ISA PKI SERVICES Enrollment Processes Framework contract Nº DI/06750-00.


1 ISA PKI SERVICES Enrollment Processes Framework contract Nº DI/

2 INDEX
1. – How to become an ISA Local Registration Authority
2. – How to get an ISA Lightweight, Normalized or Qualified certificates
2.1. – Certificate Request
2.2. – Validation of Certificates by the LRAs
2.3. – Certificate Download & Installation
2.4. – Export your Certificate
3. – How to get an ISA SSL/TLS or Wildcard certificates
3.1. – Key Generation
3.2. – Certificate Request
3.3. – Validation of Certificates by the FNMT Central Registration Authority
3.4. – Certificate Download & Installation
4. – How to get an ISA NC and QC for Servers

3 1.- How to become an ISA Local Registration Authority
Any Organization that wants to become an ISA Local Registration Authority to manage its certificates will first need to formalize an Order Form with at least the following items:
Item: Local Registration Authority. Quantity: 1
Item: LRA smartcards. Quantity: One per each LRA operator needed. (This item includes 1 smartcard + 1 reader + 1 QC + 1 NC)
Item: Any certificates needed for the project to be launched.
We'll be grateful to assist you in the definition of your needs and during the whole process.

4 1.- How to become an ISA Local Registration Authority
FORM 100: For the appointment, removal or modification of the LRA Referent. By completing and signing this form, the Organization will appoint the LRA Referent, and the FNMT will then be able to issue the LRA Referent's QC and NC in order to operate within the LRA applications.
FORM 200: For the appointment, removal or modification of the LRA Office. The LRA Referent will have to inform the FNMT about the LRA Office data required by completing and signing this form. The authorized LRA operators will only be able to get into the LRA applications from the workstations created upon reception of this form.
FORM 300: For the appointment, removal or modification of the LRA Officers. The LRA Referent will appoint the LRA Officers and assign them to a workstation among those previously communicated, from which they will be able to get into the LRA applications for the exercise of their registry tasks.

5 2. – How to get an ISA Lightweight, Normalized or Qualified Certificates
Before applying for any certificate, please make sure to read carefully our "Particular certificate policies and practice statement applicable to the certification and electronic signature services in the scope of the European Commission" and all the related information, procedures and manuals available on our web site: https://ec.fnmt.es/ and https://ec.fnmt.es/LRA
In particular, to operate with ISA certificates it is necessary to install:
FNMT-RCM CRYPTOGRAPHIC SOFTWARE
-The FNMT-RCM Root Certificate
-The ISA CA Intermediate Certificate
-The CAPICOM
-The Smartcard drivers
-The FNMT-RCM smartcard app
-And to configure the security settings required

6 2. – How to get an ISA Lightweight, Normalized or Qualified Certificates
2.1. – Certificate Request
Certificate Applicant, in the LC Request Application (creating a private and a public key):
1- Enter required personal data
2- Accept terms & conditions
3- Click on Send request
[Diagram: REQUEST CODE + Data entered; LRA; REQUEST CODE Screenshot + ID documents required]

7 Your PC is now hosting the PRIVATE KEY which will be associated with your certificate at the download phase. Please make sure you DO NOT FORMAT OR UPDATE your PC until your certificate is correctly installed on it.

8 Notes for Lightweight Certificate for Functional Mailbox REQUEST
[Diagram: DG DIGIT FINANCES; Functional Mailbox Responsible]

9 Notes for Qualified Certificates REQUEST
1- Before getting into the QC Request Application please confirm:
-that you have correctly installed the CRYPTOGRAPHIC SW
-that you have installed the smartcard READER DRIVERS
-that you have inserted your SMARTCARD into the reader and it is ready to be used
2- Then, you may proceed to request your QC by getting into the QC Request Application and following the same steps as for any other certificate. Please be aware that you'll be asked to enter the smartcard PIN
3- Please keep your smartcard safe since you will need it at the download phase
[Diagram: Certificate Applicant; QC Request Application (creating the private key into the smartcard); REQUEST CODE + Data entered]

10 2. – How to get an ISA Lightweight, Normalized or Qualified Certificates
2.2. – Validation of Certificates by the LRAs
LRA: Registry App. Authenticating with the LRA Officer's NC
First, the Registry App will ask the LRA Officer to authenticate with his/her ISA Normalized certificate, which will be displayed as (AUTH) NAME+SURNAME
In case the NC has been protected with a password, the LRA Officer will be required to enter the PIN and click on Accept to get into the Registry Application
The LRA Officer shall check and validate the data provided for any request for certificates. In particular, the LRA Officer must check the applicant's identity, his/her condition as employee of the referred Organization, and the veracity of the address provided. All the documents provided shall be kept by the LRA Office as part of the application file.
For accreditation purposes, the applicant's PHYSICAL PRESENCE in the LRA is ONLY required for NORMALIZED and QUALIFIED CERTIFICATES.

11 2. – How to get an ISA Lightweight, Normalized or Qualified Certificates
2.2. – Validation of LC, NC and QC

12 2. – How to get an ISA Lightweight, Normalized or Qualified Certificates
2.2. – Validation of LC, NC and QC
JOSE LUIS BELLO R6049 OF0XX – N/A

13 2. – How to get an ISA Lightweight, Normalized or Qualified Certificates
2.2. – Validation of LC, NC and QC
The LRA Officer will contact the certificate applicant to inform about the availability of his/her certificate through the corresponding Download Application
[Diagram: LRA; Certificate Applicant; Certificate ready to be downloaded]

14 Lightweight Certificate Issuance Contract

15 2. – How to get an ISA Lightweight, Normalized or Qualified Certificates
2.3. – Certificate Download & Installation
Certificate Applicant, in the LC Download Application:
1- Enter the same data entered at the request phase + REQUEST CODE
2- Click on Download Certificate
Please check that your certificate has been correctly installed and make a BACK UP COPY: Open Internet Explorer: Tools > Internet Options > Content > Certificates. Your certificate shall be displayed within the Personal certificates tab. Select it and click on Export to make a Backup copy

16 For the correct installation of your certificate, please do not forget to use the same PC and the same browser you used at the request phase.

17 Notes for Qualified Certificates DOWNLOAD
1- Before getting into the QC Download Application please confirm:
-that you have correctly installed the CRYPTOGRAPHIC SW in that PC
-that you have installed the smartcard READER DRIVERS in that PC
-that you have inserted your SMARTCARD into the reader and it is ready to be used
2- Then, you may proceed to download your QC by getting into the QC Download Application and following the same steps as for any other certificate. Please be aware that you'll be asked to enter the smartcard PIN
3- Please keep your smartcard safe. You will NOT be able to export your certificate from your smartcard
[Diagram: Certificate Applicant; QC Download Application; CERTIFICATE into the smartcard]

18 2. – How to get an ISA Lightweight, Normalized or Qualified Certificates
2.4. – Export your Certificate (only for LC and NC)
filename.pfx, filename.p12
Keep these files safe and preferably in an external device

19 Export your Certificate: INTERNET EXPLORER
Internet Explorer: Tools > Internet Options > Content > Certificates. Your certificate shall be displayed within the Personal certificates tab. Select it and click on Export to make a Backup copy
filename.pfx
Just by double clicking this file, you'll be able to install your certificate in other PCs. You'll be required to enter the PASSWORD you set to protect the private key

20 Export your Certificate: MOZILLA FIREFOX
Mozilla Firefox: Options > Advanced > Encryption > View Certificates > Your Certificates. Your certificate shall be displayed within the Your Certificates tab. Select it and click on Backup
filename.p12
Just by double clicking this file, you'll be able to install your certificate in other PCs. You'll be required to enter the Certificate Backup PASSWORD you set.

21 3. – How to get an ISA SSL/TLS or Wildcard certificates
Only the SSL/TLS Certificate Responsible appointed by the Organization or Competent Authorities is entitled to request these certificates, through the corresponding LRA Office
Before applying for any certificate, please make sure to read carefully our "Particular certificate policies and practice statement applicable to the certification and electronic signature services in the scope of the European Commission" and all the related information, procedures and manuals available on our web site: https://ec.fnmt.es/LRA
The procedure for obtaining the certificate consists of 3 easy phases:
-Key Generation
-Certificate Request
-Certificate Download and Installation
FORM 400

22 3. – How to get an ISA SSL/TLS or Wildcard certificates
3.1. – Key Generation
The SSL/TLS Certificate Responsible must generate a PKCS#10 with their server tools. The request PKCS#10 shall be generated with RSA and a key length of 2048 bits
[Diagram: SSL/TLS Certificate Responsible; PKCS#10 with RSA and 2048 bits]
3.2. – Certificate Request
[Diagram: SSL/TLS Certificate Responsible; LRA]
-Copy of official ID documents
-Completed and signed FORM
-Common name (domain name or wildcard domain name to be certified)
-PKCS#10

23 3. – How to get an ISA SSL/TLS or Wildcard certificates
3.2. – Certificate Request (Pre-Registry App)
LRA: Pre-Registry Components App. Authenticating with the LRA Officer's NC

24 3. – How to get an ISA SSL/TLS or Wildcard certificates
3.2. – Certificate Request (Pre-Registry App)
The LRA operator will have to check and validate all the data and documents received and then enter the required data and the PKCS#10 provided by the SSL&TLS Certificate Responsible
[Screenshot fields: ec.fnmt.es; OF0XX - FNMT; name; surname; Official ID number; PKCS#10]
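The key generation requirement of 3.1 and the LRA operator's check in 3.2, as an added example that is not part of the original presentation or of FNMT tooling. It assumes the OpenSSL command line is the "server tool"; the function names, file names and host name are placeholders.

```shell
#!/bin/sh
# Added example, not FNMT tooling. All names below are placeholders.

# Certificate Responsible side: create an RSA 2048 key and a PKCS#10 request.
# $1 = common name, $2 = private key file, $3 = PKCS#10 file
make_csr() {
    ( umask 077   # private key readable by its owner only
      # -nodes leaves the key unencrypted on disk; it never leaves the server.
      openssl req -new -newkey rsa:2048 -nodes -sha256 \
          -subj "/CN=$1" -keyout "$2" -out "$3" 2>/dev/null )
}

# LRA side: check a received PKCS#10 before entering it in the application.
# $1 = PKCS#10 file, $2 = common name stated on the signed form
# Prints "ok" and returns 0, or prints the reason and returns 1.
check_csr() {
    csr=$1; want_cn=$2
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null) || {
        echo "not a parseable PKCS#10 request"; return 1; }
    # The self-signature shows the requester holds the matching private key.
    # Match on the message: older OpenSSL exits 0 even when it fails.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" || {
        echo "self-signature does not verify"; return 1; }
    echo "$text" | grep -q "Public Key Algorithm: rsaEncryption" || {
        echo "key is not RSA"; return 1; }
    echo "$text" | grep -q "Public-Key: (2048 bit)" || {
        echo "RSA key is not 2048 bits"; return 1; }
    # Compare the subject's CN with the form (spaces removed so the
    # comparison does not depend on the OpenSSL output style).
    subj=$(openssl req -in "$csr" -noout -subject | tr -d ' ')
    case "$subj" in
        *"CN=$want_cn") ;;
        *) echo "common name differs from the form"; return 1 ;;
    esac
    echo "ok"
}
```

Only the PKCS#10 file is handed to the LRA; the private key file stays on the server that generated it.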

25 3. – How to get an ISA SSL/TLS or Wildcard certificates
3.2. – Certificate Request (Pre-Registry App)
After confirming the data entered, the Pre-Registry application will display the data to be signed by the LRA Officer
The application will ask the LRA Officer to select his/her ISA Qualified Certificate, which will be displayed as (SIGN) NAME+SURNAME, and then to enter the smartcard's PIN

26 3. – How to get an ISA SSL/TLS or Wildcard certificates
3.2. – Certificate Request (Pre-Registry App)
The Pre-Registry App will then display the SSL/TLS CERTIFICATE REQUEST FOR ISSUANCE REPORT. Even at this stage, it will be possible to cancel the registry process and correct data. To confirm and complete the process, the LRA Officer will have to FIRST PRINT the contract and then ACCEPT

27 3. – How to get an ISA SSL/TLS or Wildcard certificates
3.2. – Certificate Request (Pre-Registry App)
This report contains all the relevant information concerning the electronic certificate:
-Issuance contract reference with precise information about the Local Regional Authority involved, the LRA Officer, date + hour, request number and CA
-Legal Organization Name
-Data referred to the Certificate
-Certificate CN
-Related ORDER FORM
-Attestation that the Local Regional Authority/the LRA officer has verified the information and data included and the applicant's identity
This report shall be kept by the Local Regional Authority as part of the application file, and a signed copy shall be sent directly to the FNMT CENTRAL Registry Authority, which will be in charge of deciding which applications are accepted or rejected.
[Diagram: LRA; FORM 400; ID DOCS; FNMT Central Registry Authority]

28 3. – How to get an ISA SSL/TLS or Wildcard certificates
3.3. – Validation of Certificates by the FNMT CRA
Upon reception of an SSL&TLS certificate request, the FNMT CENTRAL Registration Authority will be in charge of:
-Validating all the documentation received.
-Checking the domain's ownership
-Accepting or rejecting the conformity reports in order to issue or reject the certificates requested.
The CENTRAL Registration Authority will connect to the SSL&TLS Certificates Management Application in order to ask the ISA CA to issue the certificates for the accepted conformity reports or to cancel the rejected ones. This process will be done in a quasi-online operation.
The CENTRAL Registration Authority will send an e-mail to the LRA Operator to inform about the availability of the requested certificate, as well as the URL from which they will be able to download the certificate and submit it to the SSL&TLS Certificate Responsible for its installation.
[Diagram: LRA; FNMT Central Registry Authority; Certificate ready to be downloaded]


30 3. – How to get an ISA SSL/TLS or Wildcard certificates
3.4. – Certificate Download & Installation
LRA: Pre-Registry Components App. Authenticating with the LRA Officer's NC
[Diagram: ec.fnmt.es; SSL/TLS Certificate Responsible]

31 4. – How to get an ISA NC and QC for Servers
4.1. – Key Generation
The SSL/TLS Certificate Responsible must generate a PKCS#10 with their server tools. The request PKCS#10 shall be generated with RSA and a key length of 2048 bits
[Diagram: Certificate Responsible; PKCS#10 with RSA and 2048 bits]
4.2. – Certificate Request
[Diagram: Certificate Responsible; LRA]
-Copy of official ID documents
-Completed FORM
-Common name
-PKCS#10

32 4. – How to get an ISA NC and QC for Servers
4.2. – Certificate Request
[Diagram: Certificate Responsible; LRA; FNMT Central Registry Authority]
-Copy of official ID documents
-Completed and signed FORM 500
-Common name
-PKCS#10
4.3. – Validation of Certificates by the FNMT CRA
[Diagram: LRA; FNMT Central Registry Authority; FORM 500]

33 https://ec.fnmt.es/ https://ec.fnmt.es/LRA
Request Applications: Lightweight Certificate Request App, Normalized Certificate Request App, Qualified Certificate Request App
Download Applications: Lightweight Certificate Download App, Normalized Certificate Download App, Qualified Certificate Download App
Registry App.: Issuance, Revocation, Suspension & Cancellation of Suspension App for LC, NC & QC
Pre-Registry Components App.: Request & Download App for SSL/TLS Certificates
FORM 100, FORM 200, FORM 300, FORM 400, FORM 500

34 Thanks for your attention!!

