ISA PKI SERVICES. Framework contract Nº DI/06750-00. Enrollment Processes.
INDEX
1. – How to become an ISA Local Registration Authority
2. – How to get an ISA Lightweight, Normalized or Qualified certificates
2.1. – Certificate Request
2.2. – Validation of Certificates by the LRAs
2.3. – Certificate Download & Installation
2.4. – Export your Certificate
3. – How to get an ISA SSL/TLS or Wildcard certificates
3.1. – Key Generation
3.2. – Certificate Request
3.3. – Validation of Certificates by the FNMT Central Registration Authority
3.4. – Certificate Download & Installation
4. – How to get an ISA NC and QC for Servers
1.- How to become an ISA Local Registration Authority

Any Organization that wants to become an ISA Local Registration Authority to manage its certificates will first need to formalize an Order Form with at least the following items:

• Local Registration Authority. Quantity: 1
• LRA smartcards. Quantity: one per LRA operator needed. (This item includes 1 smartcard + 1 reader + 1 QC + 1 NC)
• Any certificates needed for the project to be launched.

We will be glad to assist you in defining your needs and throughout the whole process.
1.- How to become an ISA Local Registration Authority

Form 100: for the appointment, removal or modification of the LRA Referent.
By completing and signing this form, the Organization appoints the LRA Referent, and the FNMT will then be able to issue the LRA Referent’s QC and NC in order to operate within the LRA applications.

Form 200: for the appointment, removal or modification of the LRA Office.
The LRA Referent will have to inform the FNMT about the required LRA Office data by completing and signing this form. The authorized LRA operators will only be able to access the LRA applications from the workstations created upon reception of this form.

Form 300: for the appointment, removal or modification of the LRA Officers.
The LRA Referent will appoint the LRA Officers and assign each of them to a workstation among those previously communicated, from which they will be able to access the LRA applications to carry out their registry tasks.
2. – How to get an ISA Lightweight, Normalized or Qualified Certificates

Before applying for any certificate, please make sure to read carefully our Particular certificate policies and practice statement applicable to the certification and electronic signature services in the scope of the European Commission, and all the related information, procedures and manuals available on our web site: https://ec.fnmt.es/ and https://ec.fnmt.es/LRA

In particular, to operate with ISA certificates it is necessary to install:
• The FNMT-RCM Root Certificate
• The ISA CA Intermediate Certificate
• The CAPICOM
• The Smartcard drivers
• The FNMT-RCM smartcard app
• And to configure the security settings required

FNMT-RCM CRYPTOGRAPHIC SOFTWARE
2. – How to get an ISA Lightweight, Normalized or Qualified Certificates
2.1. – Certificate Request

Certificate Applicant (creating a private and a public key), in the LC Request Application:
1- Enter required personal data
2- Accept terms & conditions
3- Click on “Send request”

The application returns a REQUEST CODE.

Required by the LRA:
• Screenshot + ID documents
• REQUEST CODE + data entered
2. – How to get an ISA Lightweight, Normalized or Qualified Certificates
2.2. – Validation of Certificates by the LRAs

The LRA Officer shall check and validate the data provided for any certificate request. In particular, the LRA Officer must check the applicant’s identity, his/her condition as an employee of the referred Organization, and the veracity of the email address provided. All the documents provided shall be kept by the LRA Office as part of the application file.

For accreditation purposes, the applicant’s physical presence in the LRA is ONLY required for Normalized and Qualified Certificates.

First, the Registry App will ask the LRA Officer to authenticate with his/her ISA Normalized certificate, which will be displayed as (AUTH) NAME+SURNAME.

[Screenshot: Registry App. Authenticating with LRA Officer’s NC]

If the NC has been protected with a password, the LRA Officer will be required to enter the PIN and click on Accept to get into the Registry Application.
2. – How to get an ISA Lightweight, Normalized or Qualified Certificates 2.2. – Validation of LC, NC and QC
2. – How to get an ISA Lightweight, Normalized or Qualified Certificates
2.2. – Validation of LC, NC and QC

Certificate ready to be downloaded: the LRA Officer will contact the certificate applicant to inform him/her about the availability of the certificate through the corresponding Download Application.
2. – How to get an ISA Lightweight, Normalized or Qualified certificates
2.3. – Certificate Download & Installation

Certificate Applicant, in the LC Download Application:
1- Enter the same data entered at the request phase + REQUEST CODE
2- Click on “Download Certificate”

Please check that your certificate has been correctly installed and make a BACKUP COPY: open Internet Explorer > Tools > Internet Options > Content > Certificates. Your certificate shall be displayed within the “Personal” certificates tab. Select it and click on “Export” to make a backup copy.
2. – How to get an ISA Lightweight, Normalized or Qualified certificates
2.4. – Export your Certificate (only for LC and NC)

The export produces a file such as filename.pfx or filename.p12. Keep these files safe, preferably on an external device.
3. – How to get an ISA SSL/TLS or Wildcard certificates

Before applying for any certificate, please make sure to read carefully our Particular certificate policies and practice statement applicable to the certification and electronic signature services in the scope of the European Commission, and all the related information, procedures and manuals available on our web site: https://ec.fnmt.es/LRA

Only the SSL/TLS Certificate Responsible, appointed by the Organization or Competent Authorities, is entitled to request these certificates through the corresponding LRA Office.

Form 400

The procedure for obtaining the certificate consists of 3 easy phases:
• Key Generation
• Certificate Request
• Certificate Download and Installation
3. – How to get an ISA SSL/TLS or Wildcard certificates
3.1. – Key Generation

The SSL/TLS Certificate Responsible must generate a PKCS#10 with their server tools. The PKCS#10 request shall be generated with RSA and a key length of 2048 bits.

3.2. – Certificate Request

The SSL/TLS Certificate Responsible provides the LRA with the PKCS#10 together with:
• Copy of official ID documents
• Completed and signed FORM 400
• Common name (domain name or wildcard domain name to be certified)
3. – How to get an ISA SSL/TLS or Wildcard certificates
3.2. – Certificate Request (Pre-Registry App)

[Screenshot: Pre-Registry Components App. Authenticating with LRA Officer’s NC]
3. – How to get an ISA SSL/TLS or Wildcard certificates
3.2. – Certificate Request (Pre-Registry App)

The LRA operator will have to check and validate all the data and documents received and then enter the required data and the PKCS#10 provided by the SSL/TLS Certificate Responsible.

[Screenshot: Pre-Registry App data entry form with fields for name, surname, official ID number, e-mail address and the PKCS#10]
3. – How to get an ISA SSL/TLS or Wildcard certificates
3.2. – Certificate Request (Pre-Registry App)

After the data entered has been confirmed, the Pre-Registry application will display the data to be signed by the LRA Officer.

The application will ask the LRA Officer to select his/her ISA Qualified Certificate, which will be displayed as (SIGN) NAME+SURNAME, and then to enter the smartcard’s PIN.
3. – How to get an ISA SSL/TLS or Wildcard certificates
3.2. – Certificate Request (Pre-Registry App)

The Pre-Registry App will then display the SSL/TLS CERTIFICATE REQUEST FOR ISSUANCE REPORT. Even at this stage, it will be possible to cancel the registry process and correct data. To confirm and complete the process, the LRA Officer will have to FIRST PRINT the contract and then ACCEPT.
3. – How to get an ISA SSL/TLS or Wildcard certificates
3.2. – Certificate Request (Pre-Registry App)

This report contains all the relevant information concerning the electronic certificate:
• Issuance contract reference with precise information about the Local Regional Authority involved, the LRA Officer, date + hour, request number and CA
• Legal Organization Name
• Data referred to the Certificate
• Certificate CN
• Related ORDER FORM
• Attestation that the Local Regional Authority/the LRA Officer has verified the information and data included and the applicant’s identity

This report shall be kept by the Local Regional Authority as part of the application file, together with Form 400 and the ID documents, and a signed copy shall be sent directly to the FNMT CENTRAL Registry Authority, which will be in charge of deciding which applications are accepted or rejected.
3. – How to get an ISA SSL/TLS or Wildcard certificates
3.3. – Validation of Certificates by the FNMT CRA

Upon reception of an SSL/TLS certificate request, the FNMT CENTRAL Registration Authority will be in charge of:
• Validating all the documentation received.
• Checking the domains ownership.
• Accepting or rejecting the conformity reports in order to issue or reject the certificates requested.

The CENTRAL Registration Authority will connect to the SSL/TLS Certificates Management Application in order to ask the ISA CA to issue the certificates for the accepted conformity reports or to cancel the rejected ones. This process will be done in a quasi-online operation.

Certificate ready to be downloaded: the CENTRAL Registration Authority will send an email to the LRA Operator to inform about the availability of the requested certificate, as well as the URL from which they will be able to download the certificate and submit it to the SSL/TLS Certificate Responsible for its installation.
3. – How to get an ISA SSL/TLS or Wildcard certificates
3.4. – Certificate Download & Installation

[Screenshot: Pre-Registry Components App. Authenticating with LRA Officer’s NC; the downloaded certificate is passed by the LRA to the SSL/TLS Certificate Responsible]
4. – How to get an ISA NC and QC for Servers
4.1. – Key Generation

The SSL/TLS Certificate Responsible must generate a PKCS#10 with their server tools. The PKCS#10 request shall be generated with RSA and a key length of 2048 bits.

4.2. – Certificate Request

The Certificate Responsible provides the LRA with the PKCS#10 together with:
• Copy of official ID documents
• Completed FORM 500
• Common name
4. – How to get an ISA NC and QC for Servers
4.2. – Certificate Request

[Diagram: LRA, FNMT Central Registry Authority, Form 500]

4.3. – Validation of Certificates by the FNMT CRA

[Diagram: Certificate Responsible, LRA, FNMT Central Registry Authority, PKCS#10]
• Copy of official ID documents
• Completed and signed FORM 500
• Common name
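
The key generation requirement in sections 3.1 and 4.1 (a PKCS#10 generated with RSA and a key length of 2048 bits), shown as an added example that is not part of the original manual. It assumes openssl is the "server tool"; the organization name, host name and file paths are constructed placeholders, and the check function is a hypothetical pre-submission check, not an FNMT tool.

```shell
#!/bin/sh
# Added example: names, paths and subject values are constructed placeholders.

# gen_csr CN KEYFILE CSRFILE
# Creates an RSA 2048-bit private key and a PKCS#10 request for CN.
gen_csr() {
    cn=$1; key=$2; csr=$3
    # The private key stays on the server; make it owner-readable only.
    ( umask 077
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
          -out "$key" 2>/dev/null ) || return 1
    # O= is a placeholder organization name.
    openssl req -new -key "$key" -sha256 \
        -subj "/O=Example Org/CN=$cn" -out "$csr"
}

# check_csr CSRFILE EXPECTED_CN
# Returns 0 only if the request is signed by its own key, uses RSA with a
# 2048-bit modulus, and carries exactly the common name written on the form.
check_csr() {
    csr=$1; want_cn=$2
    # Proof of possession. The message is matched rather than the exit code,
    # because some openssl builds report a failed check only in the message.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    text=$(openssl req -in "$csr" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' || return 1
    printf '%s\n' "$text" | grep -q 'Public-Key: (2048 bit)' || return 1
    # RFC2253 output has the form CN=...,O=... with no padding spaces.
    subject=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 |
              sed 's/^subject= *//')
    case ",$subject," in
        *",CN=$want_cn,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration in a throwaway directory.
workdir=$(mktemp -d)
gen_csr "www.example.org" "$workdir/server.key" "$workdir/server.csr" &&
    check_csr "$workdir/server.csr" "www.example.org" &&
    echo "PKCS#10 passes the RSA 2048 checks: $workdir/server.csr"
```

Only the .csr file is handed to the LRA; the .key file is never sent with the request.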
