# Technical FAQs

<details>

<summary>What is the purpose of the Postman collections?</summary>

Through the Postman collections you can test how the dummy party ABC Trucking interacts with the Participant Registry, Warehouse 13 and the Authorisation Registry. Don't forget to also import the Test environment, so that the collections resolve to the correct variables.

[Here is a quick walkthrough on using them](/apply-ishare/quick-walkthroughs/postman-collections.md).

The Postman collections contain the private keys of ABC Trucking. Real participants must never, under any circumstance, share the private keys of their certificates. These collections include them only because you need them to impersonate the dummy party ABC Trucking in the test environment.

</details>

<details>

<summary>What do I do when I encounter a certificate export error?</summary>

Using OpenSSL to export the certificate from an iSHARE test certificate file (PKCS#12, `.p12`) may fail.

**Command:**

```bash
openssl pkcs12 -in infile.p12 -nodes -nokeys -out outfile.pem
```

After you enter the import password, the **result** is:

```
Error outputting keys and certificates
40D2B40002000000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
```

**Explanation:**

Older PKCS#12 files encrypt their contents with RC2-40-CBC. OpenSSL 3 moved this algorithm into the `legacy` provider, which is not loaded by default, so the default configuration cannot decrypt the file. Load the legacy provider for this command with `-legacy`:

```bash
openssl pkcs12 -in infile.p12 -nodes -legacy -nokeys -out outfile.pem
```

If the legacy provider is not installed on your system (some distributions package it separately), use an OpenSSL build that includes it, or a different workstation, to extract the certificate.

</details>

<details>

<summary>What do I do when I encounter a private key export error?</summary>

Using OpenSSL to export the private key from an iSHARE test certificate file (PKCS#12, `.p12`) may fail.

**Command:**

```bash
openssl pkcs12 -in infile.p12 -nocerts -out outfile-key.pem
```

After you enter the import password, the **result** is:

```
Error outputting keys and certificates
40D2B40002000000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
```

**Explanation:**

As with the certificate export, the file is encrypted with RC2-40-CBC, which OpenSSL 3 only provides through the `legacy` provider. Load it with `-legacy`:

```bash
openssl pkcs12 -in infile.p12 -legacy -nocerts -out outfile-key.pem
```

Because `-nodes` is not given, OpenSSL prompts for a PEM pass phrase and writes the key encrypted (`-----BEGIN ENCRYPTED PRIVATE KEY-----`). If the legacy provider is not available on your system, use a different workstation to extract the key.

**Convert the key into an RSA key**

If your software does not accept the encrypted PKCS#8 key, convert it with:

```bash
openssl rsa -in outfile-key.pem -out outfile-key-rsa.pem
```

You are prompted for the pass phrase, and the result is an **unencrypted** private key (on OpenSSL 3 in PKCS#8 `BEGIN PRIVATE KEY` form by default; add `-traditional` if your software requires the PKCS#1 `BEGIN RSA PRIVATE KEY` form, or `-aes256` to keep the output encrypted). Restrict the file permissions of the unencrypted key and delete it when it is no longer needed.

</details>

<details>

<summary>What should be in the 'aud' parameter of an access token?</summary>

The `aud` claim must be a single string containing the identifier of the target organisation, not an array (not even an array with one element).

For example, in i4Trust experiments the target is the i4Trust Satellite (Participant Registry), which has the identifier `EU.EORI.NLi4TRUSTSAT`. The claim is therefore:

```json
"aud": "EU.EORI.NLi4TRUSTSAT"
```

</details>

<details>

<summary>What kind of token is prerequisite in an M2M flow?</summary>

For the M2M flow you first need an access token. You obtain it by presenting a signed iSHARE JWT as client assertion at the token endpoint of the service provider; the access token is then used on the service provider's API calls.

</details>

<details>

<summary>API specification for H2M interaction</summary>

The iSHARE specifications are generic and cater for several scenarios, some of which are described on the dev portal. A user may work for multiple organisations while using the same identity provider; in that case the additional organisation-selection steps must be followed. If the IDP knows the user for only one organisation, that part of the flow is not needed.

</details>

<details>

<summary>Identity provider for organisations</summary>

In the examples the IDPs are drawn as locally hosted components. This is only a stand-in: in practice identity providers are services offered by IDP providers, and each organisation is free to choose its preferred IDP.

In an experiment or PoC, hosting an IDP yourself only serves to demonstrate the concept; in production you would use a real IDP that meets the iSHARE specifications. Because the interfaces are standardised, switching from one IDP provider to another does not require changes to your code.

</details>

<details>

<summary>Where do I find information for user interaction with service provider?</summary>

The [**Authorization page**](https://dev.ishare.eu/reference/authorization.html) (dev portal) explains that user interaction with the service provider can happen in two ways: the service-specific approach or the portal approach. The explanation of these methods describes how the request parameters of the /userinfo endpoint differ between them.

</details>

<details>

<summary>Different policy-expiration deadlines for different policy targets</summary>

For example, if a policy covers two different resource types, can each resource type have its own expiration deadline?

Answer: yes, but only by creating separate policies. One delegation evidence has exactly one validity window (`notBefore` and `notOnOrAfter` at its root); there are no time-limit parameters inside the `policySets` array that holds the individual policies. You can, however, have several delegation evidences, each containing policies with their own time limit. The reference implementations do not yet support time limits per policy set; if you need that, you will have to change the code base.

</details>

<details>

<summary>Can a JWT be hardcoded if it is according to iSHARE specifications?</summary>

A JWT cannot be hardcoded: an iSHARE JWT is valid for only 30 seconds (`exp` is `iat` + 30 s), so a new one has to be generated for every request.

</details>

<details>

<summary>Is the /createpolicy endpoint in the AR (after successful authentication, with the access token) the only way to create a new policy?</summary>

No. If you are using the iSHARE test AR instance, make sure you have access to its GUI, where you can create policies as well as via the API.

To get access to the AR GUI, send a valid EORI number and the email address of the participant who will create policies for that EORI number to support@ishare.eu, so that access can be granted.

Note: one email address can be associated with only one EORI number. Once the details have been shared, you should receive an email to set up your account. If no email arrives, go to <https://ar.isharetest.net/admin> and use "forgot password" to set up your account with that email address.

If you get a "forbidden" message after logging in, check that you are on the correct URL.

The AR GUI can be accessed here: <https://ar.isharetest.net/admin>

Swagger for the AR endpoints: <https://ar.isharetest.net/swagger/index.html>

</details>

<details>

<summary>Can you give me an example of a delegation mask that uses delegation_path?</summary>

[As specified on the dev portal](https://dev.ishare.eu/delegation/delegation-request.html), `delegation_path` is an array of the EORIs (identifiers) of the participants that form the delegation chain. The dev portal gives no example, but it is the full ordered list of EORIs of the chain, which lets the Service Provider traverse the path when determining authorisation.

To illustrate: suppose EU.EORI.XX020 is the service consumer, EU.EORI.XX002 is the Service Provider, and EU.EORI.XX010 is the entitled party whose rights were passed on through intermediate parties EU.EORI.XX0nn (10 < nn < 20; fictitious identifiers, for this example only). The `delegation_path` array then runs from EU.EORI.XX010 to EU.EORI.XX020, for example:

- `[EU.EORI.XX010, EU.EORI.XX013, EU.EORI.XX016, EU.EORI.XX020]`
- `[EU.EORI.XX010, EU.EORI.XX015, EU.EORI.XX020]`
- `[EU.EORI.XX010, EU.EORI.XX017, EU.EORI.XX013, EU.EORI.XX016, EU.EORI.XX020]`

and so on, for any combination of intermediaries. It can also happen that, for privacy reasons, only the last delegator is disclosed (n-1): the path then consists of the issuer's issuer, the issuer and the subject (service consumer). Such a path is not conclusive, and the Service Provider has to use other mechanisms (not specified) to traverse the chain.
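The following is an added example (not code from the iSHARE reference implementation) that builds a delegation mask carrying a `delegation_path` and classifies the path as described above. The field names (`policyIssuer`, `target.accessSubject`, `policySets`, `delegation_path`, `previous_steps`) follow the dev portal's delegation request; the consistency rules applied are this example's reading of the answer, not a specified algorithm, and the EORIs and the resource in the default policy set are constructed.

```python
"""Build a delegation mask with a delegation_path and check whether the path
is conclusive. Added example, not iSHARE reference code; field names follow
the dev portal's delegation request, the rules are this example's own."""
import json
import re
from typing import Optional

# EORI shape: "EU.EORI." + two-letter country code + up to 15 alphanumerics.
EORI_RE = re.compile(r"^EU\.EORI\.[A-Z]{2}[A-Za-z0-9]{1,15}$")


def build_delegation_mask(policy_issuer: str, access_subject: str,
                          delegation_path: list[str],
                          policy_sets: Optional[list] = None) -> dict:
    """Delegation mask as sent to the AR's /delegation endpoint.

    policy_sets describes the requested resource and actions; when omitted, a
    constructed minimal policy set is used so the mask is complete."""
    if policy_sets is None:
        policy_sets = [{"policies": [{
            "target": {"resource": {"type": "CONTAINER.DATA",          # constructed
                                    "identifiers": ["180621.CONTAINER-Z"],
                                    "attributes": ["ETA"]},
                       "actions": ["ISHARE.READ"]},
            "rules": [{"effect": "Permit"}],
        }]}]
    return {"delegationRequest": {
        "policyIssuer": policy_issuer,              # entitled party
        "target": {"accessSubject": access_subject},  # service consumer
        "policySets": policy_sets,
        "delegation_path": list(delegation_path),
        "previous_steps": [],                        # evidence of earlier hops, if any
    }}


def check_delegation_path(mask: dict) -> dict:
    """Classify the delegation_path of a mask.

    Returns {"status": "conclusive" | "inconclusive", "hops": n}. Raises
    ValueError for paths that can never be traversed (malformed EORIs, or a
    path that does not end at the access subject)."""
    req = mask["delegationRequest"]
    path = req["delegation_path"]
    issuer, subject = req["policyIssuer"], req["target"]["accessSubject"]
    if not isinstance(path, list) or len(path) < 2:
        raise ValueError("delegation_path must list at least a delegator and the subject")
    bad = [e for e in path if not isinstance(e, str) or not EORI_RE.match(e)]
    if bad:
        raise ValueError(f"not EORI identifiers: {bad}")
    if path[-1] != subject:
        raise ValueError("delegation_path must end at target.accessSubject")
    if path[0] == issuer:
        # Full chain from the entitled party down to the service consumer:
        # the Service Provider can verify every hop.
        return {"status": "conclusive", "hops": len(path) - 1}
    # Only the last delegator(s) are disclosed (privacy): the chain does not
    # start at the entitled party, so the Service Provider needs another
    # mechanism (not specified) to establish the missing part.
    return {"status": "inconclusive", "hops": len(path) - 1}


if __name__ == "__main__":
    mask = build_delegation_mask("EU.EORI.XX010", "EU.EORI.XX020",
                                 ["EU.EORI.XX010", "EU.EORI.XX013",
                                  "EU.EORI.XX016", "EU.EORI.XX020"])
    print(json.dumps(mask, indent=2))
    print(check_delegation_path(mask))
```

The `inconclusive` result is deliberately not an error: the mask is still well-formed, it just does not let the Service Provider verify the chain from `delegation_path` alone.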

</details>

<details>

<summary>Invalid JWT tokens when server time is out of sync with the local time of the computer</summary>

When the server's clock is out of sync with the local clock of the client, JWTs may be rejected as invalid, for example because `iat` appears to lie in the future or `exp` appears to have passed already from the verifier's point of view. Allowing a small leeway (a clock-skew tolerance of a few seconds) when validating the time-based claims prevents this; keeping both clocks synchronised with NTP removes the cause.
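The following is an added example (not code from the iSHARE project or its reference implementations) that ties together the JWT answers above: it builds the claim set of an iSHARE JWT with `aud` as a single string and a 30-second lifetime, and validates such claims with a leeway for clock skew. It covers only the claims; RS256 signing and the `x5c` header belong to the JOSE library you already use, since they need a real certificate and key. `EU.EORI.NL000000001` is a constructed placeholder; `EU.EORI.NLi4TRUSTSAT` is the i4Trust Satellite identifier quoted in this FAQ.

```python
"""Claim set of an iSHARE JWT (client assertion) and its validation with
clock-skew leeway. Added example, not iSHARE project code; signature and
x5c handling are left to your JOSE library."""
import time
import uuid
from typing import Optional

ISHARE_JWT_LIFETIME = 30  # seconds: an iSHARE JWT is valid for 30 s (exp = iat + 30)


def build_claims(client_eori: str, audience_eori: str, now: Optional[int] = None) -> dict:
    """Fresh claim set for one request. Nothing here can be hardcoded: exp is
    30 s after iat and jti is a new random identifier every time."""
    iat = int(time.time()) if now is None else now
    return {
        "iss": client_eori,
        "sub": client_eori,       # iSHARE: sub must equal iss
        "aud": audience_eori,     # one string with the target party's EORI, never an array
        "jti": str(uuid.uuid4()),
        "iat": iat,
        "exp": iat + ISHARE_JWT_LIFETIME,
    }


def validate_claims(claims: dict, expected_aud: str,
                    now: Optional[int] = None, leeway: int = 5) -> list[str]:
    """Return the list of problems found (an empty list means the claims are acceptable).

    `leeway` is the clock-skew tolerance in seconds applied to iat and exp; it
    is the fix for JWTs rejected only because client and server clocks differ
    by a few seconds. Run this after the signature has been verified, never
    instead of verifying it."""
    now = int(time.time()) if now is None else now
    problems = [f"missing claim: {n}"
                for n in ("iss", "sub", "aud", "jti", "iat", "exp") if n not in claims]
    if problems:
        return problems
    if not isinstance(claims["aud"], str):
        problems.append("aud must be a single string, not an array")
    elif claims["aud"] != expected_aud:
        problems.append(f"aud is {claims['aud']!r}, expected {expected_aud!r}")
    if claims["iss"] != claims["sub"]:
        problems.append("sub must equal iss")
    if claims["exp"] - claims["iat"] > ISHARE_JWT_LIFETIME:
        problems.append("exp may be at most iat + 30 s")
    if claims["iat"] > now + leeway:
        problems.append("iat is in the future (check clock sync)")
    if claims["exp"] + leeway <= now:
        problems.append("token expired (check clock sync or generate a fresh JWT)")
    return problems


if __name__ == "__main__":
    claims = build_claims("EU.EORI.NL000000001", "EU.EORI.NLi4TRUSTSAT")
    print(validate_claims(claims, "EU.EORI.NLi4TRUSTSAT"))
    # The same claims with aud wrapped in an array, as a client might wrongly do:
    print(validate_claims(dict(claims, aud=[claims["aud"]]), "EU.EORI.NLi4TRUSTSAT"))
```

Keep the leeway small (a few seconds): a 30-second token with a generous leeway is effectively a longer-lived token, which defeats the point of the short lifetime.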

</details>

<details>

<summary>Is it possible to deploy the Participant Registry across multiple machines for redundancy?</summary>

Yes. The standard iSHARE [Participant Registry installation guide](https://github.com/iSHAREScheme/iSHARESatellite/blob/main/docs/INSTALL.md) describes a single-VM setup for simplicity, but the components can be distributed across multiple servers. A custom deployment plan must be created for such an environment, and the iSHARE team can help you align it with framework compliance.

</details>

<details>

<summary>What should be configured as valid redirect URLs in the IDP?</summary>

Wildcards are allowed, but it is recommended to register exact redirect URLs and to verify that redirection only occurs to the URL specified in the signed authentication request. Alternatively, clients can be registered without a security key and the redirect URLs set afterwards.
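As an added example (not part of any iSHARE reference IDP or IDP product), the check below is what "redirect only to the registered URL" looks like in code: the requested `redirect_uri` must equal a registered URL exactly, after normalising only what RFC 3986 declares case- or default-insensitive (scheme, host, default port). The registered URLs and the requested values in the usage are constructed.

```python
"""Exact-match redirect URL check for an IDP. Added example, not part of an
iSHARE reference component; registered URLs below are constructed."""
from typing import Optional
from urllib.parse import urlsplit

HTTPS_DEFAULT_PORT = 443


def canonical(uri: str) -> str:
    """Canonical form of an https redirect URL.

    Lower-cases scheme and host and drops an explicit default port; path and
    query must match byte for byte. Rejects fragments, userinfo tricks such as
    https://app.example.com@attacker.net/cb, and anything that is not https."""
    parts = urlsplit(uri)
    if parts.scheme != "https":                 # urlsplit already lower-cases the scheme
        raise ValueError("redirect URLs must use https")
    if parts.fragment:
        raise ValueError("redirect URLs must not carry a fragment")
    if parts.username is not None or parts.password is not None:
        raise ValueError("redirect URLs must not carry userinfo")
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError("redirect URL has no host")
    port = parts.port                            # raises ValueError on a malformed port
    netloc = host if port in (None, HTTPS_DEFAULT_PORT) else f"{host}:{port}"
    query = f"?{parts.query}" if parts.query else ""
    return f"https://{netloc}{parts.path or '/'}{query}"


def select_redirect(registered: list[str], requested: str) -> Optional[str]:
    """Return the registered URL to redirect to, or None if the request matches none.

    Redirecting to the registered value rather than the incoming string means
    the IDP never emits attacker-supplied bytes. No prefix or wildcard matching:
    a pattern like https://*.example.com/cb would also admit a subdomain the
    attacker controls, and prefix matching admits https://app.example.com/cb/../x."""
    try:
        wanted = canonical(requested)
    except ValueError:
        return None
    for url in registered:
        if canonical(url) == wanted:
            return url
    return None


if __name__ == "__main__":
    registered = ["https://app.example.com/callback"]
    for candidate in ("https://app.example.com/callback",
                      "HTTPS://App.Example.com:443/callback",
                      "https://app.example.com.attacker.net/callback",
                      "https://app.example.com@attacker.net/callback"):
        print(candidate, "->", select_redirect(registered, candidate))
```

If your IDP product only offers wildcard or prefix matching, configure the narrowest pattern it accepts and treat the exact-match check above as the behaviour to test it against.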

</details>

<details>

<summary>How can I obtain a test certificate to participate in the iSHARE test environment?</summary>

To obtain a test certificate for use in the iSHARE test environment, you need to follow the steps outlined on the Trust Body of Knowledge. The process involves generating a Certificate Signing Request through the iSHARE Certification Portal. Detailed instructions are available here: [Apply for a test certificate](https://trustbok.ishare.eu/apply-ishare/test-certificate).

</details>

<details>

<summary>How can I register with a Participant Registry in one of the roles?</summary>

A Party can be created through the /parties endpoint via the API or manually through the Participant Registry UI. The endpoint allows a Participant Registry to create a participant based on OIDC proof from a certified IDP. Before registering with the Participant Registry, make sure you comply with the requirements of the role you want to perform.

</details>

<details>

<summary>Can different policySets within a delegation evidence have their own validity periods?</summary>

Currently, notBefore and notOnOrAfter timestamps are defined at the root level of the delegation evidence and apply to all policySets. For finer granularity, iSHARE will be updating this through [RFC041](https://gitlab.com/ishare-foundation/cab/rfc/-/issues/4).

</details>

<details>

<summary>Can there be multiple Authorisation Registries per Data Space?</summary>

Yes, there can be multiple ARs for each data space. Since Release 3.0 ([RFC056](https://gitlab.com/ishare-foundation/cab/rfc/-/issues/25)), a single AR can also serve multiple data spaces.

</details>

<details>

<summary>Should the x5c header in a client assertion contain the full certificate chain?</summary>

Yes. The `x5c` header must contain the full chain, excluding the root CA: the certificate that signs the JWT comes first, followed by the intermediate certificates in issuing order. The root CA's fingerprint must match an entry on the Participant Registry's trusted list. This allows service providers to validate the certificate path without making external calls.

</details>

<details>

<summary>What should the Authorisation Registry return if a delegation request is unauthorized due to missing context?</summary>

It is recommended to return a 401 Unauthorized response when the requester lacks sufficient proof, for example when it is neither the issuer nor the access subject and provides no valid `previous_steps`. This is clearer than returning an empty delegation evidence and prevents an ambiguous interpretation of the denial.

</details>

<details>

<summary>Are service providers required to check certificate revocation using OCSP (Online Certificate Status Protocol) or CRL (Certificate Revocation List)?</summary>

While not strictly required, OCSP or CRL checks are recommended depending on the risk profile of the implementation. These checks help ensure that revoked certificates are not accepted.

</details>

<details>

<summary>What happens if the partyID and certificate serial number mismatch during participant creation?</summary>

There is currently no enforced validation between partyID and certificate serial number. Incorrect associations must be corrected by deleting the participant and re-registering, as partyID can’t be modified in the Participant Registry UI.

</details>

<details>

<summary>Who is allowed to query the /delegation endpoint in the Authorisation Registry?</summary>

Any party with a valid client assertion may query the endpoint. However, it is recommended that requestors who are not the issuer or accessSubject provide proof (via previous\_steps) of a legitimate access right. The conformance test assumes this behaviour but does not enforce it strictly, as data spaces may define stricter rules.

</details>

<details>

<summary>Can a party register multiple certificates with the Participant Registry?</summary>

Yes, a party can register multiple certificates. This allows flexibility in managing identities, supporting different environments (e.g. test and production) or providing redundancy.

</details>

<details>

<summary>What should I do if OpenSSL reports ‘unable to verify the first certificate’ when testing a Participant Registry peer connection?</summary>

This error means the certificate chain presented by the peer is incomplete or its root CA is not in your trust store. Add the CA certificate to your system trust store (or pass it explicitly to OpenSSL) and make sure the peer serves its full chain, including all intermediate certificates. Use `openssl verify` against that CA to confirm that the peer's certificate validates.

</details>

<details>

<summary>What is the purpose of the /dataspaces endpoint in the Participant Registry specification?</summary>

The /dataspaces endpoint lists registered Data Spaces and their details. It is used by Participants to discover the available Data Spaces. Documentation on its usage is available in the latest iSHARE developer portal.

</details>

<details>

<summary>Can participants be transferred between different Participant Registries?</summary>

Yes, in theory, participants can be transferred between different (participant registry) nodes, as they are interconnected through the same Hyperledger Fabric network. Functionality to support such transfers is part of [RFC064](https://gitlab.com/ishare-foundation/cab/rfc/-/blob/ac118179053a9e95513bc3e3f51cc49abf620dfd/RFC%20Documents/RFC064/README.md).

</details>

<details>

<summary>Why might a Participant Registry peer fail to join a Hyperledger Fabric channel with a TLS error?</summary>

A “TLS handshake failed” or “certificate signed by unknown authority” error usually indicates that the client does not trust the signer of the server’s TLS certificate. This can happen if the root or intermediate CA certificate is missing or misconfigured. Ensure the client trusts the CA that issued the peer’s certificate and that the certificate chain is properly configured.

</details>

<details>

<summary>Which checks must a Participant Registry perform before accepting a certificate during party registration?</summary>

The Participant Registry must verify that the certificate meets the main requirements, including the validity of the Subject Name and relevant attributes. These checks ensure the certificate aligns with the participant’s declared identity and trust requirements.

</details>

