This guide will show you how to get a client SSL certificate that is required to access Signicat’s web services in production.
For more information about certificates, please refer to SSL web service certificates. For more information about how to set up the certificate on your server, refer to Setting up two-way SSL, .Net or Setting up two-way SSL, Java.
Signicat’s web services in production require you to provide a client SSL certificate with all web service calls. Signicat also requires that all clients be authenticated with a client SSL certificate. The client SSL certificate is issued by Signicat on request and may be used to authenticate a web service client towards Signicat’s web service. The SSL certificate must be installed on the server(s) from which you are making web service requests to Signicat. The certificate will identify a client and give the client access to web service calls.
The client SSL certificate is a highly security-sensitive asset. Anyone with the correct client SSL certificate can make web service requests on your behalf and get access to your documents at Signicat. It is very important that this certificate is kept secret.
The certificate will provide access to all data associated with that particular “service” which is registered in the certificate. If a customer has more than one client, each client should have a separate certificate.
It is not necessary to use certificates to use Signicat web service in a test environment. The requirement for SSL client certificates applies only to web services in production.
Ask for a certificate
Send a request to Signicat and ask for an SSL client certificate for your service.
Signicat needs the following information:
- A short name of the client that will use the certificate. This will be used as part of the certificate name. The name should be a short name for the application that calls Signicat’s web service. Typical names could be “e-banking” or “my page”.
- The name, e-mail address and mobile number of a person in your organisation that has the authority to order and receive certificates. Signicat will send an access code by SMS to your mobile number.
Signicat generates the certificate
Signicat will create an SSL server certificate with the root certificate “Signicat Web Service SSL CA (2048)”.
Signicat will then send an SMS with a one-time password and an e-mail with a URL to the person with the authority to order and receive certificates. The one-time password has a lifetime of 30 minutes.
Download certificate file
The person that receives the SMS and e-mail opens the URL in a browser and uses the one-time password to download the certificate file.
The certificate is encrypted and cannot be used without a key for decryption. This key is sent to the same mobile number in an SMS after the certificate is downloaded.
The certificate may be used immediately after it is issued.
Receive the certificate decryption password
The person with the authority to download the file will receive an SMS shortly after the file was downloaded. This SMS contains the permanent certificate decryption password.
The certificate is a highly security-sensitive asset. Don’t leave copies of the file on unsecured computers. It is best to download the file directly onto the server where the file should be used. The certificate file must under no circumstances be sent through email, chat services or other insecure channels. Also remember to delete the SMS with the decryption password.
Install the certificate
Refer to the specific guides for each server platform for instructions on how to install the certificate.
If the certificate is compromised, this must be reported to Signicat immediately. Signicat will then withdraw the certificate. After the withdrawal, the certificate will not function with Signicat’s services.
The certificate has a lifetime of two years. After that, a new certificate must be issued. The process for the issuing of the new certificate is the same as for issuing the first certificate.
A new certificate can be used immediately after it is issued.
It is the customer’s responsibility to ensure that the certificate does not fall into unauthorized hands. The customer must notify Signicat immediately if the certificate is lost, so that the certificate may be blocked.
Signicat recommends that the certificate is downloaded directly to production machines where it is used, or to machines with a similar level of security. After the certificate is installed, any temporary copies of the certificate should be erased.
Any backup of the certificate should be protected in the same manner as the original. If you choose not to back up the certificate for security reasons, Signicat may issue a new certificate if this is necessary.
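One way to check the handling recommendations above after installation, as an added example that is not part of Signicat's documentation: the script finds byte-identical leftover copies of the installed certificate file under given directories (for example a download or temp folder) and reports whether the installed file is readable by its owner only. The function names and any paths passed in are hypothetical, and the permission check assumes a POSIX file system.

```python
import hashlib
import os
import stat
import sys
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so it never has to fit in memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_owner_only(path: Path) -> bool:
    """True when group and others have no permission bits set (POSIX)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def audit_certificate(installed: Path, search_roots) -> dict:
    """Report loose permissions and stray copies of the installed file."""
    installed = installed.resolve()
    wanted_size = installed.stat().st_size
    wanted_hash = sha256_of(installed)
    stray = []
    for root in search_roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                candidate = Path(dirpath, name)
                try:
                    if candidate.is_symlink() or candidate.resolve() == installed:
                        continue
                    # Cheap size comparison first; hash only on a size match.
                    if candidate.stat().st_size != wanted_size:
                        continue
                    if sha256_of(candidate) == wanted_hash:
                        stray.append(candidate)  # renamed copies match too
                except OSError:
                    continue  # unreadable or vanished file: skip it
    return {
        "installed_owner_only": is_owner_only(installed),
        "stray_copies": sorted(stray),
    }


if __name__ == "__main__":  # usage: script.py <installed-file> <dir> [<dir> ...]
    print(audit_certificate(Path(sys.argv[1]), [Path(p) for p in sys.argv[2:]]))
```

Because the comparison is by content hash, a copy that was renamed after download is still found; backups kept on purpose will also be listed and should be reviewed rather than deleted automatically.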