
Correct certificate chain format for client_service_provider_certificate_chain #48

@Noah-Vincenz

Steps to reproduce:

  1. running tinker/create-psd2-configuration.php --certificate ~/path/to/certs/signing_cert.pem --chain ~/path/to/certs/signing_cert_chain.pem --key ~/path/to/certs/signing_cert.key from terminal

What should happen:

  1. Create PSD2 Provider

What happens:

  1. Running into Error message: Certificate root is not trusted. Make sure that the last certificate in the chain is the root certificate. in /Users/noah-vincenznoah/Desktop/tinker2/vendor/bunq/sdk_php/src/Exception/ExceptionFactory.php:52

Traceback

PHP Fatal error: Uncaught bunq\Exception\BadRequestException: HTTP Response Code: 400
The response id to help bunq debug: 6b3487d7-44e8-4a99-8f3c-45441bc7e810
Error message: Certificate root is not trusted. Make sure that the last certificate in the chain is the root certificate. in /Users/noah-vincenznoah/Desktop/tinker2/vendor/bunq/sdk_php/src/Exception/ExceptionFactory.php:52
Stack trace:
#0 /Users/noah-vincenznoah/Desktop/tinker2/vendor/bunq/sdk_php/src/Http/Handler/ResponseHandlerError.php(54): bunq\Exception\ExceptionFactory::createExceptionForResponse(Array, 400, '6b3487d7-44e8-4...')
#1 /Users/noah-vincenznoah/Desktop/tinker2/vendor/bunq/sdk_php/src/Http/Handler/HandlerUtil.php(42): bunq\Http\Handler\ResponseHandlerError->execute(Object(GuzzleHttp\Psr7\Response))
#2 /Users/noah-vincenznoah/Desktop/tinker2/vendor/guzzlehttp/promises/src/FulfilledPromise.php(39): bunq\Http\Handler\HandlerUtil::bunq\Http\Handler{closure}(Object(GuzzleHttp\Psr7\Response))
#3 /Users/noah-vincenznoah/Desktop/tinker2/vendor/guzzlehttp/promises/src/TaskQueue.php(47): GuzzleHttp\Promise\FulfilledPromise::GuzzleHttp\Promise{closure}()
#4 /Users/noah-vincenznoah/Desktop/tinker2/vendor/guzzlehttp/promises/src/Promise.php(246): GuzzleHttp\Promise\TaskQueue->run(true)
#5 /Users/noah-vincenznoah/Desktop/tinker2/vendor/guzzlehttp/promises/src/Promise.php(223): GuzzleHttp\Promise\Promise->invokeWaitFn()
#6 /Users/noah-vincenznoah/Desktop/tinker2/vendor/guzzlehttp/promises/src/Promise.php(267): GuzzleHttp\Promise\Promise->waitIfPending()
#7 /Users/noah-vincenznoah/Desktop/tinker2/vendor/guzzlehttp/promises/src/Promise.php(225): GuzzleHttp\Promise\Promise->invokeWaitList()
#8 /Users/noah-vincenznoah/Desktop/tinker2/vendor/guzzlehttp/promises/src/Promise.php(62): GuzzleHttp\Promise\Promise->waitIfPending()
#9 /Users/noah-vincenznoah/Desktop/tinker2/vendor/guzzlehttp/guzzle/src/Client.php(183): GuzzleHttp\Promise\Promise->wait()
#10 /Users/noah-vincenznoah/Desktop/tinker2/vendor/bunq/sdk_php/src/Http/ApiClient.php(220): GuzzleHttp\Client->request('POST', Object(GuzzleHttp\Psr7\Uri), Array)
#11 /Users/noah-vincenznoah/Desktop/tinker2/vendor/bunq/sdk_php/src/Http/ApiClient.php(492): bunq\Http\ApiClient->request('POST', 'payment-service...', Array, Array, Array)
#12 /Users/noah-vincenznoah/Desktop/tinker2/vendor/bunq/sdk_php/src/Model/Core/PaymentServiceProviderCredentialInternal.php(46): bunq\Http\ApiClient->post('payment-service...', Array, Array)
#13 /Users/noah-vincenznoah/Desktop/tinker2/vendor/bunq/sdk_php/src/Context/ApiContext.php(221): bunq\Model\Core\PaymentServiceProviderCredentialInternal::createWithApiContext('-----BEGIN CERT...', '-----BEGIN CERT...', 'UvMNfs5vOA2TV9e...', Object(bunq\Context\ApiContext))
#14 /Users/noah-vincenznoah/Desktop/tinker2/vendor/bunq/sdk_php/src/Context/ApiContext.php(153): bunq\Context\ApiContext->initializePsd2Credential(Object(bunq\Model\Generated\Object\Certificate), Object(bunq\Security\PrivateKey), Array)
#15 /Users/noah-vincenznoah/Desktop/tinker2/tinker/create-psd2-configuration.php(57): bunq\Context\ApiContext::createForPsd2(Object(bunq\Util\BunqEnumApiEnvironmentType), Object(bunq\Model\Generated\Object\Certificate), Object(bunq\Security\PrivateKey), Array, '##### YOUR DEVI...')
#16 {main}
thrown in /Users/noah-vincenznoah/Desktop/tinker2/vendor/bunq/sdk_php/src/Exception/ExceptionFactory.php on line 52

SDK version and environment

Response id

  • Response id: 6b3487d7-44e8-4a99-8f3c-45441bc7e810

Extra info:

I have verified my certificate and its root certificate. I am unsure about the format for the client_service_provider_certificate_chain parameter value for the request body to the POST /payment-service-credential-provider endpoint for our certificates.
Assuming I have the three certificates:

  1. client signing certificate A
  2. intermediate certificate B
  3. root certificate C

What should the client_service_provider_certificate_chain value be (i.e. the format of the signing_cert_chain.pem file in the Steps to reproduce command)?
We have tried many different combinations:

  1. BC with new-line characters (\n) and -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- prefix and suffix for both B and C
  2. BC without new-line characters (\n) and -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- prefix and without suffix for both B and C
  3. B,C
  4. [B,C]
  5. CB
    ... and so on. Any help would be greatly appreciated.
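
The error asks for the root to be the last certificate in the chain. As an added example (not code from this issue or from the bunq SDK), the PHP script below checks that ordering locally by signature, using constructed certificates A, B and C. It assumes the chain file is a concatenation of PEM blocks and says nothing about which roots the bunq API trusts; `makeCert` is a hypothetical helper.

```php
<?php
// Added example (PHP 7.4+, ext-openssl). All certificates are constructed test data.

/** Split a concatenated PEM bundle into its certificate blocks, in file order. */
function splitPemChain(string $pem): array
{
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $pem, $m);
    return $m[0];
}

/** Return the ordering problems found; an empty array means leaf -> ... -> root. */
function checkChainOrder(string $leafPem, string $chainPem): array
{
    $certs = array_merge([$leafPem], splitPemChain($chainPem));
    $problems = [];
    // Each certificate must be signed by the key of the one that follows it.
    for ($i = 0; $i < count($certs) - 1; $i++) {
        $issuerKey = openssl_pkey_get_public($certs[$i + 1]);
        if ($issuerKey === false || openssl_x509_verify($certs[$i], $issuerKey) !== 1) {
            $problems[] = "certificate #$i is not signed by certificate #" . ($i + 1);
        }
    }
    // The last block must verify under its own key, i.e. be self-signed.
    $last = end($certs);
    $lastKey = openssl_pkey_get_public($last);
    if ($lastKey === false || openssl_x509_verify($last, $lastKey) !== 1) {
        $problems[] = 'last certificate is not self-signed, so it is not a root';
    }
    return $problems;
}

/** Hypothetical helper: issue a throwaway certificate (self-signed when no issuer is given). */
function makeCert(string $cn, ?string $issuerPem, $issuerKey): array
{
    $opts = ['digest_alg' => 'sha256', 'private_key_bits' => 2048];
    $key = openssl_pkey_new($opts);
    $csr = openssl_csr_new(['commonName' => $cn], $key, $opts);
    $cert = openssl_csr_sign($csr, $issuerPem, $issuerKey ?? $key, 1, $opts);
    openssl_x509_export($cert, $pem);
    return [$pem, $key];
}

[$c, $cKey] = makeCert('Constructed Root C', null, null);
[$b, $bKey] = makeCert('Constructed Intermediate B', $c, $cKey);
[$a] = makeCert('Constructed Signing Cert A', $b, $bKey);

echo "B then C:\n", json_encode(checkChainOrder($a, $b . $c)), "\n";
echo "C then B:\n", json_encode(checkChainOrder($a, $c . $b)), "\n";
```

A chain file that passes this check but is still rejected points to the server's trust list rather than to the file's ordering or PEM framing.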
