INFORMATION TECHNOLOGY CERES DEPARTMENT

LRA APPLICATION MANUAL

                Name                 Date
Written by:     Technical support    18/10/2010
Revised by:
Approved by:

DOCUMENT TRACEABILITY

Version   Date         Description         Author
1.0       18/10/2010   Document Creation   Technical support

Reference:
Document classified as: Public

Contents

1. Introduction
2. Technical requirements
   2.1. Hardware
   2.2. Software
        2.2.1. Internet Explorer configuration
3. LRA application
   3.1. Application Access
   3.2. Selecting the registration case
   3.3. Registration process
        3.3.1. Fill in the certificate holder data form
        3.3.2. Signature of the Request for Issuance, Revocation, Suspension or Cancellation of Suspension
        3.3.3. Completion of the registration process
        3.3.4. Acknowledge
   3.4. Certificate revocation
   3.5. Certificate suspension
   3.6. Cancellation of the suspension (activation of suspended certificates)
4. Contact Us
5. Annex I. Installation Instructions CAPICOM 2.1.0.2 FNMT-RCM

1. INTRODUCTION

This manual aims to capture the operational requirements to be met by any LRA and to guide authorized operators through the LRA application. Through this application you can ask the FNMT-RCM for the issuance, revocation, suspension and cancellation of the suspension of lightweight, normalized and qualified certificates. (Please refer to the specific procedures, which are available at https://ec.fnmt.es/lra/documentation.html)

2. TECHNICAL REQUIREMENTS

2.1. HARDWARE

- USB smartcard PC/SC reader.
- Internet connection through fixed IP addresses. These IP addresses must be previously communicated to the FNMT-RCM and assigned to a workstation through FORM 200.
- Direct connection to a printer, or connection via the local network.
- Cryptographic smartcard hosting the LRA Referent's/officer's Qualified Certificate.

2.2. SOFTWARE

- Operating system: Microsoft Windows XP (SP3), Windows Vista or Windows 7. It is recommended that the OS is kept updated.
- Valid browsers (it is recommended that the browser is kept updated):
  o Internet Explorer 7 or higher.
  o Firefox 3.5 or higher.
- Smartcard reader drivers, correctly installed.
- Cryptographic software from the FNMT-RCM.
- Adobe Reader 8 or higher.
- Capicom (Microsoft cryptographic module). Only for Internet Explorer users. See Annex I.
- Install the root certificates of the ISA CA and FNMT-RCM CA.

2.2.1. Internet Explorer configuration

- In Internet Explorer, go to Tools / Internet Options / Security.
- Click "Trusted Sites."
- In the level control on the left, scroll down to select "low." If there is no level control, press "default level."
- Press the "Sites" button.
- Uncheck the option "Require server verification (https://) for all sites in this zone."
- In the textbox "Add this website to the zone", add the following URLs: http://*.fnmt.es and https://*.fnmt.es
- Close the window.
- Restart the browser.

3. LRA APPLICATION

3.1. APPLICATION ACCESS

Access the LRA application through the URL https://registro20.cert.fnmt.es. Please note that you will need both your Normalized and your Qualified certificate to operate within the application.

First you will be required to authenticate to the service. You must select your Normalized Certificate and click OK to continue. (Please remember that your Normalized Certificate will be shown to you as: AUTH + name + surname)

If you have previously been authorized as an LRA operator, you will be logged in to the home page of the LRA application.

3.2. SELECTING THE REGISTRATION CASE

To start operating, please click the "User registration" option in the left menu. A menu will be displayed with the different registry options you are allowed to operate with. You must select the appropriate option in each dropdown menu:

- Certification Authority: list of available CAs. ISA CA
- Type of Petition: please select the operation to perform:
  o Issuance: operation to collect the data in order to register a new certificate.
  o Revocation: operation to terminate a certificate.
  o Suspension: operation to terminate a certificate temporarily. The certificate will be in a suspended state for at most 15 days. After the 15 days of suspension, if the cancellation of suspension has not been processed, the certificate will be automatically revoked.
  o Cancelling the suspension: operation to return the suspended certificate to an enabled state.
- Type of Certificate: select the type of certificate you need to operate with:
  o Lightweight certificate (LCP).
  o Normalized certificate (NCP).
  o Qualified certificate (QCP).

Data Pre-charge: after you select the options, the data preloading menu will be displayed. If the user data have previously been loaded (by a previous record) in the CA's database, please complete the following fields:

  o Name
  o First Surname
  o E-Mail

The certificate holder data will then be filled in automatically in the next form.

3.3. REGISTRATION PROCESS

3.3.1. Fill in the certificate holder data form

Regardless of the LRA application operation selected, the first step consists of filling in the form with the certificate holder's data. If the data have been pre-charged, please verify the correctness and authenticity of the data displayed. Please note that fields marked with * are required.

Once the form is completed you may:

  o Cancel: return to the main menu.
  o Reset: delete the entered data.
  o Accept: go to the next step.

When you click Accept, the application will check the correctness and completeness of the data entered, and it will warn you if any field is incorrect or a required field is missing.

Once all the required data are correct, the application will display the completed form for your review. You must then select one of the following options:

- Accept: launch the data signature process.
- Correct Data: return to the previous form.
- Cancel: return to the main menu.

3.3.2. Signature of the Request for Issuance, Revocation, Suspension or Cancellation of Suspension

The LRA application will require your electronic signature for any request for issuance, revocation, suspension or cancellation of suspension of any lightweight, normalized or qualified certificate.

If your browser is Internet Explorer, a pop-up with the data to be signed will be displayed. Please note that for this signature the smartcard hosting your Qualified Certificate must be ready to be used.

Please verify the registration data once more and then click Accept to launch the signature process.

A warning message is displayed, notifying you that you are accessing the browser's certificate store. Click Yes to continue.

You are then prompted to select the certificate to sign with. You must select your Qualified Certificate and click OK to continue. (Please remember that your Qualified Certificate will be shown to you as: SIGN + name + surname)

A message will be displayed indicating that this web site is accessing your certificate's private key. Click Yes to continue.

The PIN of your smartcard is now required. Enter it and click OK.

3.3.3. Completion of the registration process

The application will display the customized contracts in duplicate. One copy shall be kept by the LRA Office and the other by the certificate holder. Printing the contracts is mandatory in order to complete the registration process.

Please be aware that if you are dealing with the issuance of Normalized or Qualified Certificates, you must gather the handwritten signature of the certificate holder as well as your own. The contracts that have to be printed on paper should be printed on both sides.

The following options will be displayed:

- Print: print the two copies of the contract (when applicable, you may use a virtual printer to generate PDF documents). It is necessary to click this button to go to the next step. If all data are OK, click Accept to end the registration process.
- Accept: click here to end the registration process. Please remember to click the PRINT button first.
- Correct Data: click here to return to the previous form so that you can correct the incorrect data.
- Cancel: click here to return to the main menu.

3.3.4. Acknowledge

If the registration process has ended successfully, a tick will be displayed indicating the success of the process, together with the registration number. If there is any error, the application will display a red cross and information about the error that occurred.

3.4. CERTIFICATE REVOCATION

The revocation procedure is similar to the one previously described for the Issuance. Please note that in this case the application will ask you to choose one of the predefined reasons for revoking the certificate. You must select one of the following reasons:

- Modification of the Certificate: you may select this option when any of the certificate holder's data have changed and a new certificate is required.
- Key Compromise AC: this is unlikely to occur in practice. If the CA root certificates are compromised, there would be a real security risk in using any certificate issued by that CA. All the certificates involved would then be revoked automatically.
- Certificate is not necessary: the LRA determines that the certificate is no longer needed by the certificate holder for its activities and therefore decides to revoke it.
- Key Compromise: you may select this option when the private key associated with a certificate is compromised and it is therefore not safe to use it.
- Replacement of Certificate: you may select this option when the certificate holder no longer needs this certificate but needs one of another type.

3.5. CERTIFICATE SUSPENSION

The suspension procedure is similar to the one previously described for the Issuance. This action will invalidate the certificate for a maximum period of 15 days. Beyond this period, if no cancellation of suspension is processed, the certificate will be automatically revoked.

3.6. CANCELLATION OF THE SUSPENSION (ACTIVATION OF SUSPENDED CERTIFICATES)

The cancellation of the suspension procedure is similar to the one previously described for the Issuance. This action will restore the validity of a certificate in a suspended state. The cancellation of the suspension of any certificate shall be processed, when necessary, within the 15-day period of suspension. If no cancellation of the suspension is processed within this period, the certificate will be automatically revoked.

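The certificate states and the 15-day rule of sections 3.4 to 3.6, modelled as an added example that is not part of the original manual or of the FNMT-RCM application; it lets an LRA office track how long it still has to cancel a suspension. The class, method and constant names are hypothetical. Assumptions: a suspension of exactly 15 days still counts as suspended, and a suspended certificate may be revoked directly.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

SUSPENSION_LIMIT = timedelta(days=15)  # maximum suspension period per the manual
# The five predefined revocation reasons listed in section 3.4.
REVOCATION_REASONS = {"Modification of the Certificate", "Key Compromise AC",
                      "Certificate is not necessary", "Key Compromise",
                      "Replacement of Certificate"}
AUTO_REASON = "Suspension expired"  # hypothetical label, not an application value

Status = Enum("Status", "VALID SUSPENDED REVOKED")

@dataclass
class Certificate:  # hypothetical model, not the application's own data structure
    holder: str
    status: Status = Status.VALID
    suspended_at: Optional[datetime] = None
    reason: Optional[str] = None

    def refresh(self, now: datetime) -> Status:
        """Auto-revoke once the window has passed (exactly 15 days: still suspended)."""
        if self.status is Status.SUSPENDED and now - self.suspended_at > SUSPENSION_LIMIT:
            self.status, self.reason = Status.REVOKED, AUTO_REASON
        return self.status

    def suspend(self, now: datetime) -> None:
        if self.refresh(now) is not Status.VALID:
            raise ValueError("only a valid certificate can be suspended")
        self.status, self.suspended_at = Status.SUSPENDED, now

    def cancel_suspension(self, now: datetime) -> None:
        if self.refresh(now) is not Status.SUSPENDED:
            raise ValueError("not suspended (possibly auto-revoked already)")
        self.status, self.suspended_at = Status.VALID, None

    def revoke(self, reason: str, now: datetime) -> None:
        if reason not in REVOCATION_REASONS:
            raise ValueError(f"unknown revocation reason: {reason}")
        if self.refresh(now) is Status.REVOKED:
            raise ValueError("certificate is already revoked")
        self.status, self.reason = Status.REVOKED, reason

    def days_left(self, now: datetime) -> Optional[int]:
        # Whole days left to cancel the suspension; None when not suspended.
        if self.refresh(now) is not Status.SUSPENDED:
            return None
        return (self.suspended_at + SUSPENSION_LIMIT - now).days
```

Calling days_left for every suspended certificate gives the office a list of pending deadlines; a cancel_suspension attempted after the window fails because refresh has already moved the certificate to the revoked state.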
4. CONTACT US

For any questions, feedback, problems, etc., please do not hesitate to contact us through this email: technicalsupport@fnmt.es

5. ANNEX I. INSTALLATION INSTRUCTIONS CAPICOM 2.1.0.2 FNMT-RCM

- You can download it by clicking here.
- Install the downloaded executable "Capicom_2.1.0.2_FNMT_RCM.exe."
- In Internet Explorer, go to Tools / Internet Options / Security.
- Click "Trusted Sites."
- In the level control on the left, scroll down to select "low." If there is no level control, press "default level."
- Press the "Sites" button.
- Uncheck the option "Require server verification (https://) for all sites in this zone."
- In the textbox "Add this website to the zone", add the following URLs: http://*.fnmt.es and https://*.fnmt.es
- Close the window.
- Restart the computer.

NOTE: If your OS is Windows Vista, you must disable User Account Control under User Accounts in the Control Panel and restart your computer.