Overview
In this section, we provide information on (planned) outages.
Public SSL/TLS Certificate update
Find more information about the public SSL/TLS Certificate update below.
Environments
In this section, we provide information on the availability of our environments.
| Operational | Production |
| Operational | Sandbox |
| Operational | Development |
API Products
In this section, we provide information on availability per API. We show our availability with the following terms: Operational, Outage, or Maintenance.
| Operational | Payment Initiation (PSD2) |
| Operational | Account Information (PSD2) |
| Operational | Confirmation Availability Funds (PSD2) |
| Operational | Business Account Insight |
| Operational | Business Account Insight - Batch Transaction Details |
| Operational | Business Account Payment |
| Operational | Business Account Payment - Instant |
| Operational | Business Account Notification |
| Operational | IBAN-Name Check |
| Operational | Pay by Invoice |
| Operational | FX Trade |
| Operational | Tikkie |
| Operational | Tikkie Cashback |
| Operational | Consumer Investments Instrument |
| Operational | Investment Asset Report |
| Operational | BUUT - Payment Initiation (PSD2) |
| Operational | BUUT - Account Information (PSD2) |
Go to this report for PSD2 API availability per month (Dutch only).
Public SSL/TLS Certificate update
Read more about the recently communicated update to public SSL/TLS certificates that will impact you. You may already have received information from your public certificate provider regarding this change. We have gathered the relevant information for you to review, and we will update you over the upcoming months as the solution to this change evolves. For any questions, please contact support.
What is happening?
Public CAs will no longer include the Client Authentication (id-kp-clientAuth) identifier in the Extended Key Usage (EKU) field of newly issued public SSL/TLS certificates. Major browser and root program providers have introduced new security requirements that prohibit the inclusion of the Client Authentication EKU in publicly trusted SSL/TLS certificates. These changes are designed to reinforce certificate purpose specificity and improve ecosystem security.
What is changing?
For many years, public SSL/TLS certificates have commonly included both Server Authentication and Client Authentication EKUs. Moving forward, the Client Authentication EKU will be deprecated in public SSL/TLS certificates. This is due to updated requirements from major Root Programs, with enforcement led by Google Chrome.
What certificates are affected?
This change applies only to newly issued, renewed, or reissued certificates. DV, OV, EV public SSL/TLS certificates are affected by this update.
What is the timeline?
The timeline for this update of public SSL/TLS certificates consists of a soft deadline and a hard deadline which differs per public CA.
Soft deadline
The client authentication EKU will no longer be part of a Public SSL/TLS certificate by default. Until the hard deadline it will remain possible to obtain a public SSL/TLS certificate with client authentication EKU.
Hard deadline
The client authentication EKU will no longer be part of a Public SSL/TLS certificate. No exceptions.
Below you can find the deadline dates of DigiCert and Sectigo:
DigiCert
- Soft deadline: 1st of October 2025
- Hard deadline: 1st of May 2026
Sectigo
- Soft deadline: 14th of October 2025
- Hard deadline: 15th of May 2026
If you use a certificate provider other than DigiCert or Sectigo, we recommend checking with that provider what deadlines they have for this update.
What do you need to do?
For now, until the hard deadline, please renew your expiring public SSL/TLS certificate or issue a new public SSL/TLS certificate, ensuring that the certificate includes the client authentication EKU.
Per certificate provider, the process can be different for obtaining a public SSL/TLS certificate with the client authentication EKU:
- Some certificate providers don’t seem to have a soft deadline right now and will continue to issue public SSL/TLS certificates with the client authentication EKU by default, until their hard deadline.
- Some certificate providers give you the option to check a checkbox that you want them to issue a public SSL/TLS certificate with the client authentication EKU.
- Some certificate providers require you to create a support ticket, then the support team will issue a public SSL/TLS certificate with the client authentication EKU for you.
If you are uncertain, always check with the certificate provider how you can get a public SSL/TLS certificate with the client authentication EKU.
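One way to confirm that a renewed or reissued certificate still carries the client authentication EKU before you use it against the APIs. This is an added example, not ABN AMRO code; it assumes the `openssl` CLI (1.1.1 or later), and the function names and the two throwaway certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a PEM certificate for the Client Authentication EKU
# (id-kp-clientAuth, OID 1.3.6.1.5.5.7.3.2). Function names are hypothetical.

# eku_status CERT.pem -> prints clientAuth-present, clientAuth-missing,
# or no-eku-extension (certificate has no Extended Key Usage field at all).
eku_status() {
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    if ! printf '%s\n' "$text" | grep -q 'X509v3 Extended Key Usage'; then
        echo no-eku-extension
    elif printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication'; then
        echo clientAuth-present
    else
        echo clientAuth-missing
    fi
}

# check_cert CERT.pem -> prints status and expiry; succeeds only when the
# clientAuth EKU is present. The expiry date shows when the next renewal
# (and therefore the CA's new default) will apply to this certificate.
check_cert() {
    status=$(eku_status "$1") || return 2
    expiry=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    echo "$1: $status (expires $expiry)"
    [ "$status" = clientAuth-present ]
}

# make_test_cert OUT.pem EKU_LIST -> constructed self-signed sample, 1 day valid.
make_test_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout "$1.key" -out "$1" -days 1 \
        -subj "/CN=constructed.example" \
        -addext "extendedKeyUsage=$2" 2>/dev/null
}

# With arguments: check the given certificates. Without: run on samples.
if [ $# -gt 0 ]; then
    rc=0
    for c in "$@"; do check_cert "$c" || rc=1; done
    [ "$rc" -eq 0 ] || echo "at least one certificate lacks clientAuth" >&2
else
    d=$(mktemp -d)
    make_test_cert "$d/both.pem" serverAuth,clientAuth   # pre-change default
    make_test_cert "$d/server-only.pem" serverAuth       # post-change default
    check_cert "$d/both.pem" || true
    check_cert "$d/server-only.pem" || true
    rm -rf "$d"
fi
```

Run it with the path of the certificate your CA returned; a `clientAuth-missing` result means the certificate was issued under the CA's new default and needs to be reissued with the EKU requested explicitly.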
What will be the solution?
In the future, the CAs and Browsers expect you to use a different type of certificate for client authentication. This effectively means that public SSL/TLS certificates can no longer be used for client authentication in the future.
At the moment ABN AMRO is assessing the change and working on a future solution to replace the currently used public TLS/SSL certificates used to communicate with our APIs.
For the remaining time till the hard deadline, mentioned earlier in this e-mail, please ensure you request your CA to issue a public SSL/TLS certificate with the client authentication EKU, if you intend to use your certificate to communicate with our API portfolio.
More information
When there are new developments on this topic, we will inform you about this via e-mail and the developer portal.
Report bug or issue
Security is a top priority for ABN AMRO. To ensure secure banking for our customers, we are continuously improving our systems and processes to maintain their reliability. However, if you notice anything, we would appreciate it if you would report it to us. Please report any vulnerabilities, bugs, or errors regarding APIs by contacting us via support. If you want to proactively help, view our HackerOne page to see how you can help by becoming a bug hunter.