PowerPoint Slideshow about 'ISA PKI SERVICES' - emerson-vinson


ISA PKI SERVICES

Framework contract Nº DI/06750-00

Enrollment Processes

slide2

INDEX

1. – How to become an ISA Local Registration Authority

2. – How to get an ISA Lightweight, Normalized or Qualified certificates

2.1. – Certificate Request

2.2. – Validation of Certificates by the LRAs

2.3. – Certificate Download & Installation

2.4. – Export your Certificate

3. – How to get an ISA SSL/TLS or Wildcard certificates

3.1. – Key Generation

3.2. – Certificate Request

3.3. – Validation of Certificates by the FNMT Central Registration Authority

3.4. – Certificate Download & Installation

4. – How to get an ISA NC and QC for Servers

slide3

1.- How to become an ISA Local Registration Authority

Any Organization that wants to become an ISA Local Registration Authority to manage its certificates will first need to formalize an Order Form with at least the following items:

  • Local Registration Authority: quantity 1
  • LRA smartcards: one per each LRA operator needed (this item includes 1 smartcard + 1 reader + 1 QC + 1 NC)
  • Any certificates needed for the project to be launched

We’ll be glad to assist you in the definition of your needs and during the whole process.

slide4

1.- How to become an ISA Local Registration Authority

Form 100: for the appointment, removal or modification of the LRA Referent.

By completing and signing this form, the Organization will appoint the LRA Referent, and the FNMT will then be able to issue the LRA Referent’s QC and NC in order to operate within the LRA applications.

Form 200: for the appointment, removal or modification of the LRA Office.

The LRA Referent will have to inform the FNMT about the required LRA Office data by completing and signing this form. Authorized LRA operators will only be able to access the LRA applications from the workstations created upon reception of this form.

Form 300: for the appointment, removal or modification of the LRA Officers.

The LRA Referent will appoint the LRA Officers and assign them to a workstation among those previously communicated, from which they will be able to access the LRA applications to carry out their registry tasks.


slide5

2. – How to get an ISA Lightweight, Normalized or Qualified Certificates

Before applying for any certificate, please make sure to read carefully our Particular certificate policies and practice statement applicable to the certification and electronic signature services in the scope of the European Commission and all the related information, procedures and manuals available in our web site: https://ec.fnmt.es/ and https://ec.fnmt.es/LRA

In particular, to operate with ISA certificates it is necessary to install:

  • The FNMT-RCM Root Certificate
  • The ISA CA Intermediate Certificate
  • The CAPICOM
  • The Smartcard drivers
  • The FNMT-RCM smartcard app
  • And to configure the security settings required

FNMT-RCM CRYPTOGRAPHIC SOFTWARE

slide6

2. – How to get an ISA Lightweight, Normalized or Qualified Certificates

2.1. – Certificate Request

Certificate Applicant

(creating a private and a public key)

LC Request Application

1- Enter required personal data

2- Accept terms & conditions

3- Click on “Send request”

REQUEST CODE Screenshot +

ID documents required

REQUEST CODE + Data entered

LRA

Notes for LC

Notes for QC

slide7

2. – How to get an ISA Lightweight, Normalized or Qualified Certificates

2.2. – Validation of Certificates by the LRAs

The LRA Officer shall check and validate the data provided for any certificate request. In particular, the LRA Officer must check the applicant’s identity, his/her status as an employee of the referred Organization, and the veracity of the email address provided. All the documents provided shall be kept by the LRA Office as part of the application file.

For accreditation purposes, the applicant’s physical presence in the LRA is ONLY required for Normalized and Qualified Certificates.

First, the Registry App will ask the LRA Officer to authenticate with his/her ISA Normalized certificate, which will be displayed as (AUTH) NAME+SURNAME.

Authenticating with LRA Officer’s NC

Registry App.

If the NC has been protected with a password, the LRA Officer will be required to enter the PIN and click on Accept to get into the Registry Application.

LRA


slide8

2. – How to get an ISA Lightweight, Normalized or Qualified Certificates

2.2. – Validation of LC, NC and QC

slide9

2. – How to get an ISA Lightweight, Normalized or Qualified Certificates

2.2. – Validation of LC, NC and QC

JOSE LUIS

BELLO

R6049

joseluis.bello@fnmt.es

OF0XX – N/A

296850757

slide10

2. – How to get an ISA Lightweight, Normalized or Qualified Certificates

2.2. – Validation of LC, NC and QC

LRA

Certificate ready to be downloaded

Certificate Applicant


The LRA Officer will contact the certificate applicant to inform him/her that the certificate is available through the corresponding Download Application.

slide11

2. – How to get an ISA Lightweight, Normalized or Qualified certificates

2.3. – Certificate Download & Installation

LC Download Application

Certificate Applicant

1- Enter the same data entered at the request phase + REQUEST CODE

2- Click on “Download Certificate”

CERTIFICATE

Please check that your certificate has been correctly installed and make a BACK UP COPY: Open Internet Explorer → Tools → Internet Options → Content → Certificates. Your certificate shall be displayed within the “Personal” certificates tab. Select it and click on “Export” to make a backup copy.

Notes for QC

slide12

2. – How to get an ISA Lightweight, Normalized or Qualified certificates

2.4. – Export your Certificate (only for LC and NC)

filename.pfx

filename.p12

Keep these files safe and preferably in an external device


slide13

3. – How to get an ISA SSL/TLS or Wildcard certificates

Before applying for any certificate, please make sure to read carefully our Particular certificate policies and practice statement applicable to the certification and electronic signature services in the scope of the European Commission and all the related information, procedures and manuals available in our web site: https://ec.fnmt.es/LRA

Only the SSL/TLS Certificate Responsible appointed by the Organization or Competent Authorities is entitled to request these certificates through the corresponding LRA Office.

Form 400

  • The procedure for obtaining the certificate consists of 3 easy phases:
    • Key Generation
    • Certificate Request
    • Certificate Download and Installation
slide14

3. – How to get an ISA SSL/TLS or Wildcard certificates

3.1. – Key Generation


The SSL/TLS Certificate Responsible must generate a PKCS#10 request with their server tools. The PKCS#10 request shall be generated with RSA and a key length of 2048 bits.

SSL/TLS Certificate Responsible

PKCS#10

with RSA and 2048 bits

3.2. – Certificate Request

  • Copy of official ID documents
  • Completed and signed FORM 400 -
  • Common name (domain name or wildcard domain name to be certified)

SSL/TLS Certificate Responsible

LRA

PKCS#10

slide15

3. – How to get an ISA SSL/TLS or Wildcard certificates

3.2. – Certificate Request (Pre-Registry App)

Pre - Registry Components App.

Authenticating with LRA Officer’s NC

LRA


slide16

3. – How to get an ISA SSL/TLS or Wildcard certificates

3.2. – Certificate Request (Pre-Registry App)

LRA

ec.fnmt.es

OF0XX - FNMT

The LRA operator will have to check and validate all the data and documents received, and then enter the required data and the PKCS#10 provided by the SSL&TLS Certificate Responsible.

name

surname

Official ID number

name.surname@org.es


PKCS#10
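
An added example (not part of the original presentation and not FNMT tooling) covering the PKCS#10 requirement in 3.1 and the LRA operator's check in 3.2: it generates an RSA 2048-bit request and then verifies the self-signature, key type, key length and common name before the request is entered. Using the OpenSSL command line as the "server tool", the subject values and the file names are assumptions.

```shell
#!/bin/sh
# Added example. www.example.org, "Example Organization" and the file
# names are constructed placeholders, not values from the presentation.
REQUIRED_BITS=2048   # key length the procedure requires

# make_csr <bits> <cn> <keyfile> <csrfile>
# Generates the key pair on the server and a PKCS#10 request for it.
# Only the request file goes to the LRA; the private key stays on the server.
make_csr() {
  ( umask 077   # private key file readable by its owner only
    openssl req -new -newkey "rsa:$1" -nodes -sha256 \
      -subj "/O=Example Organization/CN=$2" \
      -keyout "$3" -out "$4" 2>/dev/null )
}

# check_csr <csrfile> <expected_cn>
# Prints "ok" or the first failed check; returns 0 only if every check passes.
check_csr() {
  csr=$1; want_cn=$2
  # 1. Self-signature: the requester holds the private key for the enclosed public key.
  openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' \
    || { echo "bad-signature"; return 1; }
  text=$(openssl req -in "$csr" -noout -text)
  # 2. Key algorithm must be RSA.
  case $text in
    *"Public Key Algorithm: rsaEncryption"*) ;;
    *) echo "not-rsa"; return 1 ;;
  esac
  # 3. Modulus length must match the required size.
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "$bits" = "$REQUIRED_BITS" ] || { echo "key-length-$bits"; return 1; }
  # 4. Common name must equal the one declared on the signed form.
  cn=$(openssl req -in "$csr" -noout -subject -nameopt multiline |
       sed -n 's/^ *commonName *= //p')
  [ "$cn" = "$want_cn" ] || { echo "cn-mismatch:$cn"; return 1; }
  echo "ok"
}

# Demo on a constructed request
demo_dir=$(mktemp -d)
make_csr 2048 www.example.org "$demo_dir/server.key" "$demo_dir/server.csr"
check_csr "$demo_dir/server.csr" www.example.org
```
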

slide17

3. – How to get an ISA SSL/TLS or Wildcard certificates

3.2. – Certificate Request (Pre-Registry App)

After confirming the data entered, the Pre-Registry application will display the data to be signed by the LRA Officer

The application will ask the LRA Officer to select his/her ISA Qualified Certificate, which will be displayed as (SIGN) NAME+SURNAME, and then to enter the smartcard’s PIN.


slide18

3. – How to get an ISA SSL/TLS or Wildcard certificates

3.2. – Certificate Request (Pre-Registry App)

The Pre-Registry App will then display the SSL/TLS CERTIFICATE REQUEST FOR ISSUANCE REPORT. Even at this stage, it will be possible to cancel the registry process and correct data. To confirm and complete the process, the LRA Officer will have to FIRST PRINT the contract and then ACCEPT.

slide19

3. – How to get an ISA SSL/TLS or Wildcard certificates

3.2. – Certificate Request (Pre-Registry App)

This report contains all the relevant information concerning the electronic certificate:

LRA

  • Issuance contract reference with precise information about the Local Regional Authority involved, the LRA Officer, date + hour, request number and CA
  • Legal Organization Name
  • Data referred to the Certificate
  • Certificate CN
  • Related ORDER FORM
  • Attestation that the Local Regional Authority/the LRA officer has verified the information and data included and the applicant’s identity

Form 400

ID docs

This report shall be kept by the Local Regional Authority as part of the application file, and a signed copy shall be sent directly to the FNMT CENTRAL Registry Authority, which will be in charge of deciding which applications are accepted or rejected.

FNMT Central Registry Authority

slide20

3. – How to get an ISA SSL/TLS or Wildcard certificates

3.3. – Validation of Certificates by the FNMT CRA

Upon reception of an SSL&TLS certificate request, the FNMT CENTRAL Registration Authority will be in charge of:

  • Validating all the documentation received.
  • Checking the ownership of the domains.
  • Accepting or rejecting the conformity reports in order to issue or reject the certificates requested.

FNMT Central Registry Authority

LRA

Certificate ready to be downloaded

The CENTRAL Registration Authority will connect to the SSL&TLS Certificates Management Application in order to ask the ISA CA to issue the certificates for the accepted conformity reports or to cancel the rejected ones. This process will be done in a quasi-online operation.

The CENTRAL Registration Authority will send an email to the LRA Operator to inform about the availability of the requested certificate, as well as the URL from which they will be able to download the certificate and submit it to the SSL&TLS Certificate Responsible for its installation.

slide21

3. – How to get an ISA SSL/TLS or Wildcard certificates

3.4. – Certificate Download & Installation

Pre - Registry Components App.

Authenticating with LRA Officer’s NC

LRA


SSL/TLS Certificate Responsible

ec.fnmt.es

474923416


slide22

4. – How to get an ISA NC and QC for Servers

4.1. – Key Generation


The SSL/TLS Certificate Responsible must generate a PKCS#10 request with their server tools. The PKCS#10 request shall be generated with RSA and a key length of 2048 bits.

Certificate Responsible

PKCS#10

with RSA and 2048 bits

4.2. – Certificate Request

Certificate Responsible

  • Copy of official ID documents
  • Completed FORM 500 - Common name

LRA

PKCS#10

slide23

4. – How to get an ISA NC and QC for Servers

4.2. – Certificate Request

LRA

FNMT Central Registry Authority

Form 500

4.3. – Validation of Certificates by the FNMT CRA

LRA

FNMT Central Registry Authority

  • Copy of official ID documents
  • Completed and signed FORM 500 - Common name

Certificate Responsible

PKCS#10


slide24

https://ec.fnmt.es/

Lightweight Certificate Request App

Request Applications

Normalized Certificate Request App

Qualified Certificate Request App

Lightweight Certificate Download App

Download Applications

Normalized Certificate Download App

Qualified Certificate Download App

https://ec.fnmt.es/LRA

Issuance, Revocation, Suspension & Cancellation of Suspension App for LC, NC & QC

Form 100

Registry App.

Form 400

Form 200

Form 500

Pre - Registry Components App.

Request & Download App for SSL/TLS Certificates

Form 300

slide25

customerservice@fnmt.es

technicalsupport@fnmt.es

Thanks for your attention!
