HAT is a tool for activation and administration of merchant BankID keystore files. The BankID keystore files are refered to as .bid files, and may, or may not contain the private keys for the merchant BankID. When the private keys are stored outside the BankID keystore file, the keys must be protected using a hardware security module (HSM).

Below is a brief description of the operations offered by the HAT application.

Activate merchant BankID

This operation creates a merchant BankID with two keypairs, one for authentication and one for signing. The merchant BankID is used by BankID Server to provide merchant authentication and signing services. The activation process performs the following steps:

The application starts the activation process by requesting the provided activation URL and shared secret.
Based on the response from BankID COI, the application will create two keypairs either inside an HSM or programmatically (storing them to a file-based keystore).
The application will then submit certificate requests to the BankID COI to retrieve the merchant certificates and certificate chain.
Finally, the application assembles the BankID keystore (.bid file) holding the merchant certificates and either the private keys or references to the private keys located in the HSM.

Renew merchant BankID

This operation creates new keys and certificates for an existing merchant BankID. The renewal process performs the following steps:

The application starts the renewal process by authenticating the merchant using the existing merchant BankID. If your existing merchant BankID is expired or invalid, it cannot be renewed. You will have to order a new merchant BankID from your bank.
After a successful authentication, the application will create two new keypairs either inside an HSM or programmatically (storing them to a file-based keystore).
The application will then submit certificate requests to the BankID COI to retrieve the new merchant certificates and certificate chain.
Finally, the application overwrites the BankID keystore (.bid file) with the new merchant certificates and either the private keys or references to the private keys located in the HSM.

Test merchant BankID

This operation verifies that a merchant BankID is valid by performing authentication and signing transactions towards BankID COI. The test process performs the following steps:

The application starts the authentication process towards the BankID COI.
After a successful authentication, the application continues with signing. A text to be signed is retrieved from BankID COI during the signing operation.
After a successful signing, the merchant BankID has proven to be valid.

Generate BankRA certificate

This operation is used by banks to activate a bank RA certificate. The bank RA certificate is used by BankID Server to sign RA requests to the BankID COI. As the certificate generation requires an offline certificate ceremony, the application usage is split in two.
First, the certificate request needs to be generated prior to the certificate ceremony:

The application generates one keypair for the BankRA certificate either locally or inside an HSM. Note that the use of HSM is required for the production environment.
A certificate request (PKCS#10) is created and saved to a .p10 file.

The .p10 file is used as input to the certificate ceremony. The outcome from the certificate ceremony is a certificate in the .p7c format.
Second, the certificate needs to be imported by the application to create the .bid file:

The application loads the .p7c file and verifies that the certified public key is the same as the one previously created
Finally, the application assembles the BankID keystore (.bid file) holding the BankRA certificate and either the private key or reference to the private key located in the HSM.

Change .bid file password

This operation changes the password for a .bid file. The process performs the following steps:

The .bid file is first read and verified using the original password
The .bid file is then recreated using the new password