Home/Talk to a specialist

Canadian certificate guidance

Talk to a specialist

Have a question about qualified website authentication certificates, TLS compliance, or PSD2 requirements? This page explains how to reach the right team, what to prepare before contacting us, and what to expect from the process.

On this page
  1. Why People Contact Us
  2. How to Reach Us
  3. Response Times
  4. What Is a QWAC and Why Does It Matter
  5. eIDAS and PSD2: What Canadian Organizations Need to Know
  6. Certificate Lifecycle: What Happens After You Contact Us
  7. Who We Work With
  8. Technical Prerequisites to Prepare Before Contacting Us

Have a question about qualified website authentication certificates, TLS compliance, or PSD2 requirements? This page explains how to reach the right team, what to prepare before contacting us, and what to expect from the process.

Talk to a specialist — digital certificate and security infrastructure
Illustrative security infrastructure context.

Why People Contact Us

Most inquiries fall into a few clear categories. Knowing which one fits your situation helps us respond faster and with more relevant information.

Common reasons to get in touch:

  • You need a Qualified Website Authentication Certificate (QWAC) for PSD2 or open banking compliance
  • Your organization is evaluating eIDAS-compliant certificates for cross-border EU/Canada operations
  • You have a TLS certificate that is expiring or was revoked and need a replacement path
  • You are a fintech or financial institution assessing digital identity obligations under Canadian or European regulation
  • You need technical documentation, certificate policy details, or audit reports
  • You are a developer integrating certificate-based authentication into an API or payment gateway

If your question does not fit these categories, reach out anyway. Certificate and compliance questions are rarely simple, and a short conversation often saves hours of independent research.

How to Reach Us

Use the contact form on this page for all general, technical, and compliance-related questions. Provide as much context as possible in the message field — the more specific your question, the more useful the first response will be.

What to include in your message:

FieldWhat to Write
Organization typeBank, fintech, SaaS provider, government, other
Certificate type neededQWAC, TLS/SSL, eIDAS, other
Regulatory contextPSD2, open banking, Canadian OSFI guidelines, none
TimelineHow urgently you need the certificate or answer
Technical environmentApache, Nginx, Azure, AWS, on-premise HSM, other

Incomplete inquiries are answered, but may require a follow-up exchange before any actionable guidance can be provided.

Response Times

We do not promise 24-hour turnaround on every inquiry because some questions require input from compliance officers or technical architects. Here is what you can realistically expect:

Inquiry TypeTypical Response Time
General product questions1 business day
Technical integration questions1–2 business days
Compliance or legal questions2–3 business days
Custom enterprise certificate requests3–5 business days
Urgent revocation or security incidentsSame day (mark as urgent)

If you have a time-sensitive situation — for example, a QWAC that was revoked 24 hours before a regulatory audit — mark the subject line clearly as urgent. These are triaged separately.

What Is a QWAC and Why Does It Matter

Before contacting us, it helps to know what category of certificate you actually need. Many organizations come in asking for "an SSL certificate" when what they need is a Qualified Website Authentication Certificate with specific regulatory attributes.

A QWAC is a type of TLS certificate defined under the EU's eIDAS regulation (Regulation 910/2014). It carries legally validated organizational identity information inside the certificate itself, which standard DV or OV TLS certificates do not provide.

Key differences between certificate types:

Certificate TypeIdentity ValidationeIDAS CompliantPSD2 CompatibleUse Case
DV (Domain Validated)Domain onlyNoNoBasic HTTPS
OV (Organization Validated)Organization nameNoNoGeneral business sites
EV (Extended Validation)Legal entityNoNoE-commerce, trust signals
QWACLegal entity + regulatory attributesYesYesOpen banking, PSD2, fintech APIs

For Canadian fintechs operating in or connecting to EU markets, the regulatory obligation to use QWACs under PSD2 Article 34 applies to any third-party provider (TPP) accessing account data via open banking APIs. This is not optional — a standard OV or EV certificate will not satisfy a compliant ASPSP (bank) API gateway.

eIDAS and PSD2: What Canadian Organizations Need to Know

Canada does not currently have a direct equivalent to eIDAS, but Canadian financial institutions and payment service providers connecting to European banking infrastructure must comply with EU requirements on the EU side of the connection.

Practical implications:

  • A Canadian fintech registered as a TPP under PSD2 must present a valid QWAC to access EU bank APIs
  • The QWAC must be issued by a Qualified Trust Service Provider (QTSP) listed on an EU Member State's Trusted List
  • Certificate attributes must include the PSP authorization number and the National Competent Authority identifier
  • Certificates have a maximum validity period — currently capped and subject to CA/Browser Forum and eIDAS 2.0 updates rolling out through 2026

Under eIDAS 2.0, which began broader implementation across EU member states in 2025 and continues into 2026, requirements for QWAC issuance and audit have become more stringent. If your organization holds a QWAC issued before 2024, it is worth verifying that the certificate attributes still comply with updated technical standards (ETSI EN 319 411-2, ETSI EN 319 412-5).

Certificate Lifecycle: What Happens After You Contact Us

Understanding the process ahead of time prevents delays. Certificate issuance is not instant — it involves identity verification steps that cannot be shortcut.

Typical QWAC issuance process:

  1. Initial inquiry and scoping call
  2. Organization identity verification (legal entity documents, register extracts)
  3. Regulatory authorization verification (PSD2 license number, NCA confirmation)
  4. Technical requirements review (key size, SAN configuration, HSM requirements)
  5. Certificate Signing Request (CSR) submission
  6. Issuance and delivery
  7. Installation support (optional)
  8. Ongoing renewal planning

Steps 2 and 3 are where most delays occur. Having your authorization documentation ready — particularly your PSD2 license number from your national regulator — cuts the timeline significantly.

Estimated timelines by scenario:

ScenarioEstimated Time to Issuance
Standard QWAC, full documentation ready5–10 business days
QWAC with missing regulatory docs15–25 business days
TLS/OV certificate1–3 business days
Emergency replacement (revoked cert)1–2 business days (expedited process)

Who We Work With

Our clients range from established Canadian Schedule I banks exploring open banking infrastructure to early-stage fintechs preparing for their first PSD2 authorization. We also work with:

  • Payment processors integrating with EU acquirers
  • Identity verification providers building eIDAS-compliant flows
  • Legal and compliance teams advising financial institutions on digital identity obligations
  • Software vendors embedding certificate management into financial platforms
  • Government-adjacent organizations handling sensitive digital transactions

If you are unsure whether your use case fits, the answer is almost always: yes, reach out. A short exchange clarifies things faster than trying to self-diagnose from regulatory documents.

Technical Prerequisites to Prepare Before Contacting Us

If your question is technical rather than commercial, prepare the following before sending your message. It will make the response more precise.

For TLS/QWAC installation questions:

  • Server software and version (Apache 2.4, Nginx 1.25, IIS 10, etc.)
  • Operating system
  • Whether you use an HSM (hardware security module) and which model
  • Current certificate's expiry date and CA name
  • Error messages or browser warnings you are seeing (exact text)

For compliance questions:

  • Your organization's jurisdiction of registration
  • Whether you hold a PSD2 license, and from which NCA
  • Which EU member states' bank APIs you are connecting to
  • The specific regulatory requirement you are trying to meet (cite the article if possible)

Providing this upfront reduces back-and-forth and gets you to a usable answer faster.

Start a conversation

Tell us what needs to work.

Share the certificate type, the regulated service and the technical environment. A short brief is enough to start.

Frequently asked questions

Practical answers

What is the difference between a QWAC and a standard SSL certificate?

A standard SSL/TLS certificate (including DV, OV, and EV types) authenticates a domain and sometimes an organization, but it does not carry the legally recognized identity attributes required by eIDAS or PSD2. A QWAC is issued by a Qualified Trust Service Provider under strict EU audit requirements and contains specific regulatory fields — including PSP authorization numbers — that make it legally valid for open banking API access in the EU.

Do Canadian companies need a QWAC if they are not operating in Europe?

If your systems exclusively operate within Canada and do not connect to EU-regulated banking APIs, you do not need a QWAC for EU compliance purposes. However, as Canada's open banking framework matures through 2026 and beyond, similar certificate standards may be adopted domestically.

How long does a QWAC remain valid, and what happens when it expires?

Under current CA/Browser Forum rules and eIDAS technical standards, QWAC validity periods have been progressively shortened. As of 2026, maximum validity is governed by both eIDAS 2.0 implementing acts and CA/B Forum Baseline Requirements, which trend toward shorter cycles (currently 397 days for publicly trusted TLS, with QWAC-specific rules layered on top).

Can you help with certificate revocation if there has been a security incident?

Yes. If a private key has been compromised, a certificate was issued incorrectly, or you are responding to a security incident requiring immediate revocation, contact us and mark the inquiry as urgent.