
Connecting to the API

The CAR API is a REST API that lets integration partners interact with the CAR platform. All communication with the API requires mutual TLS: the server authenticates itself with a server certificate and each client authenticates with a client certificate, both issued by the CAR Certification Authority.

Before you begin integrating with the API, you'll need to:

  1. Obtain a client certificate from the CAR Certification Authority
  2. Install the CAR CA root certificate
  3. Configure your client application to use these certificates
  4. Provide any IP addresses that will be used to connect to the production API

The sections below provide detailed information about the certificate requirements and the process for obtaining them.

Client certificate

All API clients integrating with the CAR API must connect with a client certificate issued by the CAR Certification Authority (CA). The client certificate is a standard X.509 TLS client certificate with an RSA key length that follows NIST recommendations (currently 4096 bits).

The API server uses TLS with a server certificate that is also signed by the CAR CA, not by a public CA. A connecting client system therefore has to install two certificates:

  1. The client certificate, specific to the connecting system itself, issued by the CAR CA
  2. The CAR CA root certificate, so that the client can verify the CAR API server certificate issued by the CAR CA. A client that relies only on its operating system or runtime trust store will fail to verify the server certificate; the CAR CA root must be added as a trust anchor (or used as the only trust anchor for connections to the CAR API).

The supported TLS versions are the latest one available at platform launch (currently TLS 1.3) and older versions still needed by integration partners, for as long as they are considered secure (currently TLS 1.2). Newer versions will be added as soon as possible, and older versions will be deprecated as quickly as integration partners can manage. Configure clients with TLS 1.2 as the minimum version and let them negotiate TLS 1.3 where available, so that a later deprecation of TLS 1.2 does not require a client change.

Since integration partners have no need to verify the validity of other partners' certificates, CRLs are only available within the CAR operating environments (if requirements change, CRLs will be exposed on a URL). Client software should therefore not be configured to require CRL checking for the CAR CA, as the CRL is not reachable from partner networks.

IP Whitelisting

In addition to mutual TLS authentication, all API access is restricted to pre-approved IP addresses. This adds an extra layer of security by ensuring that API requests can only originate from known and trusted network locations.

To set up IP whitelisting:

  1. Identify the public IP addresses that your organization will use to connect to the CAR API (the egress addresses the CAR API will see, for example the address of a NAT gateway or outbound proxy)
  2. Provide these IP addresses to the CAR certificate manager during the certificate request process
  3. The CAR team will configure the firewall rules to allow traffic from these IP addresses

API requests originating from a non-whitelisted IP address are rejected, even when a valid client certificate is presented.

Note: If you need to add or modify whitelisted IP addresses after initial setup, please contact the CAR certificate manager with the updated list of IP addresses.

Obtaining a client certificate

Actors:

  • Integration partner (you): a bank or CTD
  • CAR certificate manager: a member of the E-faktura tech team

Steps:

  1. Integration partner generates a 4096-bit RSA key pair and a CSR:
    openssl req -newkey rsa:4096 -keyout myprivate.key -out mycsr.csr
    (openssl prompts for a passphrase for the private key and for the subject fields; the subject values entered here are replaced by the CAR CA when it signs, see the certificate fields listed below)
  2. Integration partner stores the private key in a secure location. The private key never leaves the partner's systems; only the CSR is sent.
  3. Integration partner sends the CSR to E-fakturabolaget. The CSR contains only the public key and a self-signature, so unencrypted channels are acceptable; https://send.e-faktura.com is preferred. Note that the link generated by send.e-faktura.com is not sent automatically: send it manually to the CAR certificate manager.
  4. CAR certificate manager signs the CSR to generate the client certificate.
  5. CAR certificate manager distributes client.cer (the client certificate) and ca.cer (the CAR CA root certificate) to the integration partner using send.e-faktura.com.
  6. Integration partner contacts the CAR certificate manager to perform a manual verification of the certificate.
  7. The API is now accessible with the client certificate (production URL: https://api.e-faktura.com).

NOTE: For the CI (https://ci.e-faktura.com) and stage (https://stage.e-faktura.com) environments, step 6 is omitted.


Your client certificate will have the following subject fields set by the CAR CA:

  • CN={your organization code, as specified in the E-faktura rulebook}
  • OU={your role}: bank, ctd or internal
  • O=E-fakturabolaget (the issuing organization)
  • C=SE

You do not need to provide these values in the CSR; any subject entered when generating the CSR is replaced when the CAR CA signs it.
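The following script is an added example and is not code from the CAR documentation or from E-fakturabolaget. It runs the partner side of the procedure above end to end: the key and CSR generation of step 1 with the checks worth running before the CSR is sent, the partner's half of the step 6 verification of the returned client.cer and ca.cer against the subject fields listed above, and, for step 7, the curl invocation that uses both certificates with the TLS 1.2 floor from the client certificate section. So that it runs offline, a throwaway CA in a temporary directory stands in for the CAR CA in steps 4 and 5; the file names, the subject values (BANK01, bank), the 30-day validity and the car_api_get function are assumptions made for the example, and the real certificate always comes from the CAR certificate manager.

```sh
#!/bin/sh
# Added example, not code from the CAR documentation. Partner side of the
# certificate procedure: key + CSR generation with pre-send checks, checks on
# the returned client.cer/ca.cer, and the curl call that uses them. To run
# offline, a throwaway CA stands in for the CAR CA (steps 4-5). File names,
# the expected subject values and the API path are assumptions.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
cd "$WORKDIR"

# Assumed subject for the example. The real CAR CA sets CN/OU/O/C itself, so a
# real CSR needs only a placeholder subject. The throwaway CA below signs with
# "openssl x509 -req", which keeps the CSR subject, so the expected value is
# put into the CSR here to stand in for what the CAR CA would set.
EXPECTED_SUBJECT="/CN=BANK01/OU=bank/O=E-fakturabolaget/C=SE"

# Step 1: 4096-bit RSA key pair and CSR, without prompts. umask 077 covers
# step 2 (the key file is created mode 0600). -nodes writes the key
# unencrypted; drop it if the client can supply a passphrase at startup.
gen_csr() {
    ( umask 077
      openssl req -new -newkey rsa:4096 -nodes -sha256 \
          -subj "$EXPECTED_SUBJECT" \
          -keyout myprivate.key -out mycsr.csr 2>/dev/null )
}

# Before sending the CSR: its self-signature must verify and the key must be
# the 4096 bits CAR requires. Prints the key size (OpenSSL 1.1.1 labels the
# line "RSA Public-Key:", 3.x "Public-Key:"; the pattern matches both).
csr_key_bits() {
    openssl req -in mycsr.csr -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in mycsr.csr -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Steps 4-5, simulated: a throwaway CA signs the CSR and hands back client.cer
# and ca.cer. In production the CAR certificate manager does this.
fake_car_ca_sign() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Throwaway CAR CA/O=E-fakturabolaget/C=SE" \
        -keyout ca.key -out ca.cer 2>/dev/null
    openssl x509 -req -in mycsr.csr -CA ca.cer -CAkey ca.key -CAcreateserial \
        -days 30 -sha256 -out client.cer 2>/dev/null
}

# Step 6, the partner's side of the verification: client.cer chains to ca.cer
# and its public key is the one belonging to myprivate.key (a mix-up here
# would otherwise only show up later as a TLS handshake failure).
verify_issued_cert() {
    openssl verify -CAfile ca.cer client.cer >/dev/null 2>&1 || return 1
    cert_pub="$(openssl x509 -in client.cer -noout -pubkey)"
    key_pub="$(openssl pkey -in myprivate.key -pubout)"
    [ "$cert_pub" = "$key_pub" ]
}

# One subject attribute of a certificate, for comparing CN/OU/O/C with the
# values CAR announced. RFC 2253 output looks like "C=SE,O=...,OU=bank,CN=BANK01";
# a value containing a comma would be escaped and need more than a plain split.
subject_field() {   # usage: subject_field client.cer CN
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//' | tr ',' '\n' | sed -n "s/^$2=//p"
}

# Step 7: call the API. --cacert replaces the system trust store with the CAR
# CA, so only CAR-signed server certificates are accepted; --tlsv1.2 sets the
# floor from the client certificate section (1.3 is used when offered). If CAR
# ships DER-encoded .cer files, add --cert-type DER and convert ca.cer to PEM
# first. Not invoked below: it needs network access and a real certificate.
car_api_get() {   # usage: car_api_get https://api.e-faktura.com/<path>
    curl --fail --silent --show-error \
        --cacert ca.cer --cert client.cer --key myprivate.key \
        --tlsv1.2 "$1"
}

gen_csr
echo "CSR key size: $(csr_key_bits) bits"        # 4096
fake_car_ca_sign
verify_issued_cert
echo "client.cer chains to ca.cer and matches myprivate.key"
echo "issued CN=$(subject_field client.cer CN) OU=$(subject_field client.cer OU)"
```

The pre-send check matters because a CSR generated with a default key size (2048 bits on most openssl builds) is only rejected once the CAR certificate manager looks at it, and the public key comparison is the quickest way to tell that the certificate received via send.e-faktura.com belongs to the key on the system that will use it. In production, replace the throwaway CA with the client.cer and ca.cer you receive and keep the subject placeholder in the CSR minimal.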