Netrust SSL Web Server Certificate New Application Enrolment Guide

Netrust SSL Web Server Certificate New Application Enrolment Guide Updated: September 2010 Version: 2.0

Table of Contents 1 Introduction 3 2 Requirements 3 3 Launching Netrust SSL Web Server Certificate Application Website 3 4 Entering the Promotional Code 4 5 Review all information before proceeding 5 6 Confirmation of your Proof of Right 5 7 Inputting the CSR and Password 6 a. Guidelines for creating CSR 7 b. Sample CSR 7 c. Web Server Type Selection 8 8 CSR and Domain Information Check 9 9 Provide Contacts 10 10 Contact Information Confirmation 11 11 Subscription Agreement 12 12 Review Supplied Information 12 13 Confirmation of Application 14 14 Telephone and Email Support 14 Annex A 15 Copyright 2010 by Netrust Pte Ltd. All rights reserved. 2

1 Introduction This guide provides instructions on the application for a Netrust SSL Web Certificate It is assumed that you are familiar with the Windows environment. 2 Requirements Please ensure you have the following items before you start with the application: A Certificate Signing Request (CSR) Learn how to generate a CSR from your web server at http://www.entrust.net/ssl-technical/webserver.cfm Promotional Code obtained from Netrust Pte Ltd via email Details of the Authorising, Technical and Billing Contacts 3 Launching Netrust SSL Web Server Certificate Application Website Ensure that you are connected to the Internet Browse Netrust SSL Web Server Certificate Application Website at https://ssl.netrust.net/ssl. Copyright 2010 by Netrust Pte Ltd. All rights reserved. 3

4 Entering the Promotional Code Key in the Promotional Code into the text box provided and click Submit. Copyright 2010 by Netrust Pte Ltd. All rights reserved. 4

5 Review all information before proceeding Netrust Pte Ltd Your promotional code has been verified. Click Proceed to Step 1 to proceed with the enrolment. 6 Prepare your Proof of Right Please refer to Annex A of this Enrolment Guide for the documents needed as your Proof of Right. Submit the documents after registering the promo code. (Only applicable to companies outside of Singapore) Click Proceed to Step 2 for the next step. Copyright 2010 by Netrust Pte Ltd. All rights reserved. 5

7 Inputting the CSR and Password Copy and paste the CSR (the following page will show an example of a CSR) onto Certificate Signing Request box. Key in a Password which you will be using during your next renewal. Key in the same password to confirm. (Note: Do not forget your password as you will be asked for this upon renewal) Click on the drop down menu to select the Server Type which you are using. Please refer to Section 7(c) for example of Server Type drop down menu. Click Proceed to check CSR to proceed. Copyright 2010 by Netrust Pte Ltd. All rights reserved. 6

a. Guidelines for creating a CSR For creating a new CSR, please use the following guidelines: Netrust Pte Ltd 1. Do not use special characters in the challenge or revocation passphrase (if applicable). The following characters are unsupported: ".,;-@#$%^&!*)(-+=<>?/: 2. Do not use the following characters in the common name field of the CSR as they are unsupported: "_,;@#$%^&!*)(+=<>?/: 3. Bit key length should be 2048. Starting 1 January 2011, Entrust will no longer be able to accept any Certificate Signing Requests with 1024 bit key sizes. 4. CSR should be in Base64 (pem) encoded format. Some FTP and text editor programs might corrupt the format. b. Sample CSR Only copy and paste the content highlighted. Do not include any blank spaces before or after the CSR, and remember to include the "----BEGIN CERTIFICATE REQUEST----- " and "----- END CERTIFICATE REQUEST-----" lines. Copyright 2010 by Netrust Pte Ltd. All rights reserved. 7

c. Web Server Type Selection Click on the drop down menu to display the list of server types. Then select the server type used. Server Type information is needed for reference purposes only. If your server is not in the list, you may select the closest option or Others. Copyright 2010 by Netrust Pte Ltd. All rights reserved. 8

8 CSR and Domain Information Check The displayed information is extracted from the CSR, please ensure that all details are correct. If any of this information is incorrect, a new CSR needs to be generated to be used to request for SSL Web Certificate. Note: Ensure that the organization field (O=) in the CSR matches the legally registered name of the organization for which you are requesting the certificate for (authorising contact s organization). If everything is correct, click Proceed to Step 3 to go to the next step. Copyright 2010 by Netrust Pte Ltd. All rights reserved. 9

9 Provide Contacts Key in all required information in the text box provided. Please do not leave any field blank. Copyright 2010 by Netrust Pte Ltd. All rights reserved. 10

Note: The Technical Contact and Authorising Contact must be different individuals. Email address for the Authorising contact must not be a group or generic email. If you are applying on behalf of another organization, the Authorising Contact MUST be a representative from the domain owner s company. Please refer to Annex A if you are applying on behalf of your customer. Once completed, click Verify Information to proceed. 10 Contact Information Confirmation Ensure all the details entered are correct. Click Previous Step to make any amendments. If everything is correct, click Proceed to Step 4 to go to the next step. Copyright 2010 by Netrust Pte Ltd. All rights reserved. 11

11 Subscription Agreement Read through the subscription agreement and once you agree, click on the check box I have read and agreed with this agreement. Then click on Proceed to Step 5 to go to the next step. Copyright 2010 by Netrust Pte Ltd. All rights reserved. 12

12 Review Supplied Information Please click Submit Order if you no longer need to make any amendments on all the information provided. Copyright 2010 by Netrust Pte Ltd. All rights reserved. 13

13 Confirmation of Application Confirmation page indicates that you have successfully enrolled the promo code and your application will be processed. A Tracking ID is given to monitor the progress of your order. Your certificate will be processed within 2-5 working days. Once your application is approved, the Authorising and Technical Contact will receive an email with the certificate from Netrust. 14 Telephone and Email Support Netrust provides helpdesk support during office hours from Mondays to Fridays, 9:00am 5:30pm GMT +08:00. Contact us at (+65) 62121388. Email support is also available at sslsupport@netrust.net. Copyright 2010 by Netrust Pte Ltd. All rights reserved. 14

ANNEX A Copyright 2010 by Netrust Pte Ltd. All rights reserved. 15

Proof of Right Documents and Authorisation Letter Case 1: If you are applying on behalf of a Private Company, Society or Government Agency We need A copy of Authorisation Letter (Template 1) Case 2: We need Case 3: We need Case 4: We need Case 5: We need If you are a Private Company based in Singapore applying on your own A copy of the Company Registration which we can retrieve from Accounting and Corporate Regulatory Authority online If you are a Society based in Singapore applying on your own A copy of the Society s Registration which we can retrieve from Registry of Societies online If you are a Government Agency applying on your own A copy of the registration details of the entity which we can obtain online from Unique Entity Number If you are applying on behalf of a Private Company based outside of Singapore (a) A copy of your Company s Business/Company Registration Certificate (b) A copy of Authorisation Letter (Template 1) Case 6: If you are applying on behalf of a Government Agency outside of Singapore We need A copy of the Authorisation Letter (please use Template 1) Case 8: We need If you are a Private Company based outside of Singapore applying on your own A copy of your Company s Business/Company Registration Certificate Please email the required documents to sslsupport@netrust.net or send them via fax to (65) 62121366. Authorisation and Technical Contacts If you are applying on behalf of another company (i.e. domain owner), appoint the applicant as the technical contact. This person will be in-charge of the pre-certificate application / certificate application / any post processes e.g. certificate installation. Appoint a representative from the domain owner s company as the authorising contact. Authorising and technical contacts must be different individuals. Copyright 2010 by Netrust Pte Ltd. All rights reserved. 16

Other important information 1. Supported web server, CSR generation and installation instructions: http://www.entrust.net/ssl-technical/webserver.cfm 2. Supported web browser: http://www.entrust.net/ssl-technical/browsers/index.cfm 3. Subscriber Agreement: http://www.entrust.net/buy/pdf/subscription_agreement_20080418.pdf 4. SSL provides a secure channel for data transmission. Additionally, it also provides server verification. 5. Certificate signed by Entrust will be trusted by the browser upon installation of the chain certificate which is issued to the applicant together with the server certificate. 6. The web addresses (cn=) are tied to the certificate 7. DNS poisoning will redirect the traffic to another webpage that is insecure. It cannot be secured since all CAs verify the owner of the site address (e.g. ) before issuing the certificate tied to the web address. Even if the hacker tries to create his own self-signed certificate that looks similar to the authentic site, the certification path does not originate from a trusted CA and hence the browser will prompt user with an error message 8. There are only 4 ways to compromise the trust a. Loss of PKCS#12 package by administrator (that includes the private key) b. Server has been compromised c. Client s machine is compromised by trojans that populate the un-trusted CA to the trusted CA certificate store d. Web browser is buggy and has been compromised by malicious web application. What happens after you finish Online Enrolment? 1. When you have submitted your SSL online enrolment application, Netrust SSL Support will receive your application and it will be pending for verification. 2. Netrust SSL Support will send an email to the Authorising Contact to confirm employment of the person indicated as the Technical Contact. This is a simple process done purely via email. Hence, please kindly check your email promptly to avoid any delay in your application. 3. Verification of your SSL application takes about 2-5 working days. 4. When the SSL Certificate is ready, Netrust SSL Support will send an email to the authorising and technical contacts containing the certificate. Copyright 2010 by Netrust Pte Ltd. All rights reserved. 17

Each Standard server certificate comes with a one-time replacement within a period of 30 days starting from the original issuance date. If you require a replacement after thirty days, you must purchase a new certificate. Please note: Promotional Code has a validity of 3 months from the date of issuance. Extension or replacement of Promotional Code is strictly not permitted. Copyright 2010 by Netrust Pte Ltd. All rights reserved. 18

Template 1 Authorisation Letter for Applying On Behalf of Organisation [Date] - - - PRINT THIS LETTER ON AUTHORISING CONTACT S COMPANY LETTERHEAD - - - To: Netrust Pte Ltd Verification Officer, #05-03, Luzerne, FAX: (65) 6212 1366 RE: APPLICATION FOR WEB SERVER CERTIFICATE I, [Name of Authorising Contact], approve the acquisition(s) of a limited right to use one or more Entrust SSL Web Server certificate(s) (including any renewal certificates) on behalf of [Authorising Contact s Company] ("Subscriber"). I represent and warrant that: - 1. I am duly authorized to bind Subscriber to the terms and conditions of the Entrust SSL Certification Practice Statement available on the internet at http://www.entrust.net/about/practices.cfm and the Entrust SSL Web Server Certificate Subscription Agreement at http://www.entrust.net/buy/pdf/sslsubagree011405.pdf (collectively the Terms ); 2. Subscriber hereby agrees to the Terms; and 3. Subscriber has sufficient legal power, corporate or otherwise, to enter into such agreements. I acknowledge that an Entrust digital certificate may be used to bind Subscriber in electronic commerce transactions and that the protection of the Subscriber's private keys associated with an Entrust digital certificate is solely the responsibility of Subscriber. I authorize [Name of Technical Contact] from [Technical Contact s Company] to request one or more certificate(s) for [Domain Name] on our behalf (including any renewal certificates), and to act as a technical contact on my behalf in respect of such certificate. IN WITNESS WHEREOF, I have executed this authorisation letter. Yours Sincerely, [Name of Authorising Contact] [Designation] Copyright 2010 by Netrust Pte Ltd. All rights reserved. 19