D IGITAL CERTIFICATE MAINTENANCE 2 · DIGITAL CERTIFICATE MAINTENANCE INDUSTRY GENERIC MANUAL – V1.0 27/08/2007 2.2.4 RENEWING A DIGITAL CERTIFICATE The certification authority

DIGITAL CERTIFICATE MAINTENANCE

INDUSTRY GENERIC MANUAL – V1.0 27/08/2007 2.2.1

2.2 DIGITAL CERTIFICATE MAINTENANCE Australian Customs Service 5 Constitution Avenue Canberra ACT 2601 Telephone: 1300 558 099 Facsimile: 02 6122 5534 © Commonwealth of Australia 2005 This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process without prior written permission from the Australian Customs Service. Requests and enquiries concerning reproduction rights should be addressed to the Director, Corporate Communication, Australian Customs Service, 5 Constitution Avenue, Canberra, ACT, 2601.



CONTENTS Overview.................................................................................................................... 3

Renewing a digital certificate..................................................................................... 4

Adding a renewed certificate ................................................................................... 19

Adding a New User.................................................................................................. 39

Adding a new Certificate.......................................................................................... 52

Maintaining Administrator and Signing Authority Details......................................... 58

Changing the Signing Authority ........................................................................... 61

Applying or Removing Administrator Privileges ................................................... 63

Related topics.......................................................................................................... 65

Further assistance................................................................................................... 65



OVERVIEW This module details the processes that ICS clients must follow to maintain their registration as electronic communicators with Customs. It covers:

• updating an existing registration (including adding or amending details)

• renewing an expired certificate

• updating details for a new certificate

• adding a new user or a new certificate.

It does not cover the process for initial registration of a digital certificate with Customs. For information on initial registration of a digital certificate, refer to Module 2.0 Electronic Communicator Registration.

Clients are responsible for the accuracy of information they supply to Customs. It is important to ensure the correctness of the information before it is communicated.



RENEWING A DIGITAL CERTIFICATE The certification authority (CA) known as Verisign currently issues the digital certificates used to communicate electronically with Customs, through the Integrated Cargo System (ICS). The Verisign certificates issued for this purpose all have a validity period.

The following table outlines the validity period for each type of certificate.

Once a certificate expires it can no longer be used to communicate electronically with Customs.

Prior to a certificate expiring it should be renewed via the Verisign web site. The renewed certificate should then be added to the to the relevant Client User in Certificate Maintenance in the ICS. Certificate Maintenance in ICS can only be accessed via the Customs Interactive.

Verisign will notify you via email 30 days prior to the expiry date of your certificate. The email will provide instructions on how to renew your certificate. An email will also be sent from the Customs Connect Facility (CCF) 30 days prior to the expiry date.



You can check the validity date on your certificate at any time by simply opening the certificate. The ‘General’ tab shows the Certificate Information including the ‘valid from’ and ‘to’ dates as detailed below.

To renew your digital certificate:

Step 1. Download the renewed certificate as per the instructions in the email from Verisign. You may not be required to undertake an Evidence of Identity (EOI) check to renew your certificate.

Individual, Non-Individual & ABN-DSC Authorised Officer Certificates

Provided your certificate is still valid, you can renew your digital certificate without an identification check for the first and second renewal. After six years, when your third renewal is due, you will be required to enrol for a new certificate and undergo an identification check.



Standard ABN-DSC Certificates Your Authorised Officer approves your renewal upon request.

Step 2. Export the non-repudiation certificate from your browser to your hard drive or to a removable medium prior to using it to access the ICS. Open a browser window.

Your Internet Explorer home page displays.

Step 3. From the Tools menu at the top of the screen choose Internet Options.



The Internet Options dialog box displays.

Step 4. Choose the third tab entitled Content.



The Content dialog box displays.

Step 5. Click on the Certificates button in the centre pane.



The Certificates dialog box displays

At this dialog box you will be shown the certificates that you have downloaded from Verisign to your browser. In the case of Individual, Non Individual or ABN DSC type certificates you must have downloaded BOTH keypairs of the certificate. You will only need to use one of these keys, however if you have not downloaded both the signing and encryption certificates, Customs will be unable to register you properly.

Both of the Certificates will have the same apparent name in this dialogue window. To determine which of the keypairs you need to export you must do the following.

Find the Certificates belonging to the certificate you wish to export. The name in the Issued To field will be the same for both.



Step 6. Double click the mouse on one of the certificates to select it.

The Certificate - General dialog box displays.

Step 7. Choose the second tab marked Details.



The Certificate - Details dialog box displays.

Step 8. Using the scroll bar on the right hand side of the screen scroll down as far as possible.



Step 9. If the words “Digital Signature, Non Repudia… appear in the key usage field, press OK.

Note: if the words Key Encipherment, Data Encryption appear, you must choose the other certificate. Refer back to step 6.



The Certificates dialog box redisplays.

Step 10. Highlight the correct certificate and click on the button marked Export.



The Certificate Export Wizard dialog box displays.

Step 11. Click Next to continue.



Step 12. Select the Yes radio button, and click Next.

Step 13. Complete the dialogue box as shown above, and click Next.

Note: if the certificate being exported is from a shared PC and is not going to be used on this PC, select the Delete the private key if the export is successful checkbox. This will remove the private key from the machine and prevent its use by persons other than the certificate owner.



Step 14. Enter your password and click Next.



Step 15. Choose a name for the file you are exporting, and browse to the location where you want it to be saved, then click Next.

Step 16. The File Name will show you where your certificate will be saved and what it will be called. Click Finish.



The Exporting your private exchange key! screen displays.

Step 17. Click OK.

Note: if you are using Windows, any certificates that you have downloaded using Internet Explorer will be available for use via the Windows Certificate API store (CAPI). The CSI is capable of seeing the contents of the CAPI and using them to sign or encrypt documents.

Once you have exported your certificate it will need to be added it to your User record in Certificate Maintenance. You can only add a certificate to your own User record. The Certificate Administrator for your organisation can add certificates to all users and does not need to know the users’ passwords.

The Certificate Administrator can also add a Type 3- Device certificate. The email notifying the User that the certificate has been added would be sent to the Certificate Administrator.



ADDING A RENEWED CERTIFICATE

Initial digital certificates issued by VeriSign need to be added to the ICS by a Signing Authority or an Administrator. If you have renewed your certificate with VeriSign before your current certificate has expired, you will be able to add the renewed certificate yourself.

Before commencing this process, all renewed certificates must be added to the CSI Store. For details on adding your certificate to the CSI Store, refer to Module 2.0 – Electronic Communicator Registration.

The process outlined below applies to the following types of certificates:

• Type 1 - grade 2 individual certificates For users who are operating as an individual, who do not have an ABN or work for an ABN organisation, where the digital certificate identifies and authenticates them personally.

• Type 2 - grade 2 non-individual certificates For organisations without an Australian Business Number (ABN), where the digital certificate identifies the organisation and the individual.

• Type ABN-DSC grade 2 certificates For organisations with an ABN (including sole traders and government agencies).



Step 1. Access the following URL https://www.ccf.customs.gov.au

The Customs Interactive screen displays.

Step 2. From the side menu, click on the ‘Login’ option.

The Customs Interactive Login page displays.

Step 3. Click on the ‘Login’ button in the white section of the page.



The ‘CSI signing terms and conditions confirmation’ window displays.

Step 4. Click Sign to accept the terms & conditions (i.e. Sign this transaction).

At this stage, you are using your current, unexpired certificate.



You should have stored your digital certificate in the CSI store. You will be able to see the Password required to sign for authentication window.

Step 5. Enter your password and click OK.

The Customs Interactive Menu displays.

Step 6. Click on the User/Certificate Maintenance hyperlink to enable user to add a new certificate.



The User/Certificate Maintenance page displays.

Step 7. Click on the Login to User/Certificate Maintenance button, on the white part of the screen.

The Signing terms and conditions screen displays.

Step 8. Click the Sign button.







The User/Certificate Maintenance screen displays.

Step 10. Click on the user’s certificate. This will be the certificate with the user’s name listed. (CiTest4 in the above screenshot)

The white part of the screen populates with the certificate holders details, and the Add Certificate button displays.



Step 11. Click on the Add Certificate button.

The CSI Signing terms and conditions screen displays.

Step 12. Click on the Certificate Button.

The Certificate Selection window displays.



Step 13. Highlight the new certificate to be added. This is your renewed certificate that you have already added to the CSI store.

Step 14. Click on the ‘Select’ button.

The Certificate Selection window disappears, and the CSI Signing terms and conditions window redisplays.

Step 15. Click on Sign.



Note: This is the password for your renewed certificate.



The new certificate details display in the resulting screen.

Step 17. Click the ‘Proceed’ button.

A new certificate has been added to the client.



Step 18. Click Return to User/Certificate Maintenance to view the certificate added to the user.


Step 19. To view the certificates attached to the client, click the (+) sign.



The users’ certificates are displayed as hyperlinks.

Step 20. To view the certificate details, click on the applicable certificate hyperlink.



The certificate details will display.

You have now successfully added a renewed digital certificate.



ADDING A TYPE 3 DEVICE CERTIFICATE

Note: Only a Certificate Administrator can add a Type 3 device certificate.


The Customs Interactive Menu screen displays.

Step 2. Click on the User/Certificate Maintenance menu option to add a new certificate.

The User/ Certificate Maintenance screen displays.

Step 3. Click the Login to User/Certificate Maintenance button to login to user /certificate maintenance screen.



The CSI Signing terms and Conditions Confirmation window displays.

Step 4. Click Sign to sing this transaction, and thereby accept the terms and conditions to continue with the login.

The Password required to sign for authentication window displays.





Step 6. Click on the User hyperlink (eg Gary.Gtest).

The Add Certificate command button displays.

Step 7. Click on the Add Certificate button to add a certificate for the selected user.



The User/Certificate Maintenance screen redisplays with additional information.

Step 8. Click on the browse button.



The Choose File window displays.

Step 9. Navigate to the certificate you want to add and click on Open. A Type 3 certificate only has one key so there is no need to check whether it is the Non-Repudiation digital certificate.



The New certificate details screen displays.

Step 10. Check that the certificate details are correct, then click on the Proceed button.

The User/Certificate Maintenance screen redisplays to show that a new certificate has been added to the Device User.

The email to advise that a Type 3 Device certificate has been added will be sent to the person nominated as the CTA (Click Through Agreement) Signing Authority.



Step 11. Click the Return to User/Certificate Maintenance button to view the certificate added to the client.



ADDING A NEW USER Users with the role of signing authority or administrator have the ability to add new users. The person who self-registers the company is given the role of Signing Authority by default.

To add a new user, you will first need the public signing key of that user. Ensure that you have this before commencing.

Step 1. Access the following URL: https://www.ccf.customs.gov.au

The Customs Interactive screen displays.

Click on Login from the menu bar on the left of the screen.



Step 2. In the resulting screen, click on the Login button.

The ‘CSI Signing terms and Conditions Confirmation’ dialogue box displays.



Step 3. Click ‘Sign’ to accept the terms & conditions.

(i.e. Sign this transaction)



The Password required to sign for authentication dialogue box will display.





Step 5. Click on the User/Certificate Maintenance hyperlink on the left side of the screen.



The User/ Certificate Maintenance screen displays.

Step 6. Click Login to User/Certificate Maintenance button in the white part of the page.

The ‘CSI Signing terms and conditions confirmation’ dialogue box displays



Step 7. Click ‘Sign’ to accept the terms & conditions.

The Password required to sign for authentication dialogue box will display.





Step 9. Click on the ‘Client Name’ or ‘Number’ hyperlink (GangesGames in the below screenshot).



The ‘Add new user’ command button displays.

Step 10. Click on the ‘Add new user’ button to add a certificate for the selected user.



You will be prompted to locate the user’s public signing key.

Step 11. Click on the ‘Browse’ button.



Step 12. Navigate to the directory containing the certificate file to be registered.

Select the digital certificate you want to add. It should be the signing public key, which has a file extension of .cer.

In the example above, the file named GaryGtest_signing_public.cer would be the certificate to be added.

Double click on this certificate, and it will be populated in the Add New User section of the User/Certificate Maintenance screen in the ‘PATH’ field.



The New Certificate details screen displays.

The User / Certificate Maintenance screen updates.

Step 13. Click on the Proceed button.



The resulting screen informs that the new user will receive an email notifying them of login access.

Step 14. To update the screen to display the newly created user, click on the Refresh List hyperlink.

Step 15. Click on the Return to User/Certificate Maintenance button to add new users.

Alternatively, click on Customs Interactive from the side menu to return to the Customs Interactive.



ADDING A NEW CERTIFICATE Step 1. Access the following URL https://www.ccf.customs.gov.au




Step 3. Click the Login to User/Certificate Maintenance button.



The CSI Signing terms and Conditions Confirmation window displays.

Step 4. Click Sign to sign the transaction.

You should have stored digital certificate in the CSI Store. The Password required to sign for authentication window displays.





Step 6. Click on the user hyperlink (eg GangesGames)

The User/Certificate Maintenance screen redisplays with the Add Certificate command button.

Step 7. Click on the Add Certificate button to add a certificate for the selected user.



The User/Certificate Maintenance screen redisplays with additional information.

Step 8. Click on the Browse button.

The Choose File window displays.



Step 9. Select the digital certificate you want to add to the User. It should be a Non Repudiation digital certificate. You can check this by opening the file, selecting the ‘Details’ tab and scrolling down to the ‘Key Usage’ field. The one you require should say ‘Digital Signature, Non-Repudiation’.

Once you have found the correct digital certificate click on the Open button.

The New Certificate Details window displays.

Step 10. If all details are correct, click Proceed.



The Add certificate screen displays and indicates the certificate has been successfully added.

An email is sent to the user, notifying them the certificate has been added.



MAINTAINING ADMINISTRATOR AND SIGNING AUTHORITY DETAILS The signing authority for an organisation has the ability to make registered client users within their organisation administrators. The signing authority for the organisation can also be changed.







Step 3. Click the Login to User/Certificate Maintenance button to login to the User/Certificate Maintenance section.

The CSI Signing terms and Conditions Confirmation field displays.

Step 4. Click Sign to sign the transaction, and thereby accept the terms and conditions to continue with the login.

You should have stored your digital certificate in the CSI Store. The Password required to sign for authentication window displays.





Step 6. Click on the Client Name hyperlink (eg GangesGames)

The User/Certificate Maintenance screen redisplays.



CHANGING THE SIGNING AUTHORITY

If staff are promoted or leave your organisation, you may need to change your company Signing Authority.

Step 1. Click on the client name hyperlink.

The User/Certificate Maintenance screen redisplays.

Step 2. In the Signing Authority field, click on the drop down button and select the user to become the new Signing Authority. Then click on the Save Changes button.



A confirmation box displays.

Step 3. Click on the OK button to confirm changes.

The changes will be saved. The old Signing Authority will have to log out of the CCF before the changes will take effect.

Note: The old Signing Authority will have to log out of the CCF before the changes will take effect.

Note: to exit this screen without saving changes, click Cancel. The current signing authority will remain as the administrator.



APPLYING OR REMOVING ADMINISTRATOR PRIVILEGES

Step 1.. In the client name list, click on the name of the user to have administrator privileges added or removed.

The User/Certificate Maintenance screen redisplays with the user’s details.

The Administrator check box indicates if the user has administrator privileges.

Step 2. To add administrator privileges click the Administrator check box.

Step 3. Click on the Save Changes button to save changes.



A confirmation box displays.

Step 4. To save the changes, click OK.



RELATED TOPICS For more information on initial registration of certificates, refer to Module 2.0.

For more information on Client Registration, refer to Module 2.1.

For more information on Client Maintenance, refer to Module 3.2.

For more information on navigating in the ICS Environment, refer to Module 1.

FURTHER ASSISTANCE The quick reference guide Supplementing and Amending ICS Client Register Details is available from www.customs.gov.au

For technical support email [email protected] or phone 1300 558 099.

Documents

D IGITAL CERTIFICATE MAINTENANCE 2 · DIGITAL CERTIFICATE MAINTENANCE INDUSTRY GENERIC MANUAL – V1.0 27/08/2007 2.2.4 RENEWING A DIGITAL CERTIFICATE The certification authority