Regulatory reporting

LuxTrust certificate renewal guide

Version 1.9 (April 2015)

Don't communicate or reproduce without Luxembourg Stock Exchange authorization

Reference: ManuUtil_EFile_Renewal_of_a_LuxTrust_Certificate_EN.doc
1 LuxTrust SSL certificate ordering
  1.1 Generating a new key pair
  1.2 EasySSL Order
  1.3 Complete the form
  1.4 Waiting for the certificate
2 Retrieving the certificate
3 Declaring your certificate to the CSSF
4 Deploying the keystore
  4.1 Activating the new certificate
  4.2 Deploying the keystore
1 LuxTrust SSL certificate ordering

The ordering process is divided into two major steps:

- The electronic request, which starts with the generation of a new key pair to provide to LuxTrust (see part 1.1 below).
- The postal request, to be completed with the same information as the electronic order.

As soon as LuxTrust has received both requests and the payment has been made, they will provide you with a brand new certificate, which you will need to activate by following the second chapter of this manual.

1.1 Generating a new key pair

!! From this step, all operations must be performed on a single workstation with an active encryption module !!

Furthermore, so that you can resolve any problem you might face during this process, we strongly advise you to back up your keystore (.ks file) before going on with this manual.

Note: If you are ordering a certificate for the very first time, please note that a working e-file station means you have:

- Java installed (minimum version = 1.6_14).
- The downloading of Jar files authorized.

Please do not hesitate to call us should you have any doubt about this subject.
Connect to www.e-file.lu with your administrator access (adminxxx).

Follow the Certificate activation link.

Click on 2 Generate to generate the new PKCS10 encryption keys that will let you order a new LuxTrust certificate.
Enter your usual keystore password and fill in the information about your entity that will be reported in your certificate.

You must enter your usual keystore password twice. This password was defined during the very first certificate request to LuxTrust and must be known by all e-file users linked to your entity.

The keystore and the password are closely related. The loss of either would prevent you from sending your documents.

If the computer is correctly configured, the keystore path is already set up correctly, meaning it already refers to the keystore used by your encryption module.

Important: Java must have write permissions on the folder.

Note: If you are ordering a certificate for the very first time, you do not have any keystore yet. In other words, you just need to define a brand new password, which you will have to provide to all the e-file users since they will need to use it before every sending. Furthermore, since the keystore path field is empty, just define any name for the keystore using the Browse button.
Important note: We invite you to fill in both the Name and the Entity fields with the complete name of your company.

Click the Browse button in order to name the certificaterequest.txt file, which will contain a copy of the generated keys.

** LuxTrust now only accepts a certificaterequest file with the extension .csr. That's why you have to rename your certificaterequest (from .txt to .csr) after it has been generated **

Click the Generate button.

This file contains the key which will be needed on the LuxTrust website during the next step. It is also called the P10 or CSR file.

We invite you to store both the keystore and the certificaterequest files in a subdirectory named e-file. You can use your "My Documents" directory to be sure you have write permissions. The folder tree could be, for example:

C:\Documents And Settings\My User\e-file\e-file.ks

Close the confirmation message.

Important: Once you get this message, please verify that the last modification date of the keystore has been updated. If it's not the case, it's highly probable that Java does not have write permissions on your keystore.

We recommend that you make a copy of these two files (keystore and certificate request) on a server, a shared drive, or anywhere they can be safely kept.

If the keystore .ks file or its password is lost, your order will fail and you will have to pay for another certificate.
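The checks this section asks for before moving on (request file intact, a copy carrying the .csr extension, keystore modification date updated), sketched as an added example that is not part of the original guide or of the e-file software. The function names and the backup file are hypothetical; the script writes a .csr copy instead of renaming, and it only checks the file's framing, not the request's signature.

```python
import base64
import re
import shutil
from pathlib import Path

# Accepts both "NEW CERTIFICATE REQUEST" (as in this guide) and "CERTIFICATE REQUEST".
PEM_RE = re.compile(
    r"-----BEGIN ((?:NEW )?CERTIFICATE REQUEST)-----(.*?)-----END \1-----", re.S)

def der_sequence_ok(der):
    """True if der is one ASN.1 SEQUENCE whose declared length matches the data."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short-form length
        header, length = 2, der[1]
    else:                                  # long form: next n bytes hold the length
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)

def check_request(text):
    """Return problems found in a PKCS#10 request file; an empty list means intact."""
    m = PEM_RE.search(text)
    if not m:
        return ["no BEGIN/END CERTIFICATE REQUEST markers"]
    try:
        der = base64.b64decode("".join(m.group(2).split()), validate=True)
    except ValueError:
        return ["body is not valid base64"]
    return [] if der_sequence_ok(der) else ["decoded body is not a complete DER SEQUENCE"]

def prepare_upload(request_txt, keystore, keystore_backup):
    """Run the checks, then write a .csr copy. Returns (csr_path, problems)."""
    request_txt, keystore, keystore_backup = map(Path, (request_txt, keystore, keystore_backup))
    problems = check_request(request_txt.read_text(encoding="ascii", errors="replace"))
    # The guide's check: generation must have updated the keystore's modification date.
    if keystore.stat().st_mtime <= keystore_backup.stat().st_mtime:
        problems.append("keystore not modified since backup: check Java write permissions")
    if problems:
        return None, problems
    csr = request_txt.with_suffix(".csr")   # LuxTrust only accepts the .csr extension
    shutil.copy2(request_txt, csr)          # copy, so the original .txt is kept
    return csr, []

if __name__ == "__main__":
    # Constructed sample: a 5-byte DER SEQUENCE, not a real certificate request.
    sample = "-----BEGIN NEW CERTIFICATE REQUEST-----\nMAMCAQA=\n-----END NEW CERTIFICATE REQUEST-----\n"
    print(check_request(sample), check_request(sample.replace("MAMCAQA=", "MAMCAQ==")))
```

The keystore_backup argument is the copy of the .ks file taken before clicking Generate, as recommended at the start of this section.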
1.2 EasySSL Order

LuxTrust standard SSL certificates can be ordered for a period of 1 to 2 years with a key length of 2048 (2K). The prices are displayed during the certificate selection according to its lifetime.

Browse to the EasySSL (LuxTrust) website at the page for the E-FILE SSL certificate order: https://www.easyssl.lu/?product=e-file.

Select the desired validity period (1 or 3 years) and add the certificate to your cart with the ADD TO CART button. If you are not able to see the button, please try with another browser.

You can find the CHECKOUT button in the item list, located at the top-right corner of your screen. It allows you to validate your order.

If you already own an EasySSL account, you can use it to finalize your order. Otherwise you need to create a new EasySSL account by following the different steps. Please note that the email address required is the one to which the certificate will be sent.

Once authenticated, you must agree to the «Terms and Conditions» and finally click on the PLACE ORDER button.

Once the order is completed, you will be redirected to a summary webpage. You will also receive an email containing all the information about your order.

From now on there are two steps left.

- You will find on this summary page the LuxTrust IBAN needed to make the payment. Do not forget to reference the order ID in the transaction.
- You must upload the certificaterequest file (or CSR) which was generated at the end of step 1.1.1. Click on the Choisissez un fichier button, select the file (1), and finally click on Upload (2).

Warning: The LuxTrust website now only allows the .csr extension. You need to rename your certificaterequest.txt to certificaterequest.csr for it to be taken into account.

The certificaterequest file content looks like this:

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBujCCASMCAQAwejELMAkGA1UEBhMCTFUxEzARBgNVBAcTCkx1eGVtYm91cmcxHDAaBgVBAoME05vbSBkZS
BsYSBTb2Npw6l0w6kxGjAYBgNVBAsMEVNlcnZpY2UgY29uY2VybsOpMRwwGgYDVQQDDBNOb20gZGUgbGEgU2
9jacOpdMOpMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCO9gw1FphmjKqIi2hgqENzuO0PZJ+e3Ez4agf8z
Z0WaGi8weOrIWDazCFJDADOD+xjnPfmYUevBb/pBieU2sbVvGJ5A1grOaRk/WuZ7g+jVdtqJSF+jzydZRrEZj51bX
Ng5TE1f7qdf1pmuDbu+Szx1kCW1iPQp/l0zNQYCO9oQIDAQABoAAwDQYJKoZIhvcNAQEEBQADgYEAfEY3uIld/p
MlghXTSaKr1dWpcjbQryCmr49JbnVwN5vzP1ZlBmBweE+C4x1DmK3kG9ogFD/iRg+qQflI6CCTGGDii+sYCRFaAw
0zYuL1eI8ciPilgA+NomGYXtXxcZxQO51IfsnUglG/YomLSBZFyhofhCfD0YsU+vjF4gYiNw4=
-----END NEW CERTIFICATE REQUEST-----

1.3 Complete the form

The mail you received contains a dynamic PDF, named easy_ssl_orderform.pdf, that must be filled in. Please note that the red fields are mandatory.

Here is some information regarding certain fields:

- Online Order Number: it is your order number. You can find it either in the received email or on the summary page. The format should be like #000.
- Certificate Type: Choose efile
- Common name: Write Internal Use

The PDF must be signed by two directors or legal representatives of your company. The signing can be done electronically, or manually once the PDF has been printed out.

Once the PDF is signed and printed, it must be sent by post with all the required sheets (the list can be found on the last page) to the address indicated inside.
1.4 Waiting for the certificate

As soon as LuxTrust receives your order form and the payment, they will send you by email a link to download your new certificate. (Generally under 1 to 2 days)

You will then need to follow the second chapter of this manual to retrieve, declare if needed, and at least activate your certificate in e-file.
2 Retrieving the certificate

The certificate will be sent to the email address you provided when ordering.

You will find in this email the certificate with the extension .txt. The reason is that firewalls do not block this kind of file.

Save the file on your computer, anywhere you want, and then rename it to *.cer instead of *.txt.

You can verify that the certificate is valid by double-clicking on it. A window should appear:

You do not have to click on the Install button.

Note: You can use the following link to connect to the easyssl website in order to retrieve all the certificates that you ordered: https://www.easyssl.lu/?page_id=7
3 Declaring your certificate to the CSSF

For some reports, it is mandatory to declare your certificate to the CSSF. As part of a certificate renewal, it is thus necessary to notify the CSSF of such a change before being able to send your reporting again.

Here is the list of the relevant reports:

- TAF, COREP, FINREP
- PSF
- SICAR
- 10/467 Management companies report (SGO)
- 10/457 Bank Report
- 12/530 AGDL Statistics Special enquiries (ESP)
- Payment Institution (EDP)
- Electronic money institution (EME)
- O 1.2 reports
- AIFMD

To help you declare your certificate, we invite you to follow this direct link to our documentation, where you will find a template to be completed and sent to certrep@cssf.lu. It will also need to be sent by post.

https://www.e-file.lu/docs/en/manuutil_efile_cssf_certificate_registration_en.pdf

In case of AIFMD reporting, please refer to the following manual:

https://www.e-file.lu/docs/en/manuutil_efile_cssf_certificate_registration_aif_en.pdf
4 Deploying the keystore

Once the certificate is saved on your computer, you need to activate it, meaning you need to include it in your keystore. Then, this updated keystore will have to be deployed on every e-file workstation.

4.1 Activating the new certificate

!! To be done on the same workstation as the one used to generate the keys !!

Connect to www.e-file.lu with your administrator access (adminxxx).

Follow the Certificate activation link.

Click on 4 Activate.
Fill in the Keystore password field.

Click the Browse button to select the certificate (.cer) you just downloaded from LuxTrust.

Click on Activate.

4.2 Deploying the keystore

The new keystore, containing both the old keys and the new one, must now be deployed on every e-file workstation. In other words, you need to provide all users with the new .ks file to replace the old one.

If you are using the Sending Service for your automatic reportings, don't forget to replace the old keystore with the new one. The default folder is:

\\...\ServiceDeposant\keystores\xxx.ks