Client Side Digital Certificates User Enrolment Guide
Table of Contents

1. INTRODUCTION
2. INSTALLING A NEW CERTIFICATE AUTHORITY
3. ENROLLING THE NEW CSDC
4. CONFIRMING AND EXPORTING THE CSDC
5. REMOVING THE PREVIOUS CSDC
6. RENEWING A CSDC
7. APPENDIX 1 - TROUBLESHOOTING
7.1. INABILITY TO INSTALL AND RUN THE ACTIVEX COMPONENT
7.1.1. Installing the ActiveX Component
7.1.2. Adding https://pki.verisign.com.au to Trusted Sites in Internet Explorer
7.2. INTERNET EXPLORER (9 OR LATER) SPECIFIC SETTINGS

Copyright 2014 ASX Limited ABN 98 008 624 691. All rights reserved 2014.

1. Introduction

A Client Side Digital Certificate (CSDC) is required to authenticate customers who access a range of ASX systems. To successfully enrol a new CSDC, the following process should be followed in the specified order:

1. Install a new Certificate Authority (CA)
2. Enrol the new CSDC
3. Confirm the CSDC Enrolment
4. Remove Previous CSDC

When a CSDC is about to expire (one year from its enrolment), users will be sent an email 30 days prior requesting that the CSDC be renewed.

If any difficulties are encountered during the process of enrolling a CSDC, see Appendix 1 - Troubleshooting. For any other questions regarding the enrolment of a CSDC, contact certificate.support@asx.com.au.

2. Installing a New Certificate Authority

Before a new CSDC can be enrolled, a new CA needs to be installed. If the CA is not installed prior to enrolling, an error occurs (duplicate digital ID) and a new CSDC will need to be reissued.

To install a new CA:

1. Select: https://pki.verisign.com.au/services/asxoperationsptyltdasxcag2/digitalidcenter.htm. This opens the Digital ID Centre where CSDCs can be managed.
2. Click INSTALL CA to install the CA. This opens the Certificate window at the General tab. If a red cross appears in the Certificate Information frame it indicates that the CSDC is not trusted. Later in this procedure the opportunity is provided to place the CSDC in the Trusted Root Certification Authorities store.
3. Click Install Certificate. Clicking Install Certificate opens the Certificate Import Wizard window.
4. Click Next. This opens the Certificate Store frame.
5. Click Place all certificates in the following store.
6. Click Browse. Clicking Browse enables the required certificate store to be selected.
7. Navigate to and select Trusted Root Certification Authorities, and click OK. The Certificate Import Wizard window is displayed.
8. Click Next. Clicking Next opens the Completing the Certificate Import Wizard frame.
9. Click Finish. Once Finish is clicked, a security warning appears.
10. Click Yes. When Yes has been clicked, a message appears indicating that the installation was successful.
11. Click OK. Once OK has been clicked the new CA is installed. However, the installation of the CA should be checked to ensure that it has been saved in the correct location.
12. Select Tools > Internet Options from Internet Explorer. This opens the Internet Options window.
13. Select Content and click Certificates. This opens the Certificates window.
14. Select Trusted Root Certification Authorities. Check that the installed CA is listed in the Trusted Root Certification Authorities frame.
15. Click Close. If the installed CA is listed, click Close. If the certificate is not listed, attempt to install the CA again. If there are still issues in installing the CA, contact certificate.support@asx.com.au.
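
The location check in steps 12 to 15 can also be made from PowerShell. The following is an added example, not part of the ASX guide: it reports which current-user store the CA certificate was actually saved in. The thumbprint is a placeholder, because this guide does not give one; use the value ASX confirms for this CA.

```powershell
# Added example: confirm where the newly installed CA certificate was stored.
# ASSUMPTION: $ExpectedThumbprint is a placeholder. Replace it with the SHA-1
# thumbprint that ASX confirms for this CA (it is not given in this guide).
$ExpectedThumbprint = '<CA-THUMBPRINT-PLACEHOLDER>'

# Strip spaces and any other non-hex characters copied from a certificate dialog.
$want = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# Current-user stores the Certificate Import Wizard could have written to.
$stores = [ordered]@{
    'Root' = 'Trusted Root Certification Authorities'
    'CA'   = 'Intermediate Certification Authorities'
    'My'   = 'Personal'
}

$found = foreach ($name in $stores.Keys) {
    Get-ChildItem -Path "Cert:\CurrentUser\$name" |
        Where-Object { $_.Thumbprint -eq $want } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $stores[$name]
                Subject    = $_.Subject
                SelfSigned = ($_.Subject -eq $_.Issuer)   # a root CA is self-issued
                NotAfter   = $_.NotAfter
            }
        }
}

if (-not $found) {
    Write-Warning 'CA not found in any current-user store: repeat the installation.'
} elseif ($found.Store -notcontains 'Trusted Root Certification Authorities') {
    Write-Warning 'CA was imported, but not into Trusted Root Certification Authorities.'
}
$found | Format-Table -AutoSize
```

The security warning shown at step 9 displays the thumbprint of the certificate being trusted, so the same confirmed value can be compared there before clicking Yes.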

3. Enrolling the New CSDC

Once the CA has been successfully installed, the new CSDC can be enrolled.

To enrol the new CSDC:

1. Click https://pki.verisign.com.au/services/asxoperationsptyltdasxcag2/digitalidcenter.htm. This opens the Digital ID Center window.
2. Select Enroll. Once Enroll has been selected, the Enrollment window opens.
3. Enter enrolment details in the specified fields. Enter the First Name, Last Name, E-mail Address and Passcode that was provided by the ASX Password Administrator.
   Note: All fields are case sensitive except the Passcode.
4. Enter a challenge phrase in the Enter Challenge Phrase field. The challenge phrase should be recorded and kept in a safe location and not shared with anyone. This phrase should be a unique phrase to ensure that it provides protection against unauthorised action on the CSDC.
   Warning: Ensure that the challenge phrase is kept in a safe location. This phrase is required for certificate renewal. If the challenge phrase has been misplaced, a new certificate will need to be reissued.
5. Click Submit. Once Submit has been clicked, a message dialog box is displayed. Check that the email address is correct.
   Note: The Enter Comments field does not require any information to be entered.
6. Click OK if the email address is correct. If the email address is incorrect, click Cancel and re-enter the email address in the Your E-mail Address field, and click Submit again. Once OK has been clicked, the Web Access Confirmation dialog box opens.
7. Click Yes. If this is a trusted site, click Yes. This opens the Internet Explorer dialog box.
8. Click Yes. In the Internet Explorer dialog box, click Yes to allow the interaction.
9. Click Yes twice. The Web Access Confirmation dialog box appears twice. Click Yes in both windows. Once Yes has been clicked the second time, a confirmation message is displayed.

4. Confirming and Exporting the CSDC

Once the CSDC is enrolled it needs to be confirmed that it was enrolled correctly. If the CSDC has been correctly enrolled it should be exported to a local drive as a backup copy.

To confirm and export the enrolled CSDC:

1. Select Tools > Internet Options from the Internet Explorer browser. This opens the Internet Options window.
2. Select Content and click Certificates. Clicking Certificates opens the Certificates window.
3. Check the expiration date for the CSDC ensuring that it expires a year from the date it was installed.
4. Click Export. Once the CSDC has been enrolled, a backup copy needs to be exported to a local drive. Clicking Export opens the Certificate Export Wizard window.
5. Click Next. Clicking Next opens the Export Private Key frame, and enables the option of exporting the private key with the certificate.
6. Click Yes, export the private key, and click Next. Clicking Yes, Export the private key opens the Export File Format frame.
7. Click Personal Information Exchange - PKCS #12 (.PFX), Include all certificates in the certificate path if possible and Export all extended properties, and click Next. This opens the Password frame. The password is required to protect the private key and import the certificate.
8. Enter a password in the Password field, and confirm the password.
9. Click Next. Once Next has been clicked, the File to Export frame opens.
10. Click Browse and navigate to the required location on a local drive.
11. Enter a meaningful file name and click Save.
12. Click Next. Once Next has been clicked, confirmation that the export was successful is displayed. Ensure that the settings displayed in the frame are correct. If not, select Back and re-enter the required settings.
13. Click Finish. Click Finish to complete the export process.
14. Click OK.
15. Click Close. Click Close to complete the exporting of the CSDC.

5. Removing the Previous CSDC

The previous CSDC needs to be removed now that the CSDC is enrolled.

To remove the previous CSDC:

1. Open Internet Explorer and select Tools > Internet Options. This opens the Internet Options window.
2. Click Content and then click Certificates. This opens the Certificates window.
3. Click Personal and select the previous CSDC in the list.
   Warning: Check the date carefully to ensure the correct certificate is removed. If the newly enrolled certificate is removed, another new certificate will need to be installed.
4. Click Remove. Clicking Remove removes the existing CSDC.
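
The date checks in section 4 (step 3) and section 5 (step 3) can be made from PowerShell before anything is removed. This is an added example, not part of the ASX guide: it is read-only and lists the personal certificates from one issuer, newest first. The issuer string is a placeholder, and the 360 to 370 day window used for "one year" is an assumption.

```powershell
# Added example: tell the new CSDC and the previous one apart by date.
# Read-only: nothing is exported or removed.
# ASSUMPTION: $IssuerMatch is a placeholder for the issuer name shown in the
# "Issued By" column of the Certificates window (not given in this guide).
$IssuerMatch = '<ISSUER-NAME-PLACEHOLDER>'
$now = Get-Date

# Personal store of the current user, newest certificate first.
$csdc = @(Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -like "*$IssuerMatch*" } |
    Sort-Object NotBefore -Descending)

$i = 0
$report = foreach ($c in $csdc) {
    $lifetime = [int](($c.NotAfter - $c.NotBefore).TotalDays)
    $left     = [int](($c.NotAfter - $now).TotalDays)

    $notes = @()
    if (-not $c.HasPrivateKey) { $notes += 'no private key' }
    # ASSUMPTION: 360-370 days is treated as "one year".
    if ($lifetime -lt 360 -or $lifetime -gt 370) { $notes += 'not a one-year certificate' }
    if ($left -lt 0)       { $notes += 'expired' }
    elseif ($left -le 30)  { $notes += 'renewal due' }   # 30-day renewal notice period

    [pscustomobject]@{
        Role       = if ($i -eq 0) { 'NEWEST - keep' } else { 'previous' }
        Thumbprint = $c.Thumbprint
        NotBefore  = $c.NotBefore
        NotAfter   = $c.NotAfter
        DaysLeft   = $left
        Notes      = $notes -join '; '
    }
    $i++
}
$report | Format-Table -AutoSize
```

Only a row marked "previous" corresponds to the certificate to select in step 3; a "NEWEST - keep" row with a note such as "no private key" indicates the enrolment should be checked before the older certificate is removed.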

6. Renewing a CSDC

Thirty days prior to a CSDC expiring, users are sent an email notifying them that the certificate is about to expire. Users are required to renew the certificate before it expires.

To renew a CSDC:

1. Click https://pki.verisign.com.au/services/asxoperationsptyltdasxcag2/digitalidcenter.htm. This opens the Digital ID Center window.
2. Click Renew.
3. Click Submit. Once Submit has been clicked, a dialog box appears.
4. Select the current CSDC from the list and click OK.
5. Click Yes.
6. Follow the on-screen instructions to ensure the CSDC is correctly installed.

7. Appendix 1 - Troubleshooting

Occasionally when enrolling a new CSDC, users may experience difficulty. This is usually a result of the end user's desktop computer configuration. The common difficulties that may be encountered include the inability to install and run ActiveX components, and the user's Internet Explorer configuration not being compatible with enrolling the CSDC.

7.1. Inability to Install and Run the ActiveX Component

An ActiveX component called Personal Trust Agent (PTA) is required for successful enrolment or renewal. The user attempting the enrolment/renewal must have privileged (admin) rights to install the required ActiveX. Where this is not possible due to security policies, the required ActiveX components can be installed by the system administrators using the OnSite.MSI package provided by Symantec (Verisign).

For details on installing the OnSite.MSI package and configuring ActiveX and Trusted Sites, refer to Chapter 12 in the PDF document below. Double-click the icon to open the document. To run the OnSite.MSI software, double-click on the OnSite.MSI icon below.

VeriSign Managed PKI - Installation and Conf

7.1.1. Installing the ActiveX Component

An ActiveX component called Personal Trust Agent (PTA) is required for successful enrolling of a CSDC. The user attempting enrolment must have privileged (Admin) rights to install the required ActiveX. Where this is not possible due to security policies, the required ActiveX components can be installed by the System Administrators using the OnSite.MSI package provided by Symantec (VeriSign).

7.1.2. Adding https://pki.verisign.com.au to Trusted Sites in Internet Explorer

To ensure that the required ActiveX component is activated properly, https://pki.verisign.com.au needs to be added to the list of trusted sites in Internet Explorer. The security settings need to be changed to allow the CSDC to be enrolled.

To add the ActiveX component to the list of trusted sites on Internet Explorer:

1. Open Internet Explorer.
2. Select Internet Options from the Tools menu.
3. Click Security, and click Trusted sites (green tick). This displays the Trusted sites frame.
4. Click Sites. This opens the Trusted sites window enabling trusted sites to be added to the list.
5. Enter https://pki.verisign.com.au in the Add this website to the zone: field.
6. Click Add and then Close. This opens the Security level for this zone frame.
7. Move the slider in the Security level for this zone frame to the base of the slider so that it is Low, and click OK. If the slider is not visible, click Default level and it should be displayed.
8. Close all Internet Explorer windows. Once all of the Internet Explorer windows have been closed, continue to enrol the CSDC.

7.2. Internet Explorer (9 or later) Specific Settings

If Internet Explorer 9 or later is used, additional steps are required before a CSDC can be enrolled.

To enable Internet Explorer 9 or later to be compatible for enrolling:

1. Select Tools > Compatibility View Settings from Internet Explorer. This opens the Compatibility View Settings window.
2. Add https://pki.verisign.com.au in the Add this website field.
3. Select Include Updated website lists from Microsoft and Display internet sites in Compatibility View.
4. Click Close. Once all of the Internet Explorer windows have been closed, continue to enrol the CSDC.

Disclaimer

This document provides general information only and may be subject to change at any time without notice. ASX Limited (ABN 98 008 624 691) and its related bodies corporate ("ASX") makes no representation or warranty with respect to the accuracy, reliability or completeness of this information. To the extent permitted by law, ASX and its employees, officers and contractors shall not be liable for any loss or damage arising in any way, including by way of negligence, from or in connection with any information provided or omitted, or from anyone acting or refraining to act in reliance on this information. The information in this document is not a substitute for any relevant operating rules, and in the event of any inconsistency between this document and the operating rules, the operating rules prevail to the extent of the inconsistency.

ASX Trademarks

The trademarks listed below are trademarks of ASX. Where a mark is indicated as registered it is registered in Australia and may also be registered in other countries. Nothing contained in this document should be construed as being any licence or right to use of any trademark contained within the document.

ASX