ISA PKI SERVICES Enrollment Processes Framework contract Nº DI/06750-00.


Transcript of ISA PKI SERVICES Enrollment Processes Framework contract Nº DI/06750-00.

Page 1: Title page (ISA PKI SERVICES, Enrollment Processes, Framework contract Nº DI/06750-00).

Page 2:

INDEX

1. – How to become an ISA Local Registration Authority

2. – How to get an ISA Lightweight, Normalized or Qualified certificate
2.1. – Certificate Request
2.2. – Validation of Certificates by the LRAs
2.3. – Certificate Download & Installation
2.4. – Export your Certificate

3. – How to get an ISA SSL/TLS or Wildcard certificate
3.1. – Key Generation
3.2. – Certificate Request
3.3. – Validation of Certificates by the FNMT Central Registration Authority
3.4. – Certificate Download & Installation

4. – How to get an ISA NC and QC for Servers
4.1. – Key Generation
4.2. – Certificate Request
4.3. – Validation of Certificates by the FNMT Central Registration Authority

Page 3:

1.- HOW TO BECOME AN ISA LOCAL REGISTRATION AUTHORITY

Any Organization that wants to become an ISA Local Registration Authority in order to manage its own certificates will first need to formalize an Order Form with at least the following items:

Item: Local Registration Authority – Quantity: 1
Item: LRA smartcards – Quantity: one per LRA operator needed (this item includes 1 smartcard + 1 reader + 1 QC + 1 NC)
Item: Any certificates needed for the project to be launched

We will be glad to assist you in the definition of your needs and throughout the whole process.

Page 4:

1.- HOW TO BECOME AN ISA LOCAL REGISTRATION AUTHORITY

FORM 100 – For the appointment, removal or modification of the LRA Referent.
By completing and signing this form, the Organization appoints the LRA Referent, and the FNMT is then able to issue the LRA Referent's QC and NC so that he/she can operate within the LRA applications.

FORM 200 – For the appointment, removal or modification of the LRA Office.
The LRA Referent informs the FNMT of the required LRA Office data by completing and signing this form. The authorized LRA operators will only be able to access the LRA applications from the workstations created upon reception of this form.

FORM 300 – For the appointment, removal or modification of the LRA Officers.
The LRA Referent appoints the LRA Officers and assigns each of them to one of the workstations previously communicated, from which they will be able to access the LRA applications to carry out their registry tasks.

Page 5:

2. – HOW TO GET AN ISA LIGHTWEIGHT, NORMALIZED OR QUALIFIED CERTIFICATE

Before applying for any certificate, please make sure to read carefully our Particular certificate policies and practice statement applicable to the certification and electronic signature services in the scope of the European Commission, and all the related information, procedures and manuals available on our web sites: https://ec.fnmt.es/ and https://ec.fnmt.es/LRA

In particular, to operate with ISA certificates it is necessary to install the FNMT-RCM cryptographic software required:
• The FNMT-RCM Root Certificate
• The ISA CA Intermediate Certificate
• CAPICOM
• The smartcard drivers
• The FNMT-RCM smartcard app
and to configure the security settings.

Page 6:

2. – HOW TO GET AN ISA LIGHTWEIGHT, NORMALIZED OR QUALIFIED CERTIFICATE

2.1. – CERTIFICATE REQUEST

The Certificate Applicant uses the LC Request Application (which creates a private and a public key):
1- Enter the required personal data
2- Accept the terms & conditions
3- Click on "Send request"

The application returns a REQUEST CODE together with the data entered. The applicant then presents to the LRA the REQUEST CODE (screenshot), the data entered and the ID documents required.

(Slide callouts: Notes for LC; Notes for QC.)

Page 7:

2. – HOW TO GET AN ISA LIGHTWEIGHT, NORMALIZED OR QUALIFIED CERTIFICATE

2.2. – VALIDATION OF CERTIFICATES BY THE LRAS

LRA – Registry App: authenticating with the LRA Officer's NC

First, the Registry App will ask the LRA Officer to authenticate with his/her ISA Normalized Certificate, which is displayed as (AUTH) NAME+SURNAME.

If the NC has been protected with a password, the LRA Officer will be required to enter the PIN and click on Accept to get into the Registry Application.

The LRA Officer shall check and validate the data provided in every certificate request. In particular, the LRA Officer must check the applicant's identity, his/her status as an employee of the referred Organization, and the veracity of the e-mail address provided. All the documents provided shall be kept by the LRA Office as part of the application file.

For accreditation purposes, the applicant's PHYSICAL PRESENCE at the LRA is ONLY required for NORMALIZED and QUALIFIED CERTIFICATES.

Pages 8 to 10:

2. – HOW TO GET AN ISA LIGHTWEIGHT, NORMALIZED OR QUALIFIED CERTIFICATE

2.2. – VALIDATION OF LC, NC AND QC

(Screenshots of the Registry App: the request record shows the applicant's name, surname and e-mail address, the LRA office code and the request number.)

Certificate ready to be downloaded: once the request has been validated, the LRA Officer will contact the certificate applicant to inform him/her that the certificate is available through the corresponding Download Application.

Page 11:

2. – HOW TO GET AN ISA LIGHTWEIGHT, NORMALIZED OR QUALIFIED CERTIFICATE

2.3. – CERTIFICATE DOWNLOAD & INSTALLATION

The Certificate Applicant uses the LC Download Application:
1- Enter the same data entered at the request phase + the REQUEST CODE
2- Click on "Download Certificate"

The CERTIFICATE is then installed. Please check that your certificate has been correctly installed and make a BACKUP COPY: open Internet Explorer > Tools > Internet Options > Content > Certificates. Your certificate shall be displayed in the "Personal" certificates tab. Select it and click on "Export" to make a backup copy.

(Slide callout: Notes for QC.)

Page 12:

2. – HOW TO GET AN ISA LIGHTWEIGHT, NORMALIZED OR QUALIFIED CERTIFICATE

2.4. – EXPORT YOUR CERTIFICATE (ONLY FOR LC AND NC)

The export produces a PKCS#12 file (filename.pfx or filename.p12) that contains your certificate together with its private key. Because the file contains the private key, protect it with a strong export password, keep it safe and preferably store it on an external device.

Page 13:

3. – HOW TO GET AN ISA SSL/TLS OR WILDCARD CERTIFICATE

Only the SSL/TLS Certificate Responsible appointed by the Organization or by the Competent Authorities is entitled to request these certificates, through the corresponding LRA Office (FORM 400).

Before applying for any certificate, please make sure to read carefully our Particular certificate policies and practice statement applicable to the certification and electronic signature services in the scope of the European Commission, and all the related information, procedures and manuals available on our web site: https://ec.fnmt.es/LRA

The procedure for obtaining the certificate consists of 3 easy phases:
• Key Generation
• Certificate Request
• Certificate Download and Installation

Page 14:

3. – HOW TO GET AN ISA SSL/TLS OR WILDCARD CERTIFICATE

3.1. – KEY GENERATION

The SSL/TLS Certificate Responsible must generate a PKCS#10 request with their server tools. The PKCS#10 shall be generated with RSA and a key length of 2048 bits.

3.2. – CERTIFICATE REQUEST

The SSL/TLS Certificate Responsible hands over to the LRA:
• A copy of the official ID documents
• The completed and signed FORM 400, with the Common name (domain name or wildcard domain name to be certified)
• The PKCS#10 (RSA, 2048 bits), as a PEM-armoured block between "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----"

(The slide shows a sample PEM block; the same sample is reproduced in full on page 22.)

Page 15:

3. – HOW TO GET AN ISA SSL/TLS OR WILDCARD CERTIFICATE

3.2. – CERTIFICATE REQUEST (PRE-REGISTRY APP)

LRA – Pre-Registry Components App: the LRA Officer authenticates with his/her NC (PIN prompt).

Page 16:

3. – HOW TO GET AN ISA SSL/TLS OR WILDCARD CERTIFICATE

3.2. – CERTIFICATE REQUEST (PRE-REGISTRY APP)

The LRA operator will have to check and validate all the data and documents received and then enter the required data and the PKCS#10 provided by the SSL/TLS Certificate Responsible.

(Screenshot of the Pre-Registry form: common name, e.g. ec.fnmt.es; LRA office, e.g. OF0XX - FNMT; the Responsible's name, surname, official ID number and e-mail address; and the PKCS#10 pasted as a PEM block.)
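Added example (not part of the FNMT slides, and not FNMT's own application code): a stdlib-only Python checker that the LRA operator could run over the blob before pasting it into the Pre-Registry App. It decides what the blob is from its DER structure rather than from its PEM label (a PKCS#10 CertificationRequest opens with INTEGER version 0; an X.509 certificate opens with the [0] version tag), reads the subject CN and the RSA modulus size, and applies the slide's rule: RSA, 2048 bits, CN equal to the common name declared on FORM 400. Checking the structure matters here: the sample blob reproduced on these slides carries the header "-----BEGIN CERTIFICATE request-----", but its base64 (MIIDbTCCAlWgAwIBAgID...) decodes as an X.509 certificate whose RSA key is 1024 bits, so it would fail this check on two counts. The fixtures fake_csr and fake_certificate, the dummy modulus, the all-zero signature and the names www.example.eu and Example CA are constructed for the example and are not real keys or requests. The checker does not verify the request's self-signature; that remains the job of `openssl req -verify`.

```python
import base64
import re

# Added example, not FNMT tooling: structural checks on a PEM blob handed in as a PKCS#10 request.
PEM_RE = re.compile(r"-----BEGIN ([A-Za-z0-9 ]+)-----(.*?)-----END \1-----", re.S)
OID_RSA = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11 sha256WithRSAEncryption
OID_CN = bytes.fromhex("550403")  # 2.5.4.3 commonName

def der_tlv(buf, pos=0):  # one DER element with a single-byte tag -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):  # every (tag, value) child of a constructed DER value
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def find_common_name(name_der):  # Name ::= SEQUENCE OF SET OF SEQUENCE {type OID, value}
    for _, rdn in der_children(name_der):
        for _, atv in der_children(rdn):
            (_, oid), (_, value) = der_children(atv)
            if oid == OID_CN:
                return value.decode("utf-8", "replace")
    return None

def parse_spki(spki_der):  # SubjectPublicKeyInfo -> ("rsa", modulus_bits) or (algorithm OID hex, None)
    (_, alg), (_, bitstring) = der_children(spki_der)
    alg_oid = der_children(alg)[0][1]
    if alg_oid != OID_RSA:
        return alg_oid.hex(), None
    rsa_pub = der_children(bitstring[1:])[0][1]  # skip the unused-bits byte; RSAPublicKey ::= SEQUENCE {n, e}
    return "rsa", int.from_bytes(der_children(rsa_pub)[0][1], "big").bit_length()

def inspect_blob(pem_text):
    """Classify the blob by its DER structure, not by its PEM label; ValueError if it will not parse."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM-armoured block found")
    tag, outer, _ = der_tlv(base64.b64decode("".join(m.group(2).split()), validate=True))
    if tag != 0x30 or not outer or der_children(outer)[0][0] != 0x30:
        raise ValueError("not a DER SEQUENCE whose first element is a SEQUENCE")
    fields = der_children(der_children(outer)[0][1])
    if fields[0][0] == 0xA0:  # TBSCertificate starts with [0] EXPLICIT version
        return {"kind": "certificate", "label": m.group(1)}
    if fields[0] != (0x02, b"\x00"):  # CertificationRequestInfo starts with INTEGER version 0
        raise ValueError("neither an X.509 certificate nor a PKCS#10 CertificationRequest")
    key_alg, key_bits = parse_spki(fields[2][1])
    return {"kind": "csr", "label": m.group(1), "cn": find_common_name(fields[1][1]),
            "key_alg": key_alg, "key_bits": key_bits}

def check_request(pem_text, form_common_name, required_bits=2048):
    """Slide rule: a genuine PKCS#10, RSA 2048, CN equal to the FORM 400 common name -> (ok, reason)."""
    try:
        info = inspect_blob(pem_text)
    except ValueError as exc:
        return False, f"unparseable: {exc}"
    if info["kind"] != "csr":
        return False, f"blob is an X.509 certificate, not a PKCS#10 request (PEM label {info['label']!r})"
    if info["key_alg"] != "rsa" or info["key_bits"] != required_bits:
        return False, f"key is {info['key_alg']}, {info['key_bits']} bits; policy requires RSA {required_bits}"
    if info["cn"] != form_common_name:
        return False, f"CSR CN {info['cn']!r} does not match the common name on FORM 400 ({form_common_name!r})"
    return True, "ok"

def der(tag, payload):  # minimal DER encoder for the constructed fixtures below
    if len(payload) < 0x80:
        return bytes([tag, len(payload)]) + payload
    lb = len(payload).to_bytes((len(payload).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def der_int(v):
    return der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))  # spare byte keeps it non-negative

def _name(cn):  # single-RDN Name with a UTF8String commonName
    return der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, cn.encode()))))

def _rsa_spki(bits):  # dummy odd modulus of exactly `bits` bits: a shape, not a usable key
    alg = der(0x30, der(0x06, OID_RSA) + b"\x05\x00")
    return der(0x30, alg + der(0x03, b"\x00" + der(0x30, der_int((1 << (bits - 1)) | 1) + der_int(65537))))

def _pem(label, body):
    return f"-----BEGIN {label}-----\n{base64.b64encode(body).decode()}\n-----END {label}-----\n"

def fake_csr(cn, bits=2048):  # constructed PKCS#10 with an all-zero signature
    sig_alg = der(0x30, der(0x06, OID_SHA256_RSA) + b"\x05\x00")
    cri = der(0x30, der_int(0) + _name(cn) + _rsa_spki(bits) + der(0xA0, b""))
    return _pem("CERTIFICATE REQUEST", der(0x30, cri + sig_alg + der(0x03, b"\x00" + bytes(bits // 8))))

def fake_certificate(cn, bits=2048):  # X.509 skeleton ([0] version first), labelled like the slide's sample
    sig_alg = der(0x30, der(0x06, OID_SHA256_RSA) + b"\x05\x00")
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(0x1B2B0) + sig_alg + _name("Example CA") + _name(cn) + _rsa_spki(bits))
    return _pem("CERTIFICATE request", der(0x30, tbs + sig_alg + der(0x03, b"\x00" + bytes(bits // 8))))
```

The Responsible produces the real object with, for instance, `openssl req -new -newkey rsa:2048 -keyout server.key -out server.csr`, and `openssl req -in server.csr -noout -text -verify` shows the same CN and key size that inspect_blob reports. check_request returns (False, reason) instead of raising so that the reason can be shown to the operator or filed with the application.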

Page 17:

3. – HOW TO GET AN ISA SSL/TLS OR WILDCARD CERTIFICATE

3.2. – CERTIFICATE REQUEST (PRE-REGISTRY APP)

After confirming the data entered, the Pre-Registry application will display the data to be signed by the LRA Officer.

The application will ask the LRA Officer to select his/her ISA Qualified Certificate, which is displayed as (SIGN) NAME+SURNAME, and then to enter the smartcard's PIN.

Page 18:

3. – HOW TO GET AN ISA SSL/TLS OR WILDCARD CERTIFICATE

3.2. – CERTIFICATE REQUEST (PRE-REGISTRY APP)

The Pre-Registry App will then display the SSL/TLS CERTIFICATE REQUEST FOR ISSUANCE REPORT. Even at this stage it is still possible to cancel the registry process and correct the data. To confirm and complete the process, the LRA Officer has to FIRST PRINT the contract and then ACCEPT.

Page 19:

3. – HOW TO GET AN ISA SSL/TLS OR WILDCARD CERTIFICATE

3.2. – CERTIFICATE REQUEST (PRE-REGISTRY APP)

This report contains all the relevant information concerning the electronic certificate:
• Issuance contract reference, with precise information about the Local Registration Authority involved, the LRA Officer, date + hour, request number and CA
• Legal Organization Name
• Data referred to the Certificate
• Certificate CN
• Related ORDER FORM
• Attestation that the Local Registration Authority / the LRA Officer has verified the information and data included and the applicant's identity

This report shall be kept by the Local Registration Authority as part of the application file, and a signed copy shall be sent directly to the FNMT CENTRAL Registration Authority, which is in charge of deciding which applications are accepted and which are rejected.

The LRA forwards to the FNMT Central Registration Authority: the signed report, FORM 400 and the ID DOCS.

Page 20:

3. – HOW TO GET AN ISA SSL/TLS OR WILDCARD CERTIFICATE

3.3. – VALIDATION OF CERTIFICATES BY THE FNMT CRA

Upon reception of an SSL/TLS certificate request, the FNMT CENTRAL Registration Authority is in charge of:
• Validating all the documentation received.
• Checking ownership of the domains.
• Accepting or rejecting the conformity reports, in order to issue or refuse the certificates requested.

The CENTRAL Registration Authority connects to the SSL/TLS Certificates Management Application to ask the ISA CA to issue the certificates for the accepted conformity reports, or to cancel the rejected ones. This is done in a quasi-online operation.

The CENTRAL Registration Authority then sends an e-mail to the LRA Operator informing him/her that the requested certificate is available, together with the URL from which it can be downloaded and handed over to the SSL/TLS Certificate Responsible for installation.

Certificate ready to be downloaded (FNMT Central Registration Authority to LRA).

Page 21:

3. – HOW TO GET AN ISA SSL/TLS OR WILDCARD CERTIFICATE

3.4. – CERTIFICATE DOWNLOAD & INSTALLATION

LRA – Pre-Registry Components App: the LRA Officer authenticates with his/her NC (PIN prompt), locates the request (the screenshot shows common name ec.fnmt.es and request number 474923416) and downloads the certificate, which is then submitted to the SSL/TLS Certificate Responsible for installation.

Page 22:

4. – HOW TO GET AN ISA NC AND QC FOR SERVERS

4.1. – KEY GENERATION

The Certificate Responsible must generate a PKCS#10 request with their server tools. The PKCS#10 shall be generated with RSA and a key length of 2048 bits.

4.2. – CERTIFICATE REQUEST

The Certificate Responsible hands over to the LRA:
• A copy of the official ID documents
• The completed FORM 500, with the Common name
• The PKCS#10 (RSA, 2048 bits)

Sample PEM block as shown on the slide:

-----BEGIN CERTIFICATE request-----
MIIDbTCCAlWgAwIBAgIDAbKwMA0GCSqGSIb3DQEBBQUAMDsxHDAaBgNVBAoTE0V1cm9wZWFuIENvbW1pc3Npb24xGzAZBgNVBAMTEkNvbW1pc1NpZ24gQ2xhc3MgQTAeFw0xMTExMDQxNjExMjVaFw0xMzExMDQxNjExMjVaMHMxHzAdBgNVBAMTFk9QUkVBIENhcm1lbiBNYWdkYWxlbmExHDAaBgNVBAoTE0V1cm9wZWFuIENvbW1pc3Npb24xMjAwBgkqhkiG9w0BCQEWI0Nhcm1lbi1NYWdkYWxlbmEuT1BSRUFAZWMuZXVyb3BhLmV1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDbJhV50V9qjPWt77aOmqhrxNKXyUueOxjIKm/IGh+hkJTDJ/RLp/BESt8LFUJGOjpJadT6jx7trEXHrPjXJR9VsRGGnFSbN3FwNmmkbmdiqXhXtgSv/vd2GPWst6swbocg+4D90WdzQC4mIdlHWhjI9eMP36k7WDzntQqadAfo0QIDAQABo4HFMIHCMB8GA1UdIwQYMBaAFJ+pFuDJ/5KTO/b+YL31E0k9sjuxMB0GA1UdDgQWBBS1Okm1R7J+6sedWQcNbV2YkcHggzAOBgNVHQ8BAf8EBAMCBsAwEwYDVR0lBAwwCgYIKwYBBQUHAwQwWwYDVR0fBFQwUjBQoE6gTIZKaHR0cDovL2VjLmV1cm9wYS5ldS9kZ3MvcGVyc29ubmVsX2FkbWluaXN0cmF0aW9uL2NvbW1pc3NpZ24vY29tbWlzc2lnbi5jcmwwDQYJKoZIhvcNAQEFBQADggEBAFgleZsTtphjem5MKZXrTkH4YNXUjD2HG5Abp0D IHhdYzRjCDrmv3KGWQgEnD5LY/skg98fxy6O9akdno9TQACOFYvWFfeyu4j28qdw/RhHjpxcM0fZ7crjmlWz+PBltmdmfWNfkBI2sD7ge+hH1Tn4W5MgWEHfKR5JzRm9iuWhBA8tG0cpF852oZslAKOJ85EDT2wQdRRgai6rJjYnl7+oqHAxrgCCY4heJ21wzQ6POp7sqNHfMLIwY73eb98uYeB7NPOUTbARHE+ss0v5xJPMJHItOntF+V3g+c7rldmP6/ewRhxapIHY4cC3Wwqsfw8DwpKttZ6GkrweKfjKeeN0=
-----END CERTIFICATE request-----

Page 23:

4. – HOW TO GET AN ISA NC AND QC FOR SERVERS

4.2. – CERTIFICATE REQUEST

The Certificate Responsible hands over to the LRA: a copy of the official ID documents, the completed and signed FORM 500 (with the Common name) and the PKCS#10.

4.3. – VALIDATION OF CERTIFICATES BY THE FNMT CRA

The LRA forwards the file (copy of the official ID documents, completed and signed FORM 500 with the Common name, and the PKCS#10) to the FNMT Central Registration Authority.

Page 24: Site map of the ISA PKI applications

https://ec.fnmt.es/
• Request Applications: Lightweight Certificate Request App; Normalized Certificate Request App; Qualified Certificate Request App
• Download Applications: Lightweight Certificate Download App; Normalized Certificate Download App; Qualified Certificate Download App

https://ec.fnmt.es/LRA
• Registry App: Issuance, Revocation, Suspension & Cancellation of Suspension App for LC, NC & QC
• Pre-Registry Components App: Request & Download App for SSL/TLS Certificates

Forms: FORM 100, FORM 200, FORM 300, FORM 400, FORM 500