# Obtaining a client SSL web service certificate
This guide explains how to obtain a client SSL certificate that is required to access Signicat's SOAP web services as well as Signicat's standalone Session Data Storage (SDS) REST web service in production.
For general information about SSL certificates, please refer to our page on SSL web service certificates. For more information about how to set up the certificate on your server, refer to our page on setting up two-way SSL.
Signicat's web services in production require you to provide a client SSL certificate with all web service calls.
Signicat also requires that all clients be authenticated with a client SSL certificate. The client SSL certificate is issued by Signicat on request and may be used to authenticate a web service client towards Signicat's web service. The SSL certificate must be installed on the server(s) from which you make web service requests to Signicat. The certificate identifies a client and gives the client access to web service calls.
The client SSL certificate is a security-sensitive asset. Anyone with the correct client SSL certificate can make web service requests on your behalf and get access to your documents at Signicat. It is very important that this certificate is kept secret.
The certificate provides access to all data associated with the particular "service" that is registered in the certificate.
If a customer has more than one client, each client should have a separate certificate.
Certificates are not necessary to use Signicat's web services in a test environment. The requirement for SSL client certificates applies only to web services in production.
# 1. Ask for a certificate
Contact us at firstname.lastname@example.org to request an SSL client certificate for your service.
Signicat will need the following information:
- A short name for the client that will be using the certificate. This will be used as part of the certificate name. The name should be a short name for the application that calls Signicat's web service. Typical names could be "e-banking" or "my page".
- The name, email address and mobile number of a person in your organisation who has the authority to order and receive certificates. Signicat will send an access code by SMS to this mobile number.
# 2. Signicat generates the certificate
Signicat will create an SSL server certificate with the root certificate "Signicat Web Service SSL CA (2048)".
Signicat will then send an SMS with a one-time password and an email with a URL to the person with the authority to order and receive certificates. The one-time password has a lifetime of 30 minutes.
# 3. Download certificate file
The person who receives the SMS and email opens the URL in a browser and uses the one-time password to download the certificate file.
The certificate is encrypted and may not be used without a key for decryption. This key is sent to the same mobile number in an SMS after the certificate is downloaded.
The certificate may be used immediately after it is issued.
# 4. Receive the certificate decryption password
The person with the authority to download the file will receive an SMS shortly after the file is downloaded. This SMS contains the permanent certificate decryption password.
Do not leave copies of the certificate file on unsecured computers.
It is best to download the file directly onto the server where the file should be used. The certificate file must under no circumstances be sent through email, chat services or other insecure channels. Also remember to delete the SMS with the decryption password.
# 5. Install the certificate
Refer to the specific guides for each server platform for instructions on how to install the certificate.
# Certificate withdrawal
If the certificate is compromised, this must be reported to Signicat immediately. Signicat will then withdraw the certificate. After the withdrawal, the certificate will not function with Signicat's services.
# Certificate renewal
The certificate has a lifetime of two years. After that, a new certificate must be issued. The process for the issuing of the new certificate is the same as for issuing the first certificate.
A new certificate can be used immediately after it is issued. Certificates work in parallel, so if you receive a new certificate before expiry of your current one, the current certificate will still work until it expires.
# Security recommendations
It is the customer's responsibility to ensure that the certificate does not fall into unauthorised hands. The customer must notify Signicat immediately if the certificate is lost, so that the certificate may be blocked.
Signicat recommends that the certificate is downloaded directly to the production machines where it is used, or to machines with a similar level of security, and that any temporary copies of the certificate are erased after the certificate is installed.
Any backup of the certificate should be protected in the same manner as the original. If you choose not to back up the certificate for security reasons, Signicat may issue a new certificate if this is necessary.
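To act on the renewal and security recommendations above, the following added example (not part of Signicat's documentation or code) checks that a certificate file is accessible to its owner only and reports when the certificate is within a chosen lead time of expiry. It assumes the certificate has been exported to PEM and that OpenSSL is installed; the function names, the 60-day default and the sample certificate are illustrative.

```shell
#!/bin/sh
# Added example (not Signicat code). Assumes the certificate has been exported
# to PEM; the page does not state the format of the delivered file.

# perms_ok FILE: succeeds only if group and other have no access to FILE.
perms_ok() {
    # Characters 5-10 of the ls mode string are the group/other bits.
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# renewal_status CERT_PEM LEAD_DAYS: prints UNREADABLE, EXPIRED, RENEW or OK.
renewal_status() {
    cert=$1
    lead_seconds=$(( $2 * 86400 ))
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo UNREADABLE
    elif ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo EXPIRED
    elif ! openssl x509 -in "$cert" -noout -checkend "$lead_seconds" >/dev/null; then
        echo RENEW      # inside the lead window: order the replacement now
    else
        echo OK
    fi
}

# make_sample_cert DIR: constructed self-signed test certificate with a
# 730-day lifetime, standing in for a real one (hypothetical subject name).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 730 \
        -subj "/CN=example-client" \
        -keyout "$1/client.key" -out "$1/client.pem" 2>/dev/null
}

# Usage: sh audit.sh /path/to/client.pem [lead_days]   (60 is an assumed default)
if [ "$#" -ge 1 ]; then
    perms_ok "$1" || echo "WARNING: $1 is readable by group or other"
    renewal_status "$1" "${2:-60}"
fi
```

Because a new certificate works in parallel with the current one, a `RENEW` result can be handled without downtime by ordering and installing the replacement before the old certificate expires.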