Remote Certification System 2.0 User Manual Security Department, Cryptography Division Warsaw, 2016


Page 1: Remote Certification System 2.0 User Manualdocert.nbp.pl/.../certyfikaty_instrukcja_en/SZOC_2_EN.pdf · 2018. 4. 20. · 2 Remote Certification System – User Manual Introduction

Remote Certification System 2.0

User Manual

Security Department, Cryptography Division

Warsaw, 2016


Remote Certification System – User Manual

Contents

Introduction

1. Generating DOCert system certificate with the use of one-time code

2. Remote recertification in DOCert system on smartcard.

3. Remote recertification in DOCert system in pfx file

4. Cryptographic keys and certificate installation in the Internet Explorer web browser

4.1 NBP CCK 2 certificate installation

4.2 User’s cryptographic keys and certificate installation

5. Cryptographic keys and certificate installation in the Firefox web browser

5.1 NBP CCK 2 certificate installation

5.2 User’s cryptographic keys and certificate installation

6. Changing the password protecting the key and certificate pfx file


Introduction

DOCert is an IT system for issuing and distributing central electronic certificates used in the NBP IT systems.

Remote Certification System (SZOC 2.0), which is available at www.docert.nbp.pl, is part of the DOCert system. It enables users to generate and renew certificates on users’ workstations without the need to visit NBP. The current version of "SZOC" is built on Java Web Start technology and is available to users through the kontrolka_u.jnlp application (or kontrolka_t.jnlp for test certificates), which runs on the user's local workstation after being downloaded from the DOCert website. You need to have the Java Virtual Machine (JVM) installed in version 1.8 or higher to run the "SZOC" application.

Certificates may be generated in two ways:

1. Based on a one-time code received from NBP, in which case the User does not need any certificate issued in the DOCert system. Note: this functionality is available only in selected IT systems.

2. Based on the User’s certificate of the DOCert system – in this case the User needs to have a PFX file containing cryptographic keys and the certificate. In addition, the certificate has to be valid and may not have been revoked.

NOTE: For the NBP IT systems to function correctly, the CA certificate NBP CCK 2 must be installed on the User’s workstation. It should be added to the “Trusted Root Certification Authorities” in the Internet Explorer web browser or to “Certification authorities” in the Firefox web browser. The certificate can be downloaded from the following address:

NBP CCK 2 - http://www.docert.nbp.pl/certyfikaty/pliki/NBPcck2.crt

When generating test certificates, the activities described in the manual should be performed in the tab “Test certificates”. The NBP CCK 2 certificate should be replaced with NBP CCK TEST 2, which is available at the following address:

NBP CCK TEST 2 - http://www.docert.nbp.pl/certyfikaty/pliki/ccknbp_test_2014.crt


1. Generating DOCert system certificate with the use of one-time code

1. The user enters the web site address www.docert.nbp.pl and chooses the “Certificates” (or “Test certificates”) option from the left-hand side menu bar.


2. On the displayed page, click the "Download SZOC 2.0" button to download the file kontrolka_u.jnlp (or kontrolka_t.jnlp for test certification).

3. Before generating the first certificate, the User is asked to run the “Kontrolka Recertyfikacyjna” Java application located on the displayed sub-site.

4. The User chooses the English version of the SZOC application.


5. The User chooses the “One-time code” option.


6. If the NBP certification authority’s (NBP CCK 2) certificate is not installed on the workstation, a warning will be displayed asking to install the certificate of this certification authority. You should click the “Yes” button.

7. Then, the User selects the location where the file containing the generated keys and certificate will be saved. To do this, the User chooses the “Browse” option and specifies the location and name of the file where the keys and certificate are to be saved.


8. If the path and file name in the window “Select a location the PKCS#12 file will be saved in” are correct, the selection should be accepted by clicking “OK”.

9. After specifying the location and name of the key and certificate file, the User sets up the password protecting this file and confirms the password by clicking “OK”.


10. Then, the User is asked to enter the one-time code. Once the code is entered and the “OK” button clicked, the procedure is completed.


2. Remote recertification in DOCert system on smartcard.

1. The user enters the web site address www.docert.nbp.pl and chooses the “Certificates” option from the left-hand side menu bar.

2. In the next step, the User clicks the “Download SZOC 2.0” button.


3. Before the first recertification, the User is asked to run “Kontrolka Recertyfikacyjna” Java application located on the displayed sub-site.


4. The User chooses the English version of SZOC application.

5. In order to renew the certificate for the web browser, the User clicks the “Smartcard” button.

6. In the next step, the User enters the password that protects this smartcard.


3. Remote recertification in DOCert system in pfx file

1. The user enters the web site address www.docert.nbp.pl and chooses the “Certificates” option from the left-hand side menu bar.

2. On the displayed page, click "Download SZOC 2.0" button to download the file kontrolka_u.jnlp.


3. Before the first recertification, the User is asked to run “Kontrolka Recertyfikacyjna” Java application located on the displayed sub-site.


4. The User chooses the English version of SZOC application.

5. In order to renew the certificate for the web browser, the User clicks the “SSL certificate” button.


6. If the NBP certification authority’s (NBP CCK 2) certificate is not installed on the workstation, a warning will be displayed asking to install the certificate of this certification authority. You should click the “Yes” button.

7. The User is asked to select the file containing the present private key and certificate.


8. If the file in the window “Select in the location of your actual PKCS#12 file” is correct, it should be accepted by clicking the “OK” button.


9. After selecting the file, the User enters the password that protects this file. The same password will be used to protect the file containing the new private key and certificate.

10. Then, the User is asked to select the location and name of the file in which the new key and certificate will be saved.


11. If the data entered are correct, the User confirms the data by clicking “OK”, thus ending the recertification procedure.


4. Cryptographic keys and certificate installation in the Internet Explorer web browser

4.1 NBP CCK 2 certificate installation

1. To install NBP CCK 2 certificate of the certification authority in the Internet Explorer web browser you should open www.docert.nbp.pl website and select the certificates of the Key Certification Centre of NBP from the table at the bottom.

2. After choosing the first certificate a window containing the question “Do you want to open or save file from the docert.nbp.pl site?” will be displayed at the bottom. The “Open” option should be chosen.


3. After the NBP CCK 2 certificate is displayed, the User clicks the “Install Certificate” button. This starts the “Certificate import wizard”. On the next screen, the User clicks the “Next” button.


4. In order to complete the installation of the keys and certificate, the store where they are to be saved should be specified – the User selects the option “Place all certificates in the following store”, clicks the “Browse” button and selects “Trusted Root Certification Authorities” store.


5. On the next screen, the User clicks the “Next” button and then the “Finish” button.

6. If the “Security Warning” screen is displayed – the User confirms the installation of the NBP CCK 2 certificate by clicking the “Yes” button.
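
The CA certificate is downloaded over plain HTTP and then placed in the trusted root store, so it is worth comparing its fingerprint against a known value before step 4. The PowerShell script below is an added example, not part of the NBP manual; it assumes the built-in Windows PKI module, a local copy of NBPcck2.crt, and a SHA-256 fingerprint obtained from NBP through a separate channel (the manual does not list one).

```powershell
# Added example (not from the manual). Assumptions: Windows PowerShell 5.1 with the
# built-in PKI module; $ExpectedSha256 is a fingerprint obtained from NBP out of band.
param(
    [string] $CrtPath = '.\NBPcck2.crt',
    [Parameter(Mandatory)] [string] $ExpectedSha256
)
$ErrorActionPreference = 'Stop'

# Parse the downloaded file without installing anything.
$fullPath = (Resolve-Path $CrtPath).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($fullPath)

# Hash the DER encoding of the certificate, so PEM and DER files give the same value.
$sha256   = [System.Security.Cryptography.SHA256]::Create()
$actual   = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
$expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# Show what is about to be trusted.
$cert | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint

if ($actual -ne $expected) {
    throw "Fingerprint mismatch: file has $actual"
}
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw 'Certificate is outside its validity period.'
}

# Same store as step 4. Windows shows the "Security Warning" prompt from step 6,
# so this must run in an interactive session.
Import-Certificate -FilePath $fullPath -CertStoreLocation Cert:\CurrentUser\Root | Out-Null

# Confirm the certificate is now present in the store.
Get-ChildItem Cert:\CurrentUser\Root |
    Where-Object Thumbprint -eq $cert.Thumbprint |
    Format-List Subject, Thumbprint, NotAfter
```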

4.2 User’s cryptographic keys and certificate installation

1. In order to install the keys and certificate saved in PFX file, the User clicks the right mouse button on the pfx file and chooses the “Install PFX” option from the menu starting the “Certificate Import Wizard”.


2. On the next screen, the User checks whether the box “File name” contains the selected file, and, if it does, confirms the choice by clicking the “Next” button.

3. Then, the User types in the password protecting the key and certificate file (set up while generating the certificate) and confirms it by clicking “Next”.

NOTE: It should be considered carefully whether to choose the “mark this key as exportable” option. Marking it creates a risk in a situation when unauthorised persons have access to the workstation (such persons may export the key and transfer it to a different workstation). On the other hand, not marking this option means that should the PFX file be lost, it will be impossible to make a remote renewal of the certificate.


4. In order to complete the installation of the keys and certificate, the store where they are to be saved should be specified – the User selects the option “Automatically select the certificate store based on the type of certificate” and confirms the choice by clicking “Next”.

5. The final screen summarizes the data gathered during the installation process - if all the data are correct, they should be accepted by clicking “Finish”.


5. Cryptographic keys and certificate installation in the Firefox web browser

5.1 NBP CCK 2 certificate installation

1. To install NBP CCK 2 certificate of the certification authority in the Firefox web browser you should open www.docert.nbp.pl website and select the certificates of the Key Certification Centre of NBP from the table at the bottom.

2. After choosing the first certificate you should mark the option “Trust this CA to identify websites” and then click “OK”.


3. Next you should choose the second certificate and also mark “Trust this CA to identify websites”.

4. As the web browser does not confirm that the certificate of the CA has been installed, you should manually check whether the certificate has been added. To do this, you should choose “Open menu” in the upper corner and then choose “Options”.

5. In “Options” you should choose the tab “Advanced” and next “Certificates” and click “View certificates”.


6. In the next window, choose tab “Authorities” and find Narodowy Bank Polski on the list. There should be one certificate on the list - NBP CCK 2.

5.2 User’s cryptographic keys and certificate installation

1. To install keys and user certificate in pfx format in Firefox web browser, open the web browser and choose “Open menu” in the upper corner and then choose “Options”.


2. In “Options” choose the tab “Advanced” and next “Certificates” and click “View certificates”.

3. In the “Your certificates” tab choose “Import” and indicate pfx file containing cryptographic keys and user certificate.


4. Then enter the password that protects the pfx file. After entering it the import will be completed and user certificate will be shown on the list.


5. After entering the password and confirming it by clicking “OK”, the message confirming installation of the keys and certificate in the web browser will be displayed.

6. The installed certificate is visible in the tab “Your Certificates”. Additional information contained in the certificate may be obtained after clicking “View”.


6. Changing the password protecting the key and certificate pfx file

1. In order to change the password protecting the key and certificate file, the User imports the keys and certificate by clicking the right mouse button on pfx file and starting the import wizard by choosing the “Install PFX” option.

2. Click “Next”.


3. Click “Next”.

4. Enter the password and tick the “Mark this key as exportable” checkbox.


5. In order to complete the installation of the keys and certificate, the store where they are to be saved should be specified – the User selects the option “Automatically select the certificate store based on the type of certificate” and confirms the choice by clicking “Next”, and then clicks “Finish” on the final window.

6. The final window summarizes the data gathered in the installation process – if all the data are correct they should be accepted by clicking “Finish”.


7. After successful installation of the certificate in the browser, the certificate should be exported to the file. To do this, the User starts the Internet Explorer web browser and selects “Tools” and then “Internet Option” from the menu.

8. In the displayed window, the User selects the “Content” tab and clicks the “Certificates” button.


9. After selecting the appropriate certificate from the list, the User selects the “Export” option.

10. Then the “Certificate Export Wizard” is started.


11. The option “Yes, export the private key” should be selected and the choice confirmed by clicking the “Next” button.

12. In the next step, the “Delete the private key if the export is successful” checkbox should be checked.


13. After clicking “Next”, the User is asked to set up the password protecting the new key and certificate file.

14. After setting up the new password, the User specifies the name and location of the file where the keys and certificate will be saved. The path with the name of the file may be typed manually or selected by clicking “Browse”.


15. After specifying the name of the file where the keys and certificate will be saved, the summary of the options selected during the export is displayed to the User. The user confirms correctness of the data by clicking the “Finish” button completing the wizard.
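
The import, export and delete sequence of this section can also be scripted, which keeps the exportable key in the certificate store only for the duration of the run. The PowerShell script below is an added example, not part of the NBP manual; it assumes the built-in Windows PKI module, and the parameter names `OldPfx` and `NewPfx` are illustrative.

```powershell
# Added example (not from the manual). Assumptions: Windows PowerShell 5.1 with the
# built-in PKI module; -OldPfx and -NewPfx are paths chosen by the operator.
param(
    [Parameter(Mandatory)] [string] $OldPfx,
    [Parameter(Mandatory)] [string] $NewPfx
)
$ErrorActionPreference = 'Stop'
$store = 'Cert:\CurrentUser\My'

$oldPwd = Read-Host 'Current PFX password' -AsSecureString
$newPwd = Read-Host 'New PFX password' -AsSecureString

# Read the PFX without touching any store, to learn the certificate's thumbprint.
$thumb = (Get-PfxData -FilePath $OldPfx -Password $oldPwd).EndEntityCertificates[0].Thumbprint

# Refuse to run if the certificate is already installed: the cleanup below would
# otherwise delete a key the user still relies on.
if (Test-Path "$store\$thumb") {
    throw "Certificate $thumb is already in $store; run this where it is not installed."
}
if (Test-Path $NewPfx) { throw "$NewPfx already exists." }

try {
    # Steps 1-6: import with the private key marked as exportable.
    $cert = Import-PfxCertificate -FilePath $OldPfx -CertStoreLocation $store `
                -Password $oldPwd -Exportable |
            Where-Object HasPrivateKey | Select-Object -First 1

    # Steps 7-15: export key and certificate under the new password.
    Export-PfxCertificate -Cert $cert -FilePath $NewPfx -Password $newPwd | Out-Null

    # Check that the new file opens with the new password and holds the same certificate.
    $check = Get-PfxData -FilePath $NewPfx -Password $newPwd
    if ($check.EndEntityCertificates[0].Thumbprint -ne $thumb) {
        throw 'Exported PFX does not contain the original certificate.'
    }
}
finally {
    # Step 12 ("Delete the private key if the export is successful"), applied on
    # failure as well, so no exportable copy of the key stays in the store.
    if (Test-Path "$store\$thumb") { Remove-Item "$store\$thumb" -DeleteKey }
}
```

The original PFX file is left untouched; remove it once the new file has been confirmed to work.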