This guide will show you how to get a client SSL certificate that is required to access Signicats web services in production.
For more information about certificates, please refer to SSL web service certificates. For more information about how to set up the certificate on your server, refer to Setting up 2-way SSL, .Net or Setting up 2-way SSL, Java.
Signicat’s web services in production requires you to provide a client SSL certificate with all web service calls and that all clients must be authenticated with a client SSL certificate. The client SSL certificate is issued by Signicat on request and may be used to authenticate a web service client to Signicat web service. The SSL certificate must be installed on the server(s) where you are making web service requests to Signicat. The certificate will identify a client and give the client access to web service call.
|The client SSL certificate is a very security sensitive asset. Anyone with the correct client SSL certificate can make web service requests on your behalf and get access to your documents at Signicat. It is very important that this certificate is kept secret.|
The certificate will provide access to all data associated with that particular “service” which is registered in the certificate. If a customer has more than one client each client should have a separate certificate.
It is not necessary to use certificates to use Signicat web service in a test environment. The requirement for SSL client certificates only web service in production.
Ask for a certificate
Send a request towhere you ask for a SSL client certificate for your service.
Signicat needs the following information:
- A short name of the client that will use the certificate. This will be used as part of the certificate name. The name should be a short name for the application that calls Signicats web service. Typical names could be “e-banking” or “my page”.
- Name, e-mail address and mobile number to a person in your organisation that has the authority to order and receive certificates. Signicat will, among otherwise send an access code by SMS to your mobile number.
Signicat generates the certificate
Signicat will create a SSL server certificate with root certificate “Signicat Web Service SSL CA (2048)”
Signicat will send an SMS with a one time password and an e-mail with a URL to the person with the authority to order and receive certificates. The one time password has a lifetime of 30 minutes.
Download certificate file
The person that receives the SMS and e-mail opens the URL in a browser and uses the one time password to download the certificate file.
The certificate is encrypted, and may not be used without a key for decryption. This key is sent to the same mobile number in a text message after the certificate is downloaded.
The certificate may be used immediately after it is issued.
Receive the certificate decryption password
The person with the authority to download the file will receive an SMS shortly after the file was downloaded. This SMS contains the permanent certificate decryption password.
|The certificate is a very security sensitive asset. Don’t leave copies of the file on unsecure computers. It is best to download the file directly on the server where the file should be used. The certificate file must under no circumstances be sent on email, chat services or other unsecure channels. Also remember to delete the SMS with the decryption password.|
Install the certificate
Refer to the specific guides for each server platform for instructions on how to install the certificate.
Withdrawal of Certificate
If the certificate is compromised, this must be reported to Signicat immediately. Signicat will draw return the certificate. After the withdrawal the certificate will not function with the Signicat services.
Renewal of Certificate
The certificate has a lifetime of 2 years. After that, it must be issued a new certificate. Process for issuance of the new certificate is the same as for issuing the first certificate.
A new certificate can be used immediately after it is issued.
Recommendations related to security
It is the customer’s responsibility to ensure that the certificate does not come into unauthorized hands. Customer must notify Signicat immediately if the certificate is lost so that the certificate may be blocked.
Signicat recommends that the certificate is downloaded directly to production machines where it is used or on machines with a similar level of security. After the certificate is installed, any temporary copies of the certificate carefully erased.
Any backup of the certificate should be protected in the same manner as the original. If you choose not backup of the certificate for security reasons, Signicat may issue a new certificate if this is necessary.