Access to RTE's Information System by software certificates under Microsoft Windows 7


PKI User guide
Version 4, 01/01/2017
Programmes & SI (PSI), TOUR MARCHAND, 41 RUE BERTHELOT, COURBEVOIE CEDEX

SUMMARY

A. Foreword
  1. Introduction
    Purpose of the document
    Context
    Warning regarding security practices
    The actors
      The client
      Registration Authority (RA)
      RTE Historical Certification Authority (CA)
      RTE Root Certification Authority (CA)
      RTE Client Certification Authority (CA)
B. Certificates management procedures
  2. Certificates management process
    Foreword
    Software certificate request
      Preliminary steps
      General diagram
    Certificates renewal
    Certificates revocation
      Case of revocation
      Revocation request
C. Workstation configuration
  Installation and configuration of the workstation
    Network configuration
      General configuration
      Specificity of the VPN access
    Software configuration
D. Web access to the RTE Information System
  Microsoft Internet Explorer
    Preliminary configuration
      Configuration of the security settings
      Adding trusted sites
    Installing RTE's CAs certificates
      Download and install
      Visualization and verification of RTE's CA certificates
    Installing your personal certificate
      Authentication on the retrieval interface
      Downloading your certificate
      Installation of your personal certificate
      Visualization and verification of your software certificate
    Using your certificate
      Authentication and encryption
      Example of access to an RTE web application
    Additional operations
      Export of your personal certificate
      Deleting your personal certificate
    Connecting to the SSL VPN
      Foreword
      Prerequisite
      First connection
      Using the SSL VPN
  Mozilla Firefox
    Preliminary configuration
    Installing RTE's CAs certificates
      Download and install
      Visualization and verification of RTE CAs certificates
    Installing your personal certificate
      Authentication on the retrieval interface
      Download of your certificate
      Installation of your personal certificate
      Visualization and verification of your software certificate
    Using your certificate
      Authentication and encryption
      Example of access to an RTE web application
    Additional operations
      Defining the master password for personal security
      Export of your personal certificate
      Deleting your personal certificate
    Connecting to the SSL VPN
      Foreword
      Prerequisite
      First connection
      Using the SSL VPN
E. E-mail exchanges with RTE's Information System
  Using your certificate to exchange e-mails
    Certificate usage principle
    Decryption and signature verification of a received message
    Encryption and signing of a sent message
    Steps to configure your e-mail client
  Microsoft Outlook
    Installing RTE Historical CA certificate
    Installing RTE Root CA certificate
    Installing RTE Client CA certificate
    Installing your personal certificate
    E-mail account configuration
    Installing RTE's application certificate
    Using the certificate: sending a signed-encrypted e-mail
  Mozilla Thunderbird
    Installing certificates of the 3 RTE's CAs
      RTE Historical Certification Authority
      RTE Root Certification Authority
      RTE Client Certification Authority
      Visualization of RTE CAs certificates
    Installing your personal certificate
    E-mail account configuration
    Installing RTE's application certificate
    Using the certificate: sending a signed-encrypted e-mail
    Defining the master password for personal security
  Lotus Notes
    How to know which CA signed your personal certificate
      Using Mozilla Firefox
      Using Internet Explorer
    Installation on Lotus Notes
  Lotus Notes
    Installing RTE Historical CA certificate
    Installing your personal certificate
      Creation of a PKCS#12 file readable by Notes
      Installing the PKCS#12 file in Notes
      Visualization of the certificate
    E-mail account configuration
    Installing RTE's application certificate
    Using the certificate: sending a signed-encrypted e-mail
  Lotus Notes
    Installing RTE's applications certificates
    Installing RTE CA's certificates
      Installing RTE Historical CA's certificate
      Installing RTE Root and RTE Client CAs certificates
    Installing your personal certificate signed by RTE Historical CA
      Creation of a PKCS#12 file readable by Notes
      Installing the PKCS#12 file in Notes
      Visualization of the certificate
    Installing your personal certificate signed by the new PKI of RTE
      Creation of a PKCS#12 file readable by Notes
      Installing the PKCS#12 file in Notes
      Visualization of the certificate
    E-mail account configuration
    Installing RTE's application certificate
    Using the certificate: sending a signed-encrypted e-mail
F. Appendixes
  Secure environment (PKI)
    Concepts and objects managed by a PKI
      What is a secure process?
      The importance of dual-keys
      The usage of keys to sign a message
      Certificates
    Documentation
  Glossary
  Incidents management and support
    Support
    Frequently Asked Questions (FAQ)
    Error codes returned by

A. FOREWORD

1. Introduction

1.1 Purpose of the document

This document is intended for the end user who wants to access RTE's Information System by using software certificates under Microsoft Windows 7.

This document allows the holder to:
- Understand the context and principles of a secure environment (authentication, confidentiality, integrity and non-repudiation) and the general operation of a Public Key management Infrastructure (PKI).
- Learn how to install and use his software certificates in the following environments:
  o Microsoft Windows 7.
  o Browsers: Internet Explorer and Mozilla Firefox for secure accesses via the HTTPS protocol.
  o E-mail clients: Microsoft Outlook, IBM Lotus Notes, and Mozilla Thunderbird for secure exchanges in S/MIME format (a standard for cryptography and digital signatures concerning e-mails encapsulated in MIME format).

NOTE
Throughout this document, the word "you" is the user of the certificate.

1.2 Context

Under the law of February 10, 2000 ( ) and the implementing decree of 16 July 2001, the operator of the public transport network has an obligation to preserve the confidentiality of economic, commercial, industrial, financial or technical information whose disclosure would be likely to undermine the rules of free and fair competition and non-discrimination required by law.

1.3 Warning regarding security practices

Each software certificate holder has his own private key. The certificate and its associated private key are both generated by RTE and made available for download by the holder as a password-protected file (PKCS#12 file, extension ".p12").

Each software certificate holder shall then take all necessary precautions to prevent:
- the violation of his private key,
- the loss of his private key,
- the disclosure of his private key,
- the alteration of his certificate,
- the misuse of his certificate.

Each software private key and its associated certificate have to be stored on hard disk and protected by a password known only by the certificate holder.

The 3 Certification Authorities (CA) of RTE (see 1.4.3, 1.4.4, 1.4.5) take no responsibility for disputes related to misuse of private keys.

1.4 The actors

The life cycle management of a certificate is based on three entities:
- the client (i.e. your company),
- the Registration Authority (RA),
- the 3 Certification Authorities (CA):
  1. RTE Historical CA
  2. RTE Root CA
  3. RTE Client CA

NOTE
To understand, one can draw a parallel with the allocation of official credentials: the citizen applying for a credential is the Client, the town is the Registration Authority and the prefecture is the Certification Authority.

The client
The client issues certificate requests for holders. It may also issue requests for revocation of the certificates (see Section B: Certificates management procedures).

Registration Authority (RA)
The Registration Authority (RTE's manager of customer relations and the Operator) collects the certificate requests, affixes a date of validity for certificates and verifies the identity of their holders.

RTE Historical Certification Authority (CA)
The Historical Certification Authority (RTE) is responsible and liable for certificates signed in its name and for the operation of the old PKI.
RTE Historical certification authority is called (CN: common name, O: Organization):
CN = RTE Certification Authority, O = RESEAU DE TRANSPORT D'ELECTRICITE

RTE Root Certification Authority (CA)
The Root Certification Authority (RTE) is responsible and liable for certificates signed in its name and for the operation of the new PKI. It sets policy for the management and use of certificates.
RTE Root certification authority is called (CN: common name, O: Organization):
CN = RTE Root Certification Authority, O = RESEAU DE TRANSPORT D'ELECTRICITE

RTE Client Certification Authority (CA)
The Client Certification Authority (RTE) is responsible and liable for certificates signed in its name and for the operation of the new PKI.
RTE Client certification authority is called (CN: common name, O: Organization):
CN = RTE Client Certification Authority, O = RESEAU DE TRANSPORT D'ELECTRICITE

B. CERTIFICATES MANAGEMENT PROCEDURES

2. Certificates management process

2.1 Foreword

The main processes used to manage all the digital certificates issued to holders are:
- obtaining a certificate,
- the renewal of a certificate (replacement by a new certificate for a new validity period and a new key pair),
- the revocation of a certificate (end of certificate validity).

2.2 Software certificate request

Preliminary steps

Beforehand, the following steps must be performed.

The company representative issues an access request:
The company representative must have completed and signed the request forms "access to RTE IS services and applications" sent by his Customer Relations Manager, and then sent them back to him. In these forms, the company representative specifies in particular:
  o a Contact who will receive all information necessary to retrieve the certificate (see 2.2.2),
  o a Certificate ,
  o a Chosen password, necessary for the retrieval of the certificate by the holder.

We have registered your request:
Following receipt of the forms, we have created your account(s) to access the applications.

General diagram

After the access request has been saved and validated by us (within 5 working days), a notification is sent to the address "Contact " entered in the access request form (see 2.2.1).

This e-mail is entitled "Access to RTE's IS services" and contains:
- a summary of the certificate's retrieval procedure,
- the "Certificate " and "Retrieval Code" requested by the website while retrieving your certificate,
- the "Password" protecting the PKCS#12 file (".p12" extension) that you download when you retrieve your certificate. Please remember that this password is different from the password used to retrieve the certificate.

In case of loss or non-receipt of this message, contact RTE's Hotline (see 14.1).

Exchange scenarios

The holder has to connect from his workstation to the certificate retrieval website and download his private key and the associated certificate to his workstation in the form of the PKCS#12 file (extension ".p12").

2.3 Certificates renewal

The lifespan of the certificates is limited to 3 years, to ensure a high level of security.

Forty days before the expiration date of a certificate, an electronic message is sent to the Contact to inform the holder of the forthcoming expiry of his software certificate.

If changes must be made to the holder's information, the company representative contacts the person responsible for customer relations at RTE to inform him of the changes. Otherwise, an e-mail is sent to the contact with the information necessary for the retrieval of his new certificate.

2.4 Certificates revocation

Case of revocation

The company representative must issue a revocation request when any of the following occurs:
- change of the holder,
- loss, theft, compromise or suspected compromise (possible, probable or certain) of his private key or associated certificate,
- death or cessation of business of the certificate holder,
- loss of the activation data, defective or lost support.

Revocation request

To revoke a certificate, the company representative should call RTE's Hotline (see 14.1).

When the certificate is revoked, an e-mail is sent to the Contact to notify the holder of the revocation of his certificate.

C. WORKSTATION CONFIGURATION

3. Installation and configuration of the workstation

All operations of this chapter are to be performed only once by a computer specialist with Administrator privileges on your workstation, upon receipt of your "PKI Access Kit". Also note that only a few chapters of this manual concern you: the chapters corresponding to the software you use. All operations are done under the Windows session of the certificate holder.

3.1 Network configuration

General configuration

Web browser access uses, in a way that is transparent to the user, a software certificate authentication system for access to the RTE portal and encryption of data exchanged via the Internet (HTTPS protocol).

Mail exchanges between RTE and the user are routed over the Internet (SMTP protocol, S/MIME format).

IMPORTANT NOTE
Messaging and antivirus gateways, firewalls and content analyzers should be configured not to alter or reject messages that are encrypted and signed with S/MIME (application/x-pkcs7-mime, .p7s, .p7m) and not to prohibit the flow of HTTPS data (port 443). The network administrator may be requested to perform these operations.

Specificity of the VPN access

The VPN allows you to establish, from your workstation, a secure connection (based on authentication to a dedicated site) to RTE's IS via the Internet.

Access to the SSL VPN requires that your workstation can resolve the address secure.iservices.rte-france.com. To check that you can resolve the address, open a web browser and go to the URL
The following web page must appear:

In addition to this test, you need to install on your workstation the PSIS module (Pulse Secure Installation Service) available on the RTE customer site. Refer to the section concerning the browser you are using for more details:
- if you are using Internet Explorer
- if you are using Mozilla Firefox.

3.2 Software configuration

The software configuration required for your workstation is as follows:

Operating systems:
- Microsoft Windows 7 32 bit without SP or with SP1
- Microsoft Windows 7 64 bit without SP or with SP1

Web browser, either:
- Microsoft Internet Explorer 11
- Mozilla Firefox > 45 ESR

E-mail client, either:
- Microsoft Outlook 2013
- Mozilla Thunderbird > 45 ESR
- IBM Lotus Notes 8.5 or 9

NOTE
In general, consulting messages through a webmail-like interface does not allow you to sign your messages.

D. WEB ACCESS TO THE RTE INFORMATION SYSTEM

Please refer directly to the chapter associated with the browser you are using for your default Web exchanges with RTE:
- Chapter 4 if you are using Microsoft Internet Explorer as web browser
- Chapter 5 if you are using Mozilla Firefox as web browser

4. Microsoft Internet Explorer

4.1 Preliminary configuration

Configuration of the security settings

This section is about the configuration of the workstation to support the SSL standard, allowing access to sites with an encrypted connection (HTTPS protocol).

In the browser, select the menu "Tools > Internet Options":

Select the "Advanced" tab:

In the "Security" section, make sure that the boxes TLS 1.0, TLS 1.1 and TLS 1.2 are ticked, as shown above.

Adding trusted sites

In order to log on to the web sites with your software certificate, it is imperative to add these sites to the list of trusted sites. The Trusted Sites zone allows you to declare the names of sites you consider safe.

In this section, you must be logged into the workstation with the Windows account that will use the software certificate.

To do this, open Internet Explorer and click the menu "Tools > Internet Options".

In the window that appears, click the "Security" tab.
Select the "Trusted Sites" icon and click the "Sites" button.

The following window appears:

In the field "Add this website to the zone", enter the URL corresponding to the PKI:
Then click "Add". The site then appears in the list "Websites" as shown below.

Proceed in the same way to add the following websites:
- this is the internet portal
- this is the SSL VPN connection portal

The 3 websites shall now appear in the list "Websites".

Click "Close", then "OK".

4.2 Installing RTE's CAs certificates

Download and install

RTE Historical Certification Authority

This CA is the Historical CA of RTE, dealing with 2048 bit keys. This CA is necessary to ensure the coexistence of the former and the new PKIs.

RTE Historical CA's certificate must now be installed in your browser so that it is recognized as a trusted Certificate Authority. To do so, please go to the following address:

IMPORTANT NOTE
It is imperative to respect the case (upper / lower case) of the site's address.

The download window appears:
Click the "Save" button and choose a location to save the file "Certification_Autority_RTE_2048.cer" containing RTE Historical CA's certificate.

Once the download is completed, the following window appears:
Click "Open folder" to go to the directory where you saved the file.
Right-click the "Certification_Autority_RTE_2048.cer" file you just downloaded and choose "Install Certificate".

The installation wizard of the certificate is displayed:
Click "Next".
Select "Place all certificates in the following store" and click "Browse".
In the window that appears, select "Trusted Root Certification Authorities" and click "OK".

Once you have chosen the certificate store, you get the following window:
Click "Next".

Click "Finish".
Click "OK".

RTE Root Certification Authority

This CA is the new Root CA of RTE, dealing with 4096 bit keys. This CA is necessary to ensure the validation of the chain of trust.

RTE Root CA certificate must now be installed in your browser. To do so, please go to the following address:

IMPORTANT NOTE
It is imperative to respect the case (upper / lower case) of the site's address.

The download window appears:

Click the "Save" button and choose a location to save the file "ACR_RTE_Root_CA_ cer" containing RTE Root CA's certificate.
Once the download is completed, the following window appears:
Click "Open folder" to go to the directory where you saved the file.
Right-click the "ACR_RTE_Root_CA_ cer" file you just downloaded and choose "Install Certificate".
The installation wizard of the certificate is displayed:
Click "Next".

Select "Place all certificates in the following store" and click "Browse".
In the window that appears, select "Trusted Root Certification Authorities" and click "OK".
Once you have chosen the certificate store, you get the following window:

Click "Next".
Click "Finish", and if the next window displays a security warning, click "Yes":

Click "OK".

RTE Client Certification Authority

This CA is the new Client CA of RTE, dealing with 4096 bit keys. This CA is necessary to generate the new PKI's certificates.

RTE Client CA certificate must now be installed in your browser. To do so, please go to the following address:

IMPORTANT NOTE
It is imperative to respect the case (upper / lower case) of the site's address.

The download window appears:
Click the "Save" button and choose a location to save the file "ACF_RTE_Client_CA_ cer" containing RTE Client CA's certificate.

Once the download is completed, the following window appears:
Click "Open folder" to go to the directory where you saved the file.
Right-click the "ACF_RTE_Client_CA_ cer" file you just downloaded and choose "Install Certificate".
The installation wizard of the certificate is displayed:
Click "Next".

Select "Automatically select the certificate store based on the type of certificate" and click "Next".
Click "Finish".

Click "OK".

Visualization and verification of RTE's CA certificates

Visualization of installed RTE's CA certificates

The certificates of RTE's CAs that you just imported are stored in the Certification Authorities store of Internet Explorer. To view them, click the menu "Tools > Internet Options". A window appears. Go to the "Content" tab and click the "Certificates" button.


In the window that appears, go to the tab "Trusted Root Certification Authorities". You can see RTE Historical CA's certificate ( ) and RTE Root CA's certificate ( ):

On the tab "Intermediate Certification Authorities" you can see RTE Client CA's certificate ( ):

Verification of RTE Certification Authority certificate

Select the certificate "RTE Certification Authority". Click the button "View" then click the "Details" tab.

To ensure the authenticity of this certificate, carefully check that the thumbprint "SHA1" related to the certificate "RTE Certification Authority" is identical to the one presented below.

Digital hash of the certificate RTE Certification Authority
SHA1: 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12

If this is not the case, delete the certificate and call RTE's Hotline (see 14.1).

Verification of RTE Root Certification Authority certificate

Select the certificate "RTE Root Certification Authority". Click the button "View" then click the "Details" tab.

To ensure the authenticity of this certificate, carefully check that the thumbprint "SHA1" related to the certificate "RTE Root Certification Authority" is identical to the one presented below.

Digital hash of the certificate RTE Root Certification Authority
SHA1: 00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff

If this is not the case, delete the certificate and call RTE's Hotline (see 14.1).
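The thumbprint comparison described in this section can also be done on the downloaded ".cer" file before it is placed in a trust store. The following is an added example, not part of RTE's guide: the function names and the constructed SAMPLE_DER bytes are assumptions, while the three expected values are the SHA1 thumbprints printed in this section (the Client CA value is the one given just below).

```python
import base64
import hashlib
import re
import sys
import unicodedata

# SHA-1 thumbprints exactly as printed in this guide (mixed case, ':' separators).
EXPECTED_SHA1 = {
    "RTE Certification Authority":
        "39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12",
    "RTE Root Certification Authority":
        "00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff",
    "RTE Client Certification Authority":
        "C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed",
}

# Constructed sample: a tiny DER SEQUENCE, NOT a real certificate. It only
# exercises the code path and must never match a real CA thumbprint.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])

_PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)


def normalize_thumbprint(text):
    """Return 40 lowercase hex digits from any display form of a SHA-1 thumbprint.

    Drops ':' '-' whitespace and invisible Unicode format characters (such as
    a stray left-to-right mark picked up by copy and paste); anything else
    that is not a hex digit makes the value invalid.
    """
    kept = [
        c for c in text
        if not (c.isspace() or c in ":-" or unicodedata.category(c) == "Cf")
    ]
    digest = "".join(kept).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", digest):
        raise ValueError("not a SHA-1 thumbprint: %r" % text)
    return digest


def load_der(data):
    """Return the DER bytes of a certificate file (binary DER or Base64/PEM)."""
    match = _PEM_BLOCK.search(data)
    if match:
        der = base64.b64decode(b"".join(match.group(1).split()), validate=True)
    else:
        der = data
    # Every X.509 certificate is a DER SEQUENCE, so the first byte is 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("not an X.509 certificate (no DER SEQUENCE header)")
    return der


def sha1_thumbprint(data):
    """SHA-1 over the whole DER certificate, the value Windows calls Thumbprint."""
    return hashlib.sha1(load_der(data)).hexdigest()


def format_thumbprint(hex40):
    """Render 40 hex digits in the colon-separated form used in this guide."""
    return ":".join(hex40[i:i + 2] for i in range(0, 40, 2)).upper()


def verify_ca_file(data, expected_text):
    """Return (matches, actual_thumbprint) for certificate bytes vs an expected value."""
    actual = sha1_thumbprint(data)
    return actual == normalize_thumbprint(expected_text), actual


def main(argv):
    if len(argv) == 1:
        # No arguments: run on the constructed sample, which must NOT match.
        name, data = "RTE Root Certification Authority", SAMPLE_DER
    elif len(argv) == 3 and argv[1] in EXPECTED_SHA1:
        name = argv[1]
        with open(argv[2], "rb") as handle:
            data = handle.read()
    else:
        print('usage: check_ca.py "<CA name as in the guide>" <file.cer>')
        return 2
    ok, actual = verify_ca_file(data, EXPECTED_SHA1[name])
    print("%s: %s (%s)" % (name, "MATCH" if ok else "MISMATCH",
                           format_thumbprint(actual)))
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A MISMATCH result corresponds to the case where the guide says to delete the certificate and call RTE's Hotline.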

Verification of RTE Client Certification Authority certificate

In the tab "Intermediate Certification Authorities", select the certificate "RTE Client Certification Authority". Click the button "View" then click the "Details" tab.

To ensure the authenticity of this certificate, carefully check that the thumbprint "SHA1" related to the certificate "RTE Client Certification Authority" is identical to the one presented below.

Digital hash of the certificate RTE Client Certification Authority
SHA1: C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed

If this is not the case, delete the certificate and call RTE's Hotline (see 14.1).

4.3 Installing your personal certificate

Authentication on the retrieval interface

The software certificate request must have been completed in accordance with the procedure of chapter 2.2. To proceed to the retrieval you need the following information (see 2.2.2):
- The chosen password that you or your administrator chose and supplied to RTE in the form to request access to RTE's IS (see 2.2.1).
- Certificate , Retrieval code and Password for the PKCS#12 file, included in the "Access to RTE's IS services" e-mail (see 2.2.2).

For your convenience you can copy and paste the different values, being careful not to copy any space at the beginning or end.

To create your certificate and the associated private key, log on to the certificate retrieval website:

IMPORTANT NOTE
It is imperative to respect the case (upper / lower case) of the site's address.

Click the button "Retrieval of your personal certificate".

Fill the field "Certificate " with the value indicated in the "Access to RTE's IS services" e-mail (see 2.2.2). Click "Submit".

Fill the fields:
- "Retrieval code", as indicated in the "Access to RTE's IS services" e-mail (see 2.2.2).
- "Chosen password", which is the password you or your company representative chose and provided to RTE in the form to request access to RTE's IS (see 2.2.1).

Finally click "Submit".

Downloading your certificate

The following page appears. Click "Download".
In the window that appears, click "Save".
Choose a directory to save your certificate, then click "Save".
A window shows the progress of the download. Once the download is completed, click "Open Folder". The folder containing your personal certificate appears.

Installation of your personal certificate

Go to the download folder of the file.

IMPORTANT NOTE
Once downloaded, the PKCS#12 file (extension ".p12") containing your certificate and its associated private key must be stored on removable media (USB stick or external hard drive), which you have to put into a safe in order to protect access to it. Also keep the e-mail "Access to RTE's IS services" (see 2.2.2) that contains the password.

Right-click the "certificate.p12" file and choose "Install PFX".
The Certificate Import Wizard opens:
Click "Next".

The name of the file containing your certificate is automatically filled in. Click "Next".

The window below appears:

In the field "Password", enter the Password present in the "Access to RTE's IS services" e-mail (see 2.2.2).

The checkbox "Enable strong private key protection. [ ]" is optional. Tick it if you wish to define a password that will be asked before every use of your private key in Internet Explorer.

The checkbox "Mark this key as exportable. [ ]" is optional. Tick it if you wish to be able to export your private key later (see "Export of your personal certificate").

Tick the checkbox "Include all extended properties".

Click "Next".

Select "Automatically select the certificate store based on the type of certificate" and click "Next".
Finally, click "Finish".

If you previously ticked the checkbox "Enable strong private key protection", then the following window appears:
Click the button "Set security level".
Select the option "High" then click "Next".

Enter a name for the private key to protect and a password, then click the "Finish" button.
Warning: this password is required upon each use of the certificate.
Click "OK".
Finally, the following window appears:
Click "OK". Your certificate and your private key have been successfully imported in Internet Explorer.

Visualization and verification of your software certificate

Regardless of the browser used, the content of the downloaded certificate is the same; only the presentation of information on the screen differs.

In the case of downloading with Internet Explorer, open the certificate store via the menu "Tools > Internet Options", "Content" tab, button "Certificates...".
Select your certificate then click "View".

It is valid for 3 years from the date of retrieval.

The "Certification Path" tab allows checking the validity of your certificate. The "Certificate status" and the complete visualization of the certification path indicate that your certificate has been correctly installed, and the trust chain (Root CA + Client CA, or Historical CA) confirms that everything has been configured correctly.

The "Details" tab allows you to view the full name of the holder and the address to which the certificate is attached.

4.4 Using your certificate

Authentication and encryption

Steps to follow:
- run Internet Explorer,
- enter the URL of RTE's application or of RTE's customer service portal:
- during the authentication, the browser will ask you to select the certificate to use for authentication, then (if it has been defined) the certificate store protection password,
- if multiple certificates are presented, you must choose the one supplied for the application you wish to access (use the button "Display certificate" to view its content).

Once authentication is completed, all data you send or receive will be encrypted.

Example of access to an RTE web application

Enter the URL in the Internet Explorer address bar then press Return.

Then, Internet Explorer asks you to select a certificate enabling you to authenticate to the requested site.
The line "Click here to view certificate properties" lets you view the content of the selected certificate. Click the "OK" button to access the application.

The window below asks for the password that protects the private key associated with your certificate, if it has been set.

The home page is then securely displayed (appearance of the closed padlock to the right of the URL entry field):


4.5 Additional operations

Export of your personal certificate

This section explains how to save the certificate with its private key and RTE's trust chain. The procedure is to generate a file in PKCS#12 format (".pfx" extension), protected by a password.

You can only export your certificate and private key if you checked "Mark this key as exportable" when installing your personal certificate (see 4.3.3).

In Internet Explorer, click the menu "Tools > Internet Options...". Then, click the "Content" tab and then the "Certificates" button.


Another window appears. Select your certificate, then click "Export...".
Click "Next".

Select "Yes, export the private key" and then click "Next".
Select the check box "Include all certificates in the certification path if possible" and then click "Next".

Enter a password of your choice to protect the PKCS#12 file, and then click "Next".
Select the location of the PKCS#12 file, and then click "Next".

Finally, click the "Finish" button.
Click "OK".

You have exported your certificate, its private key and RTE's trust chain (the CAs that signed your certificate) to a file in PKCS#12 format, protected by a password. These elements have been exported, but remain present in Internet Explorer's store.

Deleting your personal certificate

This section details the procedure to remove a certificate and its private key from Internet Explorer's certificate store.

IMPORTANT NOTE
Before deleting your personal certificate, make sure you have a copy. If this is not the case, first export your certificate and private key as a PKCS#12 file (see "Export of your personal certificate").

In Internet Explorer, go to "Tools > Internet Options". A window appears.
Click the "Content" tab, then the "Certificates" button:

Select the certificate to delete and click "Remove".
Click "Yes".

The certificate is removed from the certificates list.

4.6 Connecting to the SSL VPN

Foreword

The connection via SSL VPN is a service for establishing a secure communications channel to RTE's FrontOffice via the Internet. This channel is established after authenticating with your certificate from a dedicated website (see section 4.4). Once the channel is established, all communications with the requested RTE service will be encrypted.

The use of SSL VPN requires a dedicated tool, installed during the first login to the site. The application is called Secure Application Manager (SAM).

SSL VPN enables secure access to your mailboxes hosted on RTE's FrontOffice.

Prerequisite

The website secure.iservices.rte-france.com must be declared as a trusted site (see 4.1.2).

IMPORTANT NOTE
Before your first connection, you must verify that your workstation can resolve the address secure.iservices.rte-france.com (see section 3.1).

PSIS (Pulse Secure Installation Service) is a Windows service made available on the RTE customer site. Once installed, this service allows future SAM versions to be updated without requiring the intervention of a person with administrator privileges on the machine.

To do so, download the executable under the link:
And decompress the compressed file:

Once the file is executed, the following window appears, asking you for authorization to start the service. Click "Run".

The following window appears. Click «Yes». The service will be activated automatically each time the operating system starts.

First connection

This paragraph applies only to your first login to the SSL VPN with Internet Explorer.

IMPORTANT: The first connection must be made by a computer specialist with Administrator rights on your workstation in order to install the SAM application.

Before continuing, you need to disable ActiveX controls on Internet Explorer. To do so, press the "Alt" key on your keyboard. A menu bar appears at the top of the window. Then click the Tools button, and make sure "ActiveX Filtering" is not selected (see the following screenshot).

Launch your browser and go to the following website: The following window appears: Select your certificate then click OK.

If necessary, this window will ask for the password that protects the private key associated with your certificate. The browser displays a link to install SAM (if it's not already installed on your computer):

If no manual intervention is performed, the following installation pop-up appears: If necessary, the following window appears: Click Yes. The Pulse Secure client then installs and the installation of the SAM application starts:

Wait during the installation. If the following window appears, click Yes: Once the installation is completed, the following page appears: If your Internet access requires authentication to a proxy, a window appears asking for your login and password. Enter them and confirm.

Then, the icon appears in your taskbar: Click the "Sign out" button (top right of the page) to end the session:

Using the SSL VPN

Establishing the connection

Launch your browser and go to the following website: The following window appears: Select your certificate then click OK.

If necessary, a window will ask you for the password that protects the private key associated with your certificate. If necessary, the window below appears. Click Yes. The SAM application launches automatically and the following page appears: If your Internet access requires authentication to a proxy, a window appears asking for your login and password. Enter them and confirm. Then, the icon appears in your taskbar.

Notes: The certificate is only used to establish the connection to the SSL VPN. To close the SSL VPN session, click the Sign out button (top right of the page).

Use case to access hosted mailboxes

The SSL VPN can be used to access mailboxes hosted on the FrontOffice with a standard client. Access to hosted mailboxes requires the SSL VPN connection to be established (see ). The account in your mail client must then be configured with the following parameters:
- Mail server type: POP Server
- POP server address: pop.services.rte-france.com
- SMTP server address: smtp.services.rte-france.com

When your access to RTE's FrontOffice is provided, you will receive your login name, your password and your address.

NOTE: Because the messages are transferred through a secure channel, sending and receiving messages does not require the use of a certificate to encrypt messages.

Mozilla Firefox

5.1 Preliminary configuration

The SSL standard, which allows access to sites over an encrypted connection (HTTPS protocol), is disabled by default in recent versions of Firefox. The supported versions of Firefox are specified in 3.2. The standards supported by default are: TLS 1.0 to TLS 1.2. In case of problems, please report the issue to RTE's Hotline (cf. 14.1).

5.2 Installing RTE's CAs certificates

Download and install

RTE Historical Certification Authority

This CA is the Historical CA of RTE, dealing with 2048-bit keys. This CA is necessary to ensure the coexistence of the former and the new PKIs. RTE Historical CA certificate must now be installed in your browser so that it is recognized as a trusted Certificate Authority. To do so, please go to the following address:

IMPORTANT NOTE: It is imperative to respect the case (upper / lower case) of the site's address.

The following pop-up appears, offering to download the certificate: Select Save file then click OK. You may be asked for a location to save the file Certification_Autority_RTE_2048.cer.

Once the file is downloaded, click the menu Tools in the right corner of the window then click the icon Options :

A window appears. Choose the Advanced tab then the subcategory Certificates. Click the «View certificates» button. Select the Authorities tab and click Import.

Select the previously saved file. A dialog box is displayed, in which you must select the three check boxes "Trust this CA to identify [...]" to trust RTE Historical CA. Click View to check that the certificate you just installed is RTE Historical CA's certificate:

To ensure that you have downloaded the real RTE Historical CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate "RTE Certification Authority":
SHA1: 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12

If this is not the case: click Close to go back to the previous window and click Cancel, then call RTE's Hotline (cf. 14.1).

If, after verification, the hash of the certificate that you imported matches the "SHA1" hash above, it is possible to consult the details of the certificate by clicking on the "Details" tab: By clicking on the "Close" button, you return to the initial window. Click OK. RTE Historical CA certificate is now installed in the certificate store of Mozilla Firefox.

RTE Root Certification Authority

This CA is the new Root CA of RTE, dealing with 4096-bit keys. This CA is necessary to ensure the validation of the chain of trust. RTE Root CA certificate must now be installed in your browser. To do so, please go to the following address:

IMPORTANT NOTE: It is imperative to respect the case (upper / lower case) of the site's address.

The following pop-up appears, offering to download the certificate: Select Save file then click OK. You may be asked for a location to save the file ACR_RTE_Root_CA_ cer. Once the file is downloaded, click the menu Tools in the right corner of the window then click the icon Options :

A window appears. Choose the Advanced tab then the subcategory Certificates. Click the «View certificates» button.

Select the Authorities tab and click Import. Select the previously saved file.

A dialog box is displayed, in which you must select the three check boxes "Trust this CA to identify [...]" to trust RTE Root CA. Click View to check that the certificate you just installed is RTE Root CA's certificate: To ensure that you have downloaded the real RTE Root CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate "RTE Root Certification Authority":
SHA1: 00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff

If this is not the case: click Close to go back to the previous window and click Cancel, then call RTE's Hotline (cf. 14.1). If, after verification, the hash of the certificate that you imported matches the "SHA1" hash above, it is possible to consult the details of the certificate by clicking on the "Details" tab: By clicking on the "Close" button, you return to the initial window. Click OK. RTE Root CA certificate is now installed in the certificate store of Mozilla Firefox.

RTE Client Certification Authority

This CA is the new Client CA of RTE, dealing with 4096-bit keys. This CA is necessary to generate the new PKI's certificates. RTE Client CA certificate must now be installed in your browser. To do so, please go to the following address:

IMPORTANT NOTE: It is imperative to respect the case (upper / lower case) of the site's address.

The following pop-up appears, offering to download the certificate: Select Save file then click OK. You may be asked for a location to save the file ACF_RTE_Client_CA_ cer. Once the file is downloaded, click the menu Tools in the right corner of the window then click the icon Options :

A window appears. Choose the Advanced tab then the subcategory Certificates. Click the «View certificates» button.

Select the Authorities tab and click Import. Select the previously saved file.

A dialog box is displayed, in which you must select the three check boxes "Trust this CA to identify [...]" to trust RTE Client CA. Click View to check that the certificate you just installed is RTE Client CA's certificate: To ensure that you have downloaded the real RTE Client CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate "RTE Client Certification Authority":
SHA1: C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed

If this is not the case: click Close to go back to the previous window and click Cancel, then call RTE's Hotline (cf. 14.1). If, after verification, the hash of the certificate that you imported matches the "SHA1" hash above, it is possible to consult the details of the certificate by clicking on the "Details" tab: By clicking on the "Close" button, you return to the initial window. Click OK. RTE Client CA certificate is now installed in the certificate store of Mozilla Firefox.
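The fingerprint comparison above can also be done on the downloaded .cer file before it is imported. The following is an added example, not part of RTE's guide: the function names are hypothetical, the pinned values are the three SHA1 hashes printed in this guide, and the sample certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import hmac
import re

# SHA-1 fingerprints exactly as printed in this guide (mixed case kept).
PINNED_SHA1 = {
    "RTE Certification Authority":
        "39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12",
    "RTE Root Certification Authority":
        "00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff",
    "RTE Client Certification Authority":
        "C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed",
}

_PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)


def der_bytes(raw: bytes) -> bytes:
    """Return the DER encoding; a .cer file may be binary DER or Base64 (PEM)."""
    match = _PEM_CERT.search(raw)
    if match is None:
        return raw
    return base64.b64decode(b"".join(match.group(1).split()), validate=True)


def normalise(fingerprint: str) -> str:
    """Drop colons/spaces and lower-case, so 'C8:53:de' and 'c853DE' compare equal."""
    compact = re.sub(r"[\s:]", "", fingerprint).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", compact):
        raise ValueError(f"not a SHA-1 fingerprint: {fingerprint!r}")
    return compact


def sha1_fingerprint(raw: bytes) -> str:
    """The fingerprint is the SHA-1 digest of the whole DER-encoded certificate."""
    digest = hashlib.sha1(der_bytes(raw)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_pinned(raw: bytes, ca_name: str) -> bool:
    """True only if the file hashes to the value this guide prints for ca_name."""
    expected = normalise(PINNED_SHA1[ca_name])
    actual = normalise(sha1_fingerprint(raw))
    return hmac.compare_digest(expected, actual)


def check_file(path: str, ca_name: str) -> bool:
    """Convenience wrapper for a downloaded .cer file on disk."""
    with open(path, "rb") as handle:
        return matches_pinned(handle.read(), ca_name)


# Constructed sample: placeholder bytes standing in for a certificate, in both
# encodings. They are NOT an RTE certificate, so the pinned check must fail.
SAMPLE_DER = bytes.fromhex("3082000c") + b"constructed!"
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER)
    + b"-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print("DER fingerprint:", sha1_fingerprint(SAMPLE_DER))
    print("PEM fingerprint:", sha1_fingerprint(SAMPLE_PEM))
    for name in PINNED_SHA1:
        verdict = "match" if matches_pinned(SAMPLE_DER, name) else "MISMATCH: do not import"
        print(f"{name}: {verdict}")
```

A mismatch here corresponds to the guide's "click Cancel then call RTE's Hotline" branch: the file is not imported.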

Visualization and verification of RTE CAs certificates

To see the certificates in Mozilla Firefox, click the menu Tools in the right corner of the window then click the icon Options : A window appears. Choose the Advanced tab then the subcategory Certificates.

Click the View certificates button. In the Authorities tab, you can verify that the certificates you imported are registered under the RESEAU DE TRANSPORT D'ELECTRICITE organization and are saved on your computer disk ("Software Security Device"). You can see the content of each certificate by clicking on the certificate and then clicking on View. Select RTE Certification Authority and click View :

To ensure that you have downloaded the real RTE Historical CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate "RTE Certification Authority":
SHA1: 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12

If this is not the case: click Close to go back to the previous window and call RTE's Hotline (cf. 14.1). If, after verification, the hash of RTE Historical CA certificate that you imported matches the "SHA1" hash above, it is possible to consult the details of the certificate by clicking on the "Details" tab: By clicking on the "Close" button, you return to the initial window.

Select RTE Root Certification Authority and click View : To ensure that you have downloaded the real RTE Root CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate "RTE Root Certification Authority":
SHA1: 00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff

If this is not the case: click Close to go back to the previous window and call RTE's Hotline (cf. 14.1).

If, after verification, the hash of RTE Root CA certificate that you imported matches the "SHA1" hash above, it is possible to consult the details of the certificate by clicking on the "Details" tab: By clicking on the "Close" button, you return to the initial window.

Select RTE Client Certification Authority and click View : To ensure that you have downloaded the real RTE Client CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate "RTE Client Certification Authority":
SHA1: C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed

If this is not the case: click Close to go back to the previous window and call RTE's Hotline (cf. 14.1).

If, after verification, the hash of RTE Client CA certificate that you imported matches the "SHA1" hash above, it is possible to consult the details of the certificate by clicking on the "Details" tab: By clicking on the "Close" button, you return to the initial window.

5.3 Installing your personal certificate

Authentication on the retrieval interface

The software certificate request must have been completed in accordance with the procedure of chapter 2.2. To proceed to the retrieval you need the following information (see 2.2.2):
- The password that you or your administrator chose and supplied to RTE in the form to request access to RTE's IS (see 2.2.1).
- Certificate , Retrieval code and Password for the PKCS#12 file included in the Access to RTE's IS services (cf. 2.2.2).

For your convenience you can copy and paste the different values, being careful not to copy any space at the beginning or end. To create your certificate and the associated private key, log on to the certificate retrieval website:

IMPORTANT NOTE: It is imperative to respect the case (upper / lower case) of the site's address.

Click the button Retrieval of your personal certificate. Fill in the field Certificate with the value indicated in the Access to RTE's IS services (cf. 2.2.2). Click Submit.

Fill in the fields:
- Retrieval code, as indicated in the Access to RTE's IS services (cf. 2.2.2).
- Chosen password, which is the password you or your company representative chose and provided to RTE in the form to request access to RTE's IS (see 2.2.1).

Finally, click Submit.

Download of your certificate

The following page appears. Click Download.

In the window that appears, click Save then OK. Choose a directory to save your certificate, then click "Save".

IMPORTANT NOTE: Once downloaded, the PKCS#12 file (extension ".P12") containing your certificate and its associated private key must be stored on removable media (USB stick, external hard drive), which you must keep in a safe in order to protect access to it. Also keep the mail "Access to RTE's IS services" (cf. 2.2.2) that contains the password.

Installation of your personal certificate

In Firefox, go to the menu "Tools" on the top right of the window and click the "Options" icon: A window appears. Choose the tab Advanced then the subcategory Certificates. Click View Certificates.

Click Import. Go to the folder in which you saved your certificate, select your certificate name_certificate.p12 and click Open.

If necessary, the window below will ask you for the access password to the Mozilla Firefox certificate store (see to set this password): Enter it and click OK. The window below appears. Enter the Password present in the Access to RTE's IS services (cf. 2.2.2), then click OK. Your certificate and its associated private key have been successfully imported into Mozilla Firefox's certificate store.

Visualization and verification of your software certificate

Regardless of the browser used, the content of the downloaded certificate is the same; only the presentation of information on the screen differs.

In the case of Mozilla Firefox, go to the Tools menu (top-right corner of the window) then click the Options icon: A window appears. Choose the Advanced tab then the Certificates subcategory. Then click the View Certificates button.

Select the tab Your Certificates. The certificate is a software certificate: indeed, the "Software Security Dev " indication appears at the right of its name. You can view it by selecting it and clicking "View". The first tab, General, displays the message "This certificate has been verified for the following uses". It is valid for 3 years from the date of withdrawal.

The second tab Details displays the certification hierarchy with the trust chain. This ensures that all certificates have been installed correctly, and that all the correct conditions of your certificate are met.

5.4 Using your certificate

Authentication and encryption

Steps to follow:
- run Mozilla Firefox,
- enter the URL to RTE's application or to RTE's customer service portal :
- during the authentication, the browser will ask you to select the certificate to use for authentication, then (if it has been defined) the certificate store protection password,
- if multiple certificates are presented, you must choose the one supplied for the application you wish to access (use the button Display certificate to visualize its content).

Once authentication is completed, all data you send or receive will be encrypted.

Example of access to an RTE web application

When you access the homepage, you will be asked to choose your certificate. Select your certificate from the drop-down list entitled Choose a certificate to present as identification then click OK. The following window will ask you for the access password to the Mozilla Firefox certificate store if it was defined.

The home page is then displayed securely (a closed padlock appears near the URL entry field):

5.5 Additional operations

Defining the master password for personal security

To protect the private key associated with your certificate, it is strongly recommended to set a personal security password.

To do this, click the Tools menu on the top right of the window and click on the Options icon: A window appears. Choose the Security tab. If Use a master password is already checked, it means you already have a personal security password, and you have nothing to do.

Otherwise, check the Use a master password box. The following window appears: Enter your new master password in both fields and click OK. Your personal security password is now defined. You can change your personal security password at any time by going to the menu Tools on the top right of the window and clicking the Options icon.

A window appears. Choose the Security tab and click Change Master Password.

Export of your personal certificate

This section explains how to save the certificate with its private key and trust chain. The procedure is to generate a file in PKCS#12 format (".p12"), protected by a password. Go to the Tools menu at the top-right corner of the window then click the Options icon:

A window appears. Choose the Advanced tab then the Certificates subcategory. Then click View Certificates. Select your certificate and click Backup : Choose a folder and a name for the output file in PKCS#12 format (extension «.p12»):

Click Save. If necessary, the following window will ask you for the access password to the Mozilla Firefox certificate store: Then the following window appears: Enter a password of your choice to protect access to the PKCS#12 file and click OK.

Your certificate, your private key and the trust chain are exported in the generated PKCS#12 file (extension ".p12").

Deleting your personal certificate

This section details the procedure to remove a certificate and its private key from Mozilla Firefox's certificate store.

IMPORTANT NOTE: Before deleting your personal certificate, make sure you have a copy. If this is not the case, refer to to export your certificate and private key as a PKCS#12 file.

Go to the Tools menu at the top-right corner of the window then click the Options icon:

A window appears. Choose the Advanced tab then the Certificates subcategory. Then click View Certificates. Select your certificate and click Delete.

Validate by clicking OK. The certificate is then removed from the list of certificates.

5.6 Connecting to the SSL VPN

Foreword

The connection via SSL VPN is a service for establishing a secure communications channel to RTE's FrontOffice via the Internet. This channel is established after authenticating with your certificate from a dedicated website (see section 5.4). Once the channel is established, all communications with the requested RTE service will be encrypted. The use of SSL VPN requires the installation of a dedicated tool, installed during the first login to the site. The application is called Secure Application Manager (SAM). SSL VPN enables secure access to your mailboxes hosted on RTE's FrontOffice.

Prerequisite

In order to connect to the SSL VPN with Firefox, Java SE Runtime Environment (JRE) or higher needs to be installed on your workstation. If this is not the case, you can download the latest version on Oracle's website:

IMPORTANT NOTE: Before your first connection, you must verify that your workstation can resolve the address secure.iservices.rte-france.com (see section 3.1).

PSIS (Pulse Secure Installation Service) is a Windows service made available on the RTE customer site. Once installed, this service allows future SAM versions to be updated without requiring the intervention of a person with administrator privileges on the machine. To do so, download the executable under the link: And decompress the compressed file: Once the file is executed, the following window appears, asking you for authorization to start the service. Click Run.

Once the file is executed, the following window appears. Click «Yes». The service will be activated automatically each time the operating system starts.

First connection

This paragraph applies only to your first login to the SSL VPN with Mozilla Firefox.

IMPORTANT: The first connection must be made by a computer specialist with Administrator rights on your workstation in order to install the SAM application.

Launch your browser and go to the following website:

The following window appears: Select your certificate from the dropdown list entitled Choose a certificate to present as identification and click OK. If necessary, the following window will ask you for the access password to the Mozilla Firefox certificate store. If a window appears asking you for permission to execute a script from Pulse Secure, LLC., click Yes. If the following red icon appears, click it in the address bar. Then, in the dropdown menu of the message, select Activate all plugins and then choose "Allow and remember".

The following window appears, click Run : If necessary, the following window appears:

If the window below appears, click Yes. The installation of the SAM application starts: If your Internet access requires authentication to a proxy, a window appears asking for your login and password. Enter them and confirm. Then the window below appears: Then, the icon appears in your taskbar, which means you are now connected to the SSL VPN.

Click the "Sign out" button (top right of the page) to end the session:

Using the SSL VPN

Establishing the connection

Run your browser and access the following website: The following window appears: Select your certificate from the dropdown list entitled Choose a certificate to present as identification and click OK. If necessary, the following window will ask you for the access password to the Mozilla Firefox certificate store. If a window appears asking you for permission to execute a script from Pulse Secure, LLC., click Yes: If your Internet access requires authentication to a proxy, a window appears asking for your login and password. Enter them and confirm.

Then the window below appears: Then, the icon appears in your taskbar, which means you are now connected to the SSL VPN.

Notes: The certificate is only used to establish the connection to the SSL VPN. To close the SSL VPN session, click on the Sign out button (top right of the page).

Use to access hosted mailboxes

The SSL VPN can be used to access mailboxes hosted on the FrontOffice with a standard client. Access to hosted mailboxes requires the SSL VPN connection to be established (see ). The account in your mail client must then be configured with the following parameters:
- Mail server type: POP Server
- POP server address: pop.services.rte-france.com
- SMTP server address: smtp.services.rte-france.com

When your access to RTE's FrontOffice is provided, you will receive your login name, your password and your address.

NOTE: Because the messages are transferred through a secure channel, sending and receiving messages does not require the use of a certificate to encrypt messages.

E. EXCHANGES WITH RTE'S INFORMATION SYSTEM

This section only applies if you need to exchange signed-encrypted e-mails with RTE applications. After reading chapter 6 (overview), refer directly to the chapter associated with the client that you use for your mail exchanges with RTE:
- Chapter 7 if you use Microsoft Outlook 2013 as client.
- Chapter 8 if you use Mozilla Thunderbird as client.
- Chapter 9 if you use Lotus Notes as client.

Using your certificate to exchange e-mails

6.1 Certificate usage principle

Using your personal certificate, its associated private key, RTE CAs' certificates and RTE's application certificate, you can:
- decrypt and verify the signature of e-mails you receive from RTE applications,
- encrypt and sign e-mails you send to RTE applications.

6.2 Decryption and signature verification of a received message

Decryption and verification of the signature of a message are separate processes. When you receive an encrypted-signed message:
- you decrypt the message with the private key associated with your personal certificate,
- you verify the message signature with the certificate of the sender (that of the RTE application) contained in the message, and with the certificate you own of the issuing CA that you trust.

These two processes are done automatically when you open a signed-encrypted e-mail with a properly configured client that supports the secure format S/MIME.

IMPORTANT NOTE: To verify the signature of a message you need to own the right certificate and trust the CA that issued the certificate of the sender.

6.3 Encryption and signing of a sent message

Encrypting and signing a message are two separate processes. When you send an encrypted-signed message:
- you sign the message with the private key associated with your personal certificate,
- you encrypt the message with the recipient's certificate (RTE's application certificate).

The certificate of the recipient can be obtained in several ways. RTE applications transmit their certificate to you by sending a signed message: that is the way you will get their certificate. When you receive a signed message, use "Add sender to contacts" to save its certificate at the same time; you can then use it to send encrypted messages to that sender.

IMPORTANT NOTE: Encrypting a message requires a valid certificate corresponding to the recipient's address.

Steps to configure your client

In order to be able to exchange signed-encrypted e-mails with RTE, the steps are as follows:
- Install the certificates of RTE's 3 CAs (Historical, Root, and Client), so that your mail client trusts RTE's applications' certificates and is able to verify the signature of signed-encrypted e-mails you receive from them.
- Install your personal certificate, so your mail client can decrypt the messages from RTE and sign messages to RTE.
- Configure the account you will use to exchange with RTE so that your client always encrypts and signs messages to the RTE applications using the standard S/MIME.
- Install RTE's application certificate, so that your client can encrypt e-mails you send to RTE applications.

To perform these steps, please refer directly to one of the following chapters: the one concerning the client that you use for your mail exchanges with RTE.
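Sections 6.2 to 6.4 require the client to always encrypt and sign using S/MIME; on the wire, the outermost MIME layer of a message shows which protection was applied. The following is an added example, not part of RTE's guide: the function names are hypothetical, and the three messages (addresses, boundaries, Base64 bodies) are constructed samples.

```python
from email import message_from_string
from email.message import Message
from email.utils import collapse_rfc2231_value

# Media types defined for S/MIME, plus the legacy "x-" spellings some clients emit.
PKCS7_MIME = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
PKCS7_SIGNATURE = {"application/pkcs7-signature", "application/x-pkcs7-signature"}


def _param(msg: Message, name: str) -> str:
    """Content-Type parameter as lower-case text ('' when absent)."""
    value = msg.get_param(name, failobj="")
    return collapse_rfc2231_value(value).strip().lower()


def smime_layer(msg: Message) -> str:
    """Classify the outermost layer of a message.

    'encrypted'     enveloped-data: readable only with the recipient's private key
    'signed-opaque' signed-data: signature and content in one PKCS#7 blob
    'signed-clear'  multipart/signed: readable body plus detached signature
    'plain'         no S/MIME protection at all
    """
    ctype = msg.get_content_type()
    if ctype in PKCS7_MIME:
        smime_type = _param(msg, "smime-type")
        if smime_type == "enveloped-data":
            return "encrypted"
        if smime_type == "signed-data":
            return "signed-opaque"
        return "pkcs7-unknown"
    if ctype == "multipart/signed" and _param(msg, "protocol") in PKCS7_SIGNATURE:
        return "signed-clear"
    return "plain"


def outbound_ok(raw: str) -> bool:
    """Policy from section 6.4: mail to RTE applications must leave encrypted.

    When a message is signed and then encrypted, the signature sits inside the
    envelope, so only the encryption layer can be confirmed without the key.
    """
    return smime_layer(message_from_string(raw)) == "encrypted"


# Constructed samples (placeholder addresses and bodies).
ENCRYPTED = (
    "From: client@example.com\nTo: app@example.org\nSubject: data\n"
    "MIME-Version: 1.0\n"
    'Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"\n'
    "Content-Transfer-Encoding: base64\n\nAAAA\n"
)
CLEAR_SIGNED = (
    "From: client@example.com\nTo: app@example.org\nSubject: data\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/signed; protocol="application/pkcs7-signature";'
    ' micalg=sha-256; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nbody in clear text\n"
    '--b1\nContent-Type: application/pkcs7-signature; name="smime.p7s"\n'
    "Content-Transfer-Encoding: base64\n\nAAAA\n--b1--\n"
)
PLAIN = (
    "From: client@example.com\nTo: app@example.org\nSubject: data\n"
    "Content-Type: text/plain\n\nbody in clear text\n"
)

if __name__ == "__main__":
    for label, raw in (("encrypted", ENCRYPTED), ("clear-signed", CLEAR_SIGNED), ("plain", PLAIN)):
        print(label, "->", smime_layer(message_from_string(raw)), "| policy ok:", outbound_ok(raw))
```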

Microsoft Outlook

Installing RTE Historical CA certificate

Outlook 2013 uses the same certificate store as Internet Explorer. Install the certificate of RTE Historical CA in Internet Explorer by following the procedure described in chapter if not already done.

7.2 Installing RTE Root CA certificate

Outlook 2013 uses the same certificate store as Internet Explorer. Install the certificate of RTE Root CA in Internet Explorer by following the procedure described in chapter if not already done.

7.3 Installing RTE Client CA certificate

Outlook 2013 uses the same certificate store as Internet Explorer. Install the certificate of RTE Client CA in Internet Explorer by following the procedure described in chapter if not already done.

7.4 Installing your personal certificate

Outlook 2013 uses the same certificate store as Internet Explorer. Install your personal certificate in Internet Explorer by following the procedure described in chapter if not already done.

E-mail account configuration

Start Outlook 2013 and click the menu File > Options > Trust Center then click Trust Center Settings. In the left column, click E-mail Security, then click the Settings button.

Click the two Choose buttons in order to select your personal certificate for signing and encryption. A list of selectable certificates is presented to you (you can also display a certificate from the list to view its contents and make sure you choose the right one).

Make sure the settings are similar to the ones above (S/MIME, check boxes, certificates, algorithms); if the field Security Settings Name is empty, enter a label such as RTE Certification. Finally click OK. Check the boxes Encrypt contents and attachments for outgoing messages and Add digital signature to outgoing messages, then click OK. All your e-mails sent to RTE applications using the default account will now be encrypted and signed.

7.6 Installing RTE's application certificate

After receiving the first encrypted and signed message from an application, you must install the certificate of the issuing application. For this, you need to add the address of the application to your address book by clicking the sender of the received e-mail with the right mouse button and then Add to Outlook contacts :

Click General :

Click Certificates : Click Save & Close to save. All your encrypted e-mails sent to this application will be encrypted automatically with the application's certificate.

Using the certificate: sending a signed-encrypted e-mail

To encrypt and sign a message: first create a new message by clicking New. To sign and encrypt your message, verify that both icons below are activated or click on them to activate.

Mozilla Thunderbird

8.1 Installing certificates of the 3 RTE's CAs

The certificates of RTE's 3 CAs (Historical, Root and Client) must first be installed for Thunderbird to be able to verify the signature of e-mails sent by RTE.

IMPORTANT NOTE: It is imperative to respect the case (upper / lower case) of the following websites' addresses.

RTE Historical Certification Authority

With your web browser go to the address below to download the file Certification_Autority_RTE_2048.cer containing RTE Historical CA certificate:

With Internet Explorer: Click the "Save" button and choose a location to save the file "Certification_Autority_RTE_2048.cer"

With Mozilla Firefox: Select Save file then click OK. You may be asked for a location to save the file Certification_Autority_RTE_2048.cer.

The certificate you just downloaded must be installed in Thunderbird's certificate store. In the menu "Tools" on the top right of the window click Options : A window appears. Choose the Advanced tab then the Certificates subcategory. Click the button View Certificates.

Select the Authorities tab and click Import. Select the previously saved file Certification_Autority_RTE_2048.cer and click Open.

A dialog box is displayed, in which you must select the three check boxes "Trust this CA to identify [...]" to trust RTE Historical CA. Click the "View" button to verify that the certificate that you are going to trust is the certificate of RTE Historical CA: To ensure that you have downloaded the real RTE Historical CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate RTE Certification Authority
SHA1 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12

If this is not the case: click Close to go back to the previous window and click Cancel, then call RTE's Hotline (cf 14.1). If this is the case, click Close to return to the initial window: "Downloading certificate": Click the "OK" button: RTE Historical CA's certificate is then installed.

RTE Root Certification Authority

With your web browser go to the address below to download the file ACR_RTE_Root_CA_ cer containing RTE Root CA certificate:

With Internet Explorer:

Click the "Save" button and choose a location to save the file "Certification_Autority_RTE_2048.cer".

With Mozilla Firefox: Select Save file then click OK. A location to save the file ACR_RTE_Root_CA_ cer may be requested.

The certificate you just downloaded must be installed in the Thunderbird certificate store. In the "Tools" menu on the top right of the window, click Options : A window appears. Choose the Advanced tab then the Certificates subcategory.

Click the View Certificates button. Select the Authorities tab and click Import.

Select the previously saved file ACR_RTE_Root_CA_ cer and click Open. A dialog box is displayed, in which you must select the three check boxes "Trust this CA to identify [...]" to trust RTE Root CA. Click the "View" button to verify that the certificate you are about to trust is the certificate of RTE Root CA:

To ensure that you have downloaded the real RTE Root CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate RTE Root Certification Authority
SHA1 00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff

If this is not the case: click Close to go back to the previous window and click Cancel, then call RTE's Hotline (cf 14.1). If this is the case, click Close to return to the initial window: "Downloading certificate":

Click the "OK" button: RTE Root CA's certificate is then installed.

RTE Client Certification Authority

With your web browser go to the address below to download the file ACF_RTE_Client_CA_ cer containing RTE Client CA certificate:

With Internet Explorer: Click the "Save" button and choose a location to save the file "ACF_RTE_Client_CA_ cer".

With Mozilla Firefox: Select Save file then click OK. A location to save the file ACF_RTE_Client_CA_ cer may be requested.

The certificate you just downloaded must be installed in the Thunderbird certificate store. In the "Tools" menu on the top right of the window, click Options : A window appears. Choose the Advanced tab then the Certificates subcategory. Click the View Certificates button.

Select the Authorities tab and click Import. Select the previously saved file ACF_RTE_Client_CA_ cer and click Open.

A dialog box is displayed, in which you must select the three check boxes "Trust this CA to identify [...]" to trust RTE Client CA. Click the "View" button to verify that the certificate you are about to trust is the certificate of RTE Client CA.

To ensure that you have downloaded the real RTE Client CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate RTE Client Certification Authority
SHA1 C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed

If this is not the case: click Close to go back to the previous window and click Cancel, then call RTE's Hotline (cf 14.1). If this is the case, click Close to return to the initial window: "Downloading certificate": Click the "OK" button: RTE Client CA's certificate is then installed.

Visualization of RTE CAs certificates

To view the CA certificates later in Mozilla Thunderbird, go to the "Tools" menu on the top right of the window then click the "Options" icon:

A window appears. Select the Advanced tab then the Certificates subcategory. Click the View Certificates button. In the Authorities tab, you can verify that the certificates RTE Certification Authority, RTE Root Certification Authority and RTE Client Certification Authority that you imported are registered in Thunderbird ( Software Security Device ). You can see the content of each certificate by clicking on the certificate and then clicking on View.

Select RTE Certification Authority and click View : To ensure that you have downloaded the real RTE Historical CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate RTE Certification Authority
SHA1 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12

If this is not the case: click Close to go back to the previous window and call RTE's Hotline (cf 14.1).

If, after verification, the hash of the certificate that you imported matches the "SHA1" hash above, you can consult the details of the certificate by clicking on the "Details" tab: Clicking the "Close" button returns you to the initial window.

Select RTE Root Certification Authority and click View : To ensure that you have downloaded the real RTE Root CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate RTE Root Certification Authority
SHA1 00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff

If this is not the case: click Close to go back to the previous window and call RTE's Hotline (cf 14.1).

If, after verification, the hash of the certificate that you imported matches the "SHA1" hash above, you can consult the details of the certificate by clicking on the "Details" tab: Clicking the "Close" button returns you to the initial window.

Select RTE Client Certification Authority and click View : To ensure that you have downloaded the real RTE Client CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate RTE Client Certification Authority
SHA1 C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed

If this is not the case: click Close to go back to the previous window and call RTE's Hotline (cf 14.1).
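As an added example (not part of RTE's guide), the SHA1 comparison described above can be repeated outside the mail client: the fingerprint shown in the certificate viewer is the SHA-1 digest of the certificate's DER encoding, so a short Python script can compute it from a downloaded .cer file, whether binary DER or Base 64, and compare it with the three values published in this guide. The function names and the sample bytes are assumptions made for this example.

```python
import base64
import binascii
import hashlib
import hmac
import re
import sys

# SHA1 hashes copied from this guide (mixed case and colons kept as published).
PUBLISHED_SHA1 = {
    "RTE Certification Authority": "39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12",
    "RTE Root Certification Authority": "00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff",
    "RTE Client Certification Authority": "C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed",
}

# Constructed sample: a 5-byte DER SEQUENCE, NOT a real certificate.
# It only exercises the encoding handling; its hash matches no RTE CA.
SAMPLE_DER = bytes.fromhex("3003020101")

_PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def to_der(raw: bytes) -> bytes:
    """Return the DER bytes of a .cer file stored as DER, PEM or bare Base64."""
    if raw[:1] == b"\x30":  # DER always starts with the SEQUENCE tag 0x30
        return raw
    match = _PEM_RE.search(raw)
    body = match.group(1) if match else raw
    try:
        der = base64.b64decode(b"".join(body.split()), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("file is neither DER nor Base64 encoded") from exc
    if der[:1] != b"\x30":
        raise ValueError("decoded data is not a DER SEQUENCE")
    return der


def normalize(fingerprint: str) -> str:
    """Strip colons/spaces and lower-case, so display differences do not matter."""
    digits = re.sub(r"[\s:]", "", fingerprint).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", digits):
        raise ValueError("a SHA1 fingerprint must be 40 hex digits")
    return digits


def sha1_fingerprint(raw: bytes) -> str:
    """SHA-1 over the DER encoding, as shown in the certificate viewer."""
    return hashlib.sha1(to_der(raw)).hexdigest()


def identify_ca(raw: bytes, published=PUBLISHED_SHA1):
    """Return the name of the published CA whose hash matches, else None."""
    actual = sha1_fingerprint(raw)
    for name, fingerprint in published.items():
        if hmac.compare_digest(actual, normalize(fingerprint)):
            return name
    return None


if __name__ == "__main__":
    # Usage: python check_ca.py downloaded_file.cer
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DER
    name = identify_ca(data)
    print("SHA1:", sha1_fingerprint(data))
    print("Match:", name if name else "NONE - do not trust this file, call the Hotline")
```

A file that matches none of the three published hashes is reported as such, which corresponds to the "click Cancel then call RTE's Hotline" branch of the procedure.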

If, after verification, the hash of the certificate that you imported matches the "SHA1" hash above, you can consult the details of the certificate by clicking on the "Details" tab: Clicking the "Close" button returns you to the initial window.

8.2 Installing your personal certificate

To be able to import your certificate in Mozilla Thunderbird, you must have the file name_certificate.p12 downloaded with your browser when retrieving your certificate (see for Internet Explorer, for Mozilla Firefox). Start Mozilla Thunderbird, go to the "Tools" menu on the top right of the window and click the "Options" icon:

A window appears. Choose the Advanced tab then the Certificates subcategory. Click View Certificates.

In the Your certificates tab, click Import. In the File type drop-down menu, select PKCS12 Files (*.p12;*.pfx) : Go to the folder in which you saved your certificate, select your certificate name_certificate.p12 and click Open.

If necessary, the window below will ask you for the access password to the Mozilla Thunderbird certificate store (see 8.6 to set this password): Click OK. N.B.: if there is no master password, Thunderbird will ask you to define one. Enter the password protecting the PKCS#12 file and click OK. Your certificate and its associated private key have been successfully imported into Mozilla Thunderbird's certificate store.

Verify that this is the right certificate by clicking on View. The second tab, Details, displays the certification hierarchy with the trust chain. This ensures that all certificates have been installed correctly, and that all the correct conditions of your certificate are met.


Email account configuration

To sign and encrypt with your certificate, it must be associated with the account corresponding to the address specified in the Certificate subject. To do this, start Mozilla Thunderbird and press the Alt key on your keyboard; a menu bar appears at the top of the window. Click Tools then Account Settings.

A window appears. Select the Security item of the account you use to exchange with RTE: Click Select to open the following window: Select your certificate in the drop-down list and click OK. The following message appears:

Click Yes to automatically define the same certificate to decrypt received emails.

NOTE: Although for encryption, the text indicates that your certificate will be used to encrypt and decrypt messages sent, it will not actually be used to decrypt messages received.

All your emails sent to RTE applications using this account will now be encrypted and signed.

8.4 Installing RTE's application certificate

After receiving the first encrypted and signed message from an application, the application certificate installs automatically. However, you can add the application's address to your address book by right-clicking the sender of the received email and then clicking Add to Address Book : The contact has been added to the address book.

To verify that the application certificate is correctly installed, go to the Tools menu (top-right corner of the window) and click Options : A window appears. Choose the Advanced tab then the Certificates subcategory. Then click View Certificates. A window appears. Click the People tab.

Every time an encrypted email is sent to this application, the application's certificate will be used automatically to encrypt it.

Using the certificate: sending a signed-encrypted email

To encrypt and sign a message, first create a new message by clicking Write. Click the Security tab to verify the options: Encrypt this message and Digitally sign this message. These options should be checked by default; if not, check them.

8.6 Defining the master password for personal security

To protect the private key associated with your certificate, it is strongly recommended to set a personal security password. To do this, click the Tools menu on the top right of the window and click on the Options icon:

A window appears. Choose the Security tab and then click on the Passwords tab. If Use a master password is already checked, you already have a personal security password and have nothing to do. Otherwise, check the Use a master password box. The following window appears: Enter your new master password in both fields and click OK. Your personal security password is now defined. You can modify your personal security password by following the same steps.


Lotus Notes

9.1 How to know which CA signed your personal certificate

If you previously followed 5.2 of this document with Mozilla Firefox, please follow the section Using Mozilla Firefox below. If you previously followed 4.2 of this document with Internet Explorer, please follow the section Using Internet Explorer below. The RTE Root CA and RTE Client CA certificates must already have been imported into the Internet Explorer certificate store or the Mozilla Firefox certificate store.

Using Mozilla Firefox

In the Mozilla Firefox certificate store, select your personal certificate and click on View : Select the Details tab:

A certificate signed by RTE Historical CA: The trust chain has only one level. Only the certificate RTE Certification Authority of RTE Historical CA can be seen.

A certificate signed by RTE's new PKI: The trust chain has two levels. The certificate RTE Root Certification Authority of RTE Root CA and the certificate RTE Client Certification Authority of RTE Client CA are present.

Using Internet Explorer

In the Internet Explorer certificate store, select your personal certificate and click on View : Select the Certification Path tab:

A certificate signed by RTE Historical CA: The trust chain has only one level. Only the certificate RTE Certification Authority of RTE Historical CA can be seen.

A certificate signed by RTE's new PKI: The trust chain has two levels. The certificate RTE Root Certification Authority of RTE Root CA and the certificate RTE Client Certification Authority of RTE Client CA are present.

If your personal certificate is signed by RTE Historical CA, please follow 11.3.

Installation on Lotus Notes

After reading chapter 9.1, which explains how to know which CA signed your personal certificate, please refer to the chapter corresponding to this CA and to the version of Lotus Notes you use.

If you use Lotus Notes 8.5:
o If your personal certificate is signed by RTE Historical CA: please go to chapter 10 Lotus Notes 8.5.
o If your personal certificate is signed by RTE New PKI: please contact RTE's Hotline (cf 14.1).

If you use Lotus Notes 9:
o If your personal certificate is signed by RTE Historical CA: please go to chapter 11 Lotus Notes 9.
o If your personal certificate is signed by RTE New PKI: please go to chapter 11 Lotus Notes 9.

Lotus Notes 8.5

Don't follow this section if your personal certificate is not signed by RTE new PKI (see 9.1).

Installing RTE Historical CA certificate

RTE's certificates will be installed by Cross certification when you receive your first signed-encrypted email from the application (see 10.4).

Note: Cross certification is a process which enables a user to install the certificate of another entity when receiving a message from that entity. Messages sent to that specific entity will be encrypted with that Cross certification.

Installing your personal certificate

Creation of a PKCS#12 file readable by Notes

Lotus Notes can install a certificate and its associated private key only from a PKCS#12 file that contains RTE Historical CA. This is not the case for the file name_certificate.p12 you downloaded when you retrieved your certificate. To generate a file accepted by Lotus Notes, install RTE Historical CA and your certificates in a browser and then export your personal certificate as a PKCS#12 file. Depending on the browser you are using, perform one of the procedures below.

With Microsoft Internet Explorer :
o Install RTE Historical CA certificate, see
o Install your personal certificate, making sure to check the box Mark this key as exportable, see
o Export your certificate in a PKCS#12 file, making sure to check the box Include all certificates in the certification path if possible, see

With Mozilla Firefox :
o Install RTE Historical CA certificate, see
o Install your personal certificate, see
o Export your certificate to a PKCS#12 file, see (RTE Historical CA will automatically be included).

Installing the PKCS#12 file in Notes

Start Lotus Notes and go to File > Security > User Security : If requested, enter your Notes password:

The following window appears: Click Your Identity then Your Certificates :

Select Your Internet Certificates in the drop-down list to display the Internet certificates already imported. Click the Get Certificates button and select Import Internet Certificates : A window appears asking you to select a PKCS#12 file (extension .pfx or .p12). Select the file you generated, containing your personal certificate, its private key and RTE Historical CA's certificate:

Click Open and in the window below choose the format PKCS 12: Click Continue. The PKCS12 file's password is requested: Click OK and the window below is displayed:

The personal certificate you want to import and the RTE Historical CA's certificate are listed. If you click Advanced Details, the content of the selected certificate (yours) appears in the window: Click Cancel to go back to the previous window.

To see the content of RTE Historical CA's certificate, you must select it and click Advanced Details : To ensure that you have downloaded the real RTE Historical CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate RTE Certification Authority
SHA1 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12

If this is not the case: click Close to go back to the previous window and click Cancel, then call RTE's Hotline (cf 14.1). If this is the case, click Close to return to the initial window: "Import Internet Certificate".

Click Close to go back to the main screen: Click Accept All. Enter your Notes password and click OK. Click OK, the window below appears:

The certificate, now visible here, has successfully been imported. Click OK to end the import.

Visualization of the certificate

To view your certificate, in Lotus Notes go to the menu File > Security > User Security, then click the item Your Identity and Your Certificates. Select Your Internet Certificates in the drop-down list. Select your personal certificate and click the Advanced Details button. The certificate's details are then presented in the window below:

To view RTE Historical CA's certificate, in Lotus Notes go to the menu File > Security > User Security, then click the item Your Identity and Your Certificates. Select All Internet Certificates in the drop-down list.

To see the content of RTE Historical CA's certificate, you must select it and click Advanced Details : To ensure that you have downloaded the real RTE Historical CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate RTE Certification Authority
SHA1 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12

If this is not the case: click Close to go back to the previous window and click Cancel, then call RTE's Hotline (cf 14.1).

Email account configuration

If you have multiple certificates used to sign your sent messages, you have to set as default the one that will be used for exchanges with RTE. In Lotus Notes, open the menu File > Security > User Security, then click Your Identity and Your Certificates :

Select Your Internet Certificates in the drop-down list to display your Internet certificates that are already imported. Select your certificate and click the Advanced Details button. If you only have one certificate, the box Use this certificate as your default signing certificate will be grey and checked. If not, check it, as above, and click OK.

Installing RTE's application certificate

When you select, for the first time, a signed and encrypted message you received, a dialog box similar to the one below appears, allowing you to give your trust to the issuer:

To do this, click the Cross certify button. Then, when you display this signed received message, choose Add Sender to Contacts in the menu by right-clicking on the email, which will add the issuer and its certificate to your address book. The following window appears:

Just verify that the box Include X.509 certificates when encountered is checked and click OK. Whenever an encrypted email is sent to this application, its installed certificate will now automatically be selected to perform the encryption.

Using the certificate: sending a signed-encrypted email

When composing a message, you can sign and encrypt it if you have your signature certificate (see 10.4) and that of your correspondent. To do so, when you write a new message, click the Delivery Options button.

Check the Sign and Encrypt boxes as shown below: Click OK. The rest of the mailing process is unchanged; Notes then automatically signs and encrypts your message transparently.

Lotus Notes

Installing RTE's applications certificates

RTE's applications certificates will be installed by Cross certification when you receive your first signed-encrypted email from the application (see 11.6).

Note: Cross certification is a process which enables a user to install the certificate of another entity when receiving a message from that entity. Messages sent to that specific entity will be encrypted with that Cross certification.

Installing RTE CA's certificates

Installing RTE Historical CA's certificate

With your web browser go to the address below to download the file Certification_Autority_RTE_2048.cer containing RTE Historical CA's certificate:

With Internet Explorer: Click the "Save" button and choose a location to save the file "Certification_Autority_RTE_2048.cer".

With Mozilla Firefox: Select Save file then click OK. A location to save the file Certification_Autority_RTE_2048.cer may be requested.

Start Lotus Notes and go to File > Security > User Security : If requested, enter your Notes password.

The following window appears: Click Your Identity then Your Certificates : Select Your Internet Certificates in the drop-down list to display the Internet certificates already imported.

Click the Get Certificates button and select Import Internet Certificates : A window appears asking you to select a file. Choose to see all the extensions. Select the certificate of RTE Historical CA, Certification_Authority_RTE_2048.cer, previously downloaded:

Click Open and in the window below choose the format Base 64 encoded X.509 : Click Continue and the window below is displayed: RTE Historical CA's certificate is listed. If you click Advanced Details, the content of the selected certificate appears in the following window:

To ensure that you have downloaded the real RTE Historical CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate RTE Certification Authority
SHA1 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12

If this is not the case: click Close to go back to the previous window and click Cancel, then call RTE's Hotline (cf 14.1). If this is the case, click Close to return to the initial window: "Import Internet Certificate".

Click Accept All. Click OK, the certificate has successfully been imported.

Installing RTE Root and RTE Client CAs certificates

To import the trust chain formed by RTE Root CA and RTE Client CA, you must create a PKCS#7 file that contains the 2 certificates of these 2 CAs. To create the file, follow one of the 2 sections below, depending on the process you followed earlier in this document: 5.2 with Mozilla Firefox or 4.2 with Internet Explorer. For the file creation to succeed, the certificates of RTE Root and RTE Client CAs must already have been imported into the Internet Explorer certificate store or the Mozilla Firefox certificate store.

Creating P7c file containing RTE Root CA/RTE Client CA trust chain with Mozilla Firefox

In the certificate store of Mozilla Firefox, select the RTE Client CA's certificate RTE Client Certification Authority and click on Export : Choose where to save the file and choose the file type X.509 Certificate with chain (PKCS#7) (*.p7c) :

Click on Save. Go to the step to import the trust chain in Lotus Notes 9.

Creating P7b file containing RTE Root CA/RTE Client CA trust chain with Internet Explorer

In the Internet Explorer certificate store, select the RTE Client CA's certificate RTE Client Certification Authority and click on Export :

The Certificate Export wizard opens, click on Next : Choose the Cryptographic Message Syntax Standard PKCS #7 Certificates (.P7B) option and tick Include all certificates in the certification path if possible. Click on Next>.

Click on Browse. Choose a place to save your .p7b file and click on Save : Click on Next>.

Click on Finish.

Click on OK. Go to the next step to import the trust chain in Lotus Notes 9.

Importing PKCS7 file in Lotus Notes 9

Start Lotus Notes and go to File > Security > User Security : If requested, enter your Notes password.

The following window appears: Click Your Identity then Your Certificates : Select Your Internet Certificates in the drop-down list to display the Internet certificates already imported.

Click the Get Certificates button and select Import Internet Certificates : A window appears asking you to select a file; choose the PKCS#7 type of file (extension .p7b or .p7c).

If you followed the process on Mozilla Firefox: Select the .p7c file you created, containing the trust chain RTE Root CA / RTE Client CA.

If you followed the process on Internet Explorer: Select the .p7b file you created, containing the trust chain RTE Root CA / RTE Client CA.

Click Open and the window below is displayed: To see the content of the RTE Root CA's certificate, you must select it. If you click on Advanced Details, a window shows you the details of the selected certificate: To ensure that you import the real RTE Root CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate RTE Root Certification Authority
SHA1 00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff

If this is not the case: click Close to go back to the previous window and click Cancel, then call RTE's Hotline (cf 14.1). Click Close to return to the initial window: "Import Internet Certificates".

To see the content of the RTE Client CA's certificate, you must select it. If you click on Advanced Details, a window shows you the details of the selected certificate: To ensure that you import the real RTE Client CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate RTE Client Certification Authority
SHA1 C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed

If this is not the case: click Close to go back to the previous window and click Cancel, then call RTE's Hotline (cf 14.1). If this is the case, click Close to return to the initial window: "Import Internet Certificates".

Click Accept All. Click OK, the certificates have successfully been imported.

Installing your personal certificate signed by RTE Historical CA

Follow the steps below only if your personal certificate is signed by RTE Historical CA (see 9.1).

Creation of a PKCS#12 file readable by Notes

Lotus Notes can install a certificate and its associated private key only from a PKCS#12 file that contains the trust chain (RTE Historical CA / personal certificate). This is not the case for the file name_certificate.p12 you downloaded when you retrieved your certificate.

To generate a file accepted by Lotus Notes, install RTE CA's certificate and your certificates in a browser and then export your personal certificate as a PKCS#12 file. Depending on the browser you are using, perform one of the procedures below.

With Microsoft Internet Explorer :
o Install the three certificates of RTE CAs, see 4.2.
o Install your personal certificate, making sure to check the box Mark this key as exportable, see 4.3.
o Export your certificate in a PKCS#12 file, making sure to check the box «Include all certificates in the certification path if possible», see

With Mozilla Firefox :
o Install the three certificates of RTE CAs, see 5.2.
o Install your personal certificate, see 5.3.
o Export your certificate to a PKCS#12 file, see (The trust chain will automatically be included).

Installing the PKCS#12 file in Notes

Start Lotus Notes and go to File > Security > User Security : If requested, enter your Notes password.

The following window appears: Click Your Identity then Your Certificates : Select Your Internet Certificates in the drop-down list to display the Internet certificates already imported.

Click the Get Certificates button and select Import Internet Certificates : A window appears asking you to select a PKCS#12 file (extension .pfx or .p12). Select the file you generated, containing your personal certificate, its private key and RTE Historical CA certificate:

Click Open and in the window below choose the format PKCS 12: Click Continue. The PKCS12 file's password is requested: Click OK and the window below is displayed: The certificate you want to import and the certificate of RTE Historical CA are listed. If you click Advanced Details, the content of the selected certificate (yours) appears in the window:

Click Close to go back to the previous window. To see the content of RTE Historical CA's certificate, you must select it and click Advanced Details :

To ensure that you are installing the real RTE Historical CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate RTE Certification Authority
SHA1 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12

If this is not the case: click Close to go back to the previous window and click Cancel, then call RTE's Hotline (cf 14.1). Click Close to go back to the main screen: Click Accept All. If necessary, enter your Notes password and click OK.

Click OK, the window below appears: The certificate, now visible here, has successfully been imported. Click OK to end the import.

Visualization of the certificate

To view your certificate, in Lotus Notes go to the menu File > Security > User Security, then click the item Your Identity and Your Certificates. Select Your Internet Certificates in the drop-down list. Select your personal certificate and click the Advanced Details button. The certificate's details are then presented in the window below:

To view RTE Historical CA's certificate, in Lotus Notes go to the menu File > Security > User Security, then click the item Your Identity and Your Certificates. Select All Internet Certificates in the drop-down list.

To see the content of RTE Historical CA's certificate, you must select it and click Advanced Details : To ensure that you have downloaded the real RTE Historical CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate RTE Certification Authority
SHA1 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12

If this is not the case: click Close to go back to the previous window and click Cancel, then call RTE's Hotline (cf 14.1).

Installing your personal certificate signed by the new PKI of RTE

Follow the steps below only if your personal certificate is signed by RTE's new PKI (see 9.1).

Creation of a PKCS#12 file readable by Notes

Lotus Notes can install a certificate and its associated private key only from a PKCS#12 file that contains the trust chain (RTE Root CA / RTE Client CA / personal certificate). This is not the case for the file name_certificate.p12 you downloaded when you retrieved your certificate. To generate a file accepted by Lotus Notes, install RTE CA's certificate and your certificates in a browser and then export your personal certificate as a PKCS#12 file. Depending on the browser you are using, perform one of the procedures below.

With Microsoft Internet Explorer :
o Install the three certificates of RTE CAs, see 4.2.
o Install your personal certificate, making sure to check the box Mark this key as exportable, see
o Export your certificate in a PKCS#12 file, making sure to check the box «Include all certificates in the certification path if possible», see

With Mozilla Firefox :
o Install the three certificates of RTE CAs, see 5.2.
o Install your personal certificate, see 5.3.
o Export your certificate to a PKCS#12 file, see (The trust chain will automatically be included).

Installing the PKCS#12 file in Notes

Start Lotus Notes and go to File > Security > User Security:

If requested, enter your Notes password.

The following window appears:

Click Your Identity then Your Certificates:

Select Your Internet Certificates in the drop-down list to display the Internet certificates already imported.

Click the Get Certificates button and select Import Internet Certificates:

A window appears asking you to select a PKCS#12 file (extension .pfx or .p12). Select the file you generated at containing your personal certificate, its private key and the RTE Root CA and RTE Client CA certificates:

Click Open and, in the window below, choose the format PKCS 12:

Click Continue. The PKCS12 file's password is requested:

Click OK and the window below is displayed:

The certificate you want to import and its trust chain are listed. If you click Advanced Details, the content of the selected certificate (yours) appears in the window:

Click Close to go back to the previous window.

To see the content of the RTE Root CA's certificate, you must select it.

If you click Advanced Details, a window shows you the details of the selected certificate:

To ensure that you have downloaded the genuine RTE Root CA certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate RTE Root Certification Authority
SHA1 00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff

If this is not the case: click Close to go back to the previous window, click Cancel, then call RTE's Hotline (cf 14.1).

Click Close to return to the initial window, "Import Internet Certificates".

To see the content of the RTE Client CA's certificate, you must select it. If you click Advanced Details, a window shows you the details of the selected certificate:

To ensure that you have downloaded the genuine RTE Client CA certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate RTE Client Certification Authority
SHA1 C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed

If this is not the case: click Close to go back to the previous window, click Cancel, then call RTE's Hotline (cf 14.1).

If this is the case, click Close to return to the initial window, "Import Internet Certificates":

Click Accept All. If necessary, enter your Notes password and click OK.

Click OK; the window below appears:

The certificate, now visible here, has been imported successfully. Click OK to end the import.
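The fingerprint comparison that the guide asks you to do by eye can also be scripted. The following is an added example, not part of RTE's guide: it computes the SHA-1 fingerprint of a certificate exported to a PEM file and compares it with the three values printed in this guide, ignoring the case and separator differences in the printed values. The function names and the sample PEM block are assumptions made for illustration; the sample is a constructed placeholder, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

# SHA-1 fingerprints exactly as printed in this guide (note the mixed case).
PUBLISHED_SHA1 = {
    "RTE Certification Authority (Historical CA)":
        "39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12",
    "RTE Root Certification Authority":
        "00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff",
    "RTE Client Certification Authority":
        "C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed",
}

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Return the DER bytes of the first certificate in a PEM file."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    body = "".join(match.group(1).split())  # drop line breaks and spaces
    return base64.b64decode(body, validate=True)


def normalize_fingerprint(text):
    """Strip separators and case so 'C8:53:de' and 'c853DE' compare equal."""
    digits = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", digits):
        # A shortened fingerprint must never be accepted as a match.
        raise ValueError("a SHA-1 fingerprint is exactly 20 bytes")
    return digits


def sha1_fingerprint(der):
    """SHA-1 over the whole DER encoding, in colon-separated display form."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 40, 2))


def identify_ca(der, published=PUBLISHED_SHA1):
    """Name of the published CA whose fingerprint matches, or None."""
    actual = normalize_fingerprint(sha1_fingerprint(der))
    for name, printed in published.items():
        if hmac.compare_digest(actual, normalize_fingerprint(printed)):
            return name
    return None


# Constructed placeholder, NOT a real certificate: the base64 body is b"abc".
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("SHA1", sha1_fingerprint(der))
    print(identify_ca(der) or "no match: cancel the import and call the hotline")
```
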

Visualization of the certificate

To view your certificate, in Lotus Notes open the menu File > Security > User Security, then click Your Identity and Your Certificates. Select Your Internet Certificates in the drop-down list. Select your personal certificate and click the Advanced Details button. The certificate's details are then presented in the window below:

To view the RTE Root CA and RTE Client CA certificates, in Lotus Notes open the menu File > Security > User Security, then click Your Identity and Your Certificates. Select All Internet Certificates in the drop-down list.

To see the content of the RTE Root CA's certificate, you must select it. If you click Advanced Details, a window shows you the details of the selected certificate:

To ensure that you have downloaded the genuine RTE Root CA certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate RTE Root Certification Authority
SHA1 00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff

If this is not the case: click Close to go back to the previous window and call RTE's Hotline (cf 14.1).

Click Close to return to the initial window.

To see the content of the RTE Client CA's certificate, you must select it. If you click Advanced Details, a window shows you the details of the selected certificate:

To ensure that you have downloaded the genuine RTE Client CA certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate RTE Client Certification Authority
SHA1 C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed

If this is not the case: click Close to go back to the previous window and call RTE's Hotline (cf 14.1).

Click Close to return to the initial window.

account configuration

If you have several certificates that can be used to sign the messages you send, you have to set as default the one that will serve for exchanges with RTE. In Lotus Notes, open the menu File > Security > User Security, then click Your Identity and Your Certificates:

Select Your Internet Certificates in the drop-down list to display the Internet certificates that are already imported. Select your certificate and click the Advanced Details button.

If you only have one certificate, the box "Use this certificate as your default signing certificate" will be greyed out and checked. If not, check it, as above, and click OK.

Installing RTE's application certificate

The first time you select a signed and encrypted message you have received, a dialog box similar to the one below appears, allowing you to trust the issuer:

To do so, click the Cross certify button. Then, when you display this signed message, choose the Add Sender to Contacts feature, which adds the issuer and its certificate to your address book.

The following window appears:

Simply verify that the box "Include X.509 certificates when encountered" is checked and click OK. Whenever an encrypted e-mail is sent to this application, its installed certificate will now be selected automatically to perform the encryption.

Using the certificate: sending a signed-encrypted e-mail

When composing a message, you can sign and encrypt it if you have both your own certificate and your correspondent's (see the import procedure for your certificate above). To do so, when you write a new message, click the Delivery Options button and check the Sign and Encrypt boxes as shown below:

Click OK. That is all; Notes then automatically signs and encrypts your message.

F. APPENDIXES

Secure environment (PKI)

This appendix describes the secure environment in which the PKI is operated. It describes in particular:
- the concepts of secure environment and the corresponding data objects handled by the PKI,
- the role of the various entities involved in the operation process of a PKI.

Concepts and objects managed by a PKI

This appendix presents the key concepts for understanding the role of objects managed by a PKI: the principles structuring a safe process, the role of dual-keys, and certificates.

What is a secure process?

Definition of a PKI

With a PKI (Public Key Infrastructure), each holder has a pair of keys (a private key, known only to its owner, and a public key) linked by a complex mathematical relationship that makes it virtually impossible to determine the private key from knowledge of the public key alone. This means that the probability of determining the private key from the public key in a reasonable time is very low.

Data encrypted with one key (typically the public key) can only be decrypted with the other (typically the private key). This principle is what ensures the confidentiality of the messages exchanged.

This process is commonly called "asymmetric cryptography", as opposed to "symmetric cryptography", which uses a common key for both encryption and decryption.

The four pillars of information exchange security

This electronic identity card aims at establishing an environment of trust whose four pillars are:
- authentication identifies parties in a sure and reliable way,
- confidentiality prevents non-recipients from reading the data,
- integrity ensures that data has not been altered,
- non-repudiation makes it impossible for a party to refute the transmitted information.

The cryptographic solution

Because of the technology used (protocols, architectures, etc.), the information circulating on the Internet is not confidential. Nor do these technologies meet the other three security requirements set out above. To preserve the confidentiality of exchanges via the Internet, the data must be rendered incomprehensible to all except the recipients. Encryption is the right solution.

Data encryption naturally goes together with the authentication of the system's users. Since some data are confidential, the issuers and recipients of this information must authenticate safely and unequivocally in order to conduct secure exchanges.

Authentication is based on the possession of a certificate. This element is issued by a Certification Authority that the stakeholders of a transaction trust (in our case, the Certification Authority is RTE). Thus, the holders can have confidence in the information provided to them, and RTE knows that only authorized holders access the information.

NOTE
In a similar process in daily life, it is necessary to provide a piece of identification issued by an authority to access certain privileges reserved for citizens of the country (expensive purchases, voting, etc.).

The importance of dual-keys

Each holder has a public key and an associated private key.

The private key is a key that the holder must keep confidential. The holder is the only one to possess it and to be able to use it. The holder does not necessarily know it himself (for example, it may be in a smart card that it cannot leave, with access to the card protected by a PIN code known only to its owner).

The public key, as its name suggests, is public and can be communicated to all. The public keys of holders are used only to encrypt messages intended for them. If an encrypted message were intercepted, its confidentiality would not be affected, as it cannot be decrypted (in a reasonable time) by a person who does not have the associated private key.

The private key enables its owner to sign a message he sends and to decrypt an encrypted message he receives. In contrast, the public key of a person is used to encrypt a message sent to him and to verify the signature of a message he receives.

Encryption and decryption of a message

Each message is encrypted with the public key of the recipient, who decrypts it with his private key.

When RTE sends a message to client A:
1. RTE has the public key of client A (via the public part of the certificate).
2. RTE automatically encrypts the message using the public key of client A and sends it via RTE's system.
3. Client A receives the message and automatically decrypts it with his private key.

Encryption and decryption with dual-keys.

The usage of keys to sign a message

Each message is signed with the private key of the issuer. The origin (the signature) of a message can be checked with the public key of the issuer, freely accessible via its certificate.

To prove to client A that the received message actually comes from RTE, RTE automatically signs the message with its (RTE's) private key before sending it to client A.

Signing and signature verification with dual-keys.

When client A receives the message from RTE, it automatically verifies the signature of the received message with the public key of RTE.
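The two exchanges described above (encryption for client A, signature by RTE) can be traced end to end in a few lines. This is an added illustration, not part of RTE's guide: it uses textbook RSA without padding on small constructed keys so that the role of each of the four keys is visible. All names and key values are assumptions made for the example; real mail clients use padded RSA with far larger keys and encrypt a symmetric content key rather than the message itself.

```python
import hashlib

E = 65537  # public exponent shared by both toy key pairs


def make_keypair(p, q):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # private exponent (modular inverse, Python 3.8+)
    return (n, E), (n, d)


# Constructed toy keys built from Mersenne primes. They are far too small
# and too structured for real use; they only make the arithmetic visible.
RTE_PUBLIC, RTE_PRIVATE = make_keypair(2**61 - 1, 2**89 - 1)
CLIENT_A_PUBLIC, CLIENT_A_PRIVATE = make_keypair(2**107 - 1, 2**127 - 1)


def digest_as_int(message, n):
    """SHA-256 of the message, reduced so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private_key):
    """Only the holder of the private key can produce this value."""
    n, d = private_key
    return pow(digest_as_int(message, n), d, n)


def verify(message, signature, public_key):
    """Anyone holding the signer's public key can check the signature."""
    n, e = public_key
    return pow(signature, e, n) == digest_as_int(message, n)


def encrypt(message, public_key):
    """Anyone can encrypt for the holder using the holder's public key."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)


def decrypt(ciphertext, private_key):
    """Only the matching private key recovers the original bytes."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def rte_sends(message):
    """RTE signs with its own private key, encrypts with A's public key."""
    return encrypt(message, CLIENT_A_PUBLIC), sign(message, RTE_PRIVATE)


def client_a_receives(ciphertext, signature):
    """Client A decrypts with its private key, verifies with RTE's public key."""
    message = decrypt(ciphertext, CLIENT_A_PRIVATE)
    return message, verify(message, signature, RTE_PUBLIC)


SAMPLE_MESSAGE = b"invoice 2017-01"  # constructed sample content

if __name__ == "__main__":
    ct, sig = rte_sends(SAMPLE_MESSAGE)
    print(client_a_receives(ct, sig))      # original message, signature valid
    print(client_a_receives(ct + 1, sig))  # altered in transit: check fails
```
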

Certificates

Objectives of digital certificates

Since public keys are used to verify electronic signatures and to encrypt messages, it is essential for any holder to be certain of the identity of the owner of a public key: this is the role of the certificate.

Characteristics of a certificate

A certificate is a digital ID:
- that guarantees the identity of the holder from a remote site,
- that includes data facilitating the identification,
- that is resistant to counterfeiting and issued by a trusted third party: the Certification Authority.

A Certification Authority is an entity that creates and manages certificates. It defines the rules for registering the various holders in the PKI.

Structure of a certificate

A digital certificate contains:
- the public key of its holder,
- the name of the holder and any other identification information (e-mail address of the person if the certificate is used to sign e-mails),
- the certificate's period of validity,
- the name of the certification authority that issued the certificate,
- a unique serial number,
- the signature of the certification authority.

Examples of certificates

A digital certificate on Internet Explorer

A digital certificate on Mozilla Firefox

12.2 Documentation

Reference documentation: Subscription contract to RTE's secure Information System.

Websites:
Law of 13th March 2000 on the adaptation of law of evidence to information technologies and on electronic signature:
Directive 1999/93/CE of 13th December 1999 on a Community framework for electronic signatures:
Draft decree on electronic signatures:
OpenTrust (formerly Keynectis):


Assureon Installation Guide Client Certificates. for Version 6.4 Client Certificates for Version 6.4 Publication info 2011 Nexsan Technologies Canada Inc. All rights reserved. Published by: Nexsan Technologies Canada Inc. 1405 Trans Canada Highway, Suite 300 Dorval,

More information

Genesys Security Deployment Guide. What You Need

Genesys Security Deployment Guide. What You Need Genesys Security Deployment Guide What You Need 12/27/2017 Contents 1 What You Need 1.1 TLS Certificates 1.2 Generating Certificates using OpenSSL and Genesys Security Pack 1.3 Generating Certificates

More information

Configuring SSL CHAPTER

Configuring SSL CHAPTER 7 CHAPTER This chapter describes the steps required to configure your ACE appliance as a virtual Secure Sockets Layer (SSL) server for SSL initiation or termination. The topics included in this section

More information

Sophos Mobile as a Service

Sophos Mobile as a Service startup guide Product Version: 8 Contents About this guide... 1 What are the key steps?... 2 Change your password... 3 Change your login name... 4 Activate Mobile Advanced licenses...5 Check your licenses...6

More information

Registration and Renewal procedure for Belfius Certificate

Registration and Renewal procedure for Belfius Certificate Registration and Renewal procedure for Belfius Certificate GTU Environment Table of contents TABLE OF CONTENTS... 2 1. INTRODUCTION... 3 2. CONTACT... 3 3. REGISTRATION PROCEDURE... 4 3.1 PRE-REQUISITES...

More information

Send documentation comments to

Send documentation comments to CHAPTER 6 Configuring Certificate Authorities and Digital Certificates This chapter includes the following topics: Information About Certificate Authorities and Digital Certificates, page 6-1 Default Settings,

More information

Certificate service General description Implementation project of a national Incomes Register

Certificate service General description Implementation project of a national Incomes Register Version 1.0 Certificate service General description Implementation project of a national Incomes Register Version history Version Date Description 1.0 30.10.2017 Document published. CONTENTS 1 Foreword...

More information

Using Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS)

Using Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) CHAPTER 2 Using Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) This chapter contains information on the following topics: HTTPS Overview, page 2-1 HTTPS for Cisco Unified IP Phone Services,

More information

Managed Access Gateway. User Guide

Managed Access Gateway. User Guide Managed Access Gateway User Guide Version 2.2 Exostar, LLC November 3, 2011 Table of Contents Table of Contents... ii Purpose... 1 Log-in to your MAG Account... 2 Additional MAG Login Options... 2 First

More information

Enabling Microsoft Outlook Calendar Notifications for Meetings Scheduled from the Cisco Unified MeetingPlace End-User Web Interface

Enabling Microsoft Outlook Calendar Notifications for Meetings Scheduled from the Cisco Unified MeetingPlace End-User Web Interface Enabling Microsoft Outlook Calendar Notifications for Meetings Scheduled from the Cisco Unified MeetingPlace End-User Web Interface Release 7.1 Revised: March 5, 2013 1:53 pm This document describes the

More information

Certificate Retrieval Procedures

Certificate Retrieval Procedures `` Certificate Retrieval Procedures Version 2.2 2018 Federal Reserve Banks Contents Federal Reserve Bank Certificate Retrieval Overview and Preparation Procedures... 2 Certificate Creation Procedures...

More information

Blue Coat Security First Steps Solution for Controlling HTTPS

Blue Coat Security First Steps Solution for Controlling HTTPS Solution for Controlling HTTPS SGOS 6.5 Legal Notice Copyright 2017 Symantec Corp. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Blue Coat, and the Blue Coat logo are trademarks

More information

Connect to Wireless, certificate install and setup Citrix Receiver

Connect to Wireless, certificate install and setup Citrix Receiver Connect to Wireless, certificate install and setup Citrix Receiver This document explains how to connect to the Wireless Network and access applications using Citrix Receiver on a Bring Your Own Device

More information

Guide Installation and User Guide - Windows

Guide Installation and User Guide - Windows Guide Installation and User Guide - Windows With Fujitsu mpollux DigiSign Client, you can use your smart card for secure access to electronic services or organization networks, as well as to digitally

More information

Blue Coat ProxySG First Steps Solution for Controlling HTTPS SGOS 6.7

Blue Coat ProxySG First Steps Solution for Controlling HTTPS SGOS 6.7 Blue Coat ProxySG First Steps Solution for Controlling HTTPS SGOS 6.7 Legal Notice Copyright 2018 Symantec Corp. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Blue Coat, and the

More information

INFORMATION TECHNOLOGY COMMITTEE ESCB-PKI PROJECT

INFORMATION TECHNOLOGY COMMITTEE ESCB-PKI PROJECT INFORMATION TECHNOLOGY COMMITTEE ESCB-PKI PROJECT SUBSCRIBER S GUIDE VERSION 1.3 ECB-PUBLIC 15-April-2014 ESCB-PKI - Subscriber's Procedures v.1.3.docx Page 2 of 26 TABLE OF CONTENTS GLOSSARY AND ACRONYMS...

More information

Transport Gateway Installation / Registration / Configuration

Transport Gateway Installation / Registration / Configuration CHAPTER 4 Transport Gateway Installation / Registration / Configuration This chapter covers the following areas: Transport Gateway requirements. Security Considerations When Using a Transport Gateway.

More information

Welch Allyn RetinaVue Network

Welch Allyn RetinaVue Network Welch Allyn RetinaVue Network EMR Deployment Portal Guide Software version 1.X 2018 Welch Allyn. All rights are reserved. To support the intended use of the product described in this publication, the purchaser

More information

Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS)

Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) This chapter provides information about Hypertext Transfer Protocol over Secure Sockets Layer. HTTPS, page 1 HTTPS for Cisco Unified IP Phone

More information

OCSP Client Tool V2.2 User Guide

OCSP Client Tool V2.2 User Guide Ascertia Limited 40 Occam Road Surrey Research Park Guildford Surrey GU2 7YG Tel: +44 1483 685500 Fax: +44 1483 573704 www.ascertia.com OCSP Client Tool V2.2 User Guide Document Version: 2.2.0.2 Document

More information

Dell License Manager Version 1.2 User s Guide

Dell License Manager Version 1.2 User s Guide Dell License Manager Version 1.2 User s Guide Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your computer. CAUTION: A CAUTION indicates either

More information

Managed Access Gateway. User Guide

Managed Access Gateway. User Guide Managed Access Gateway User Guide Version 3.0 Exostar, LLC April 20, 2013 Table of Contents Table of Contents...ii Purpose... 1 Log-in to your MAG Account... 2 Additional MAG Login Options... 2 First Time

More information

Configuring the Cisco APIC-EM Settings

Configuring the Cisco APIC-EM Settings Logging into the Cisco APIC-EM, page 1 Quick Tour of the APIC-EM Graphical User Interface (GUI), page 2 Configuring the Prime Infrastructure Settings, page 3 Discovery Credentials, page 4 Security, page

More information

Cloud Access Manager Configuration Guide

Cloud Access Manager Configuration Guide Cloud Access Manager 8.1.3 Configuration Guide Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide

More information

QUICK SET-UP VERIFICATION...3

QUICK SET-UP VERIFICATION...3 TABLE OF CONTENTS 1 QUICK SET-UP VERIFICATION...3 2 INSTALLING CERTIFICATES...3 3 IF YOU USE MS INTERNET EXPLORER...3 3.1 INSTALLING THE CERTIFICATE...3 3.2 SSL3 ACTIVATION:...3 3.3 JAVASCRIPT ACTIVATION...3

More information

Electronic Seal Administrator Guide Published:December 27, 2017

Electronic Seal Administrator Guide Published:December 27, 2017 Electronic Seal Administrator Guide Published:December 27, 2017 Copyright Version 4.25.2.3 Copyright 2003-2018 DocuSign, Inc. All rights reserved. For information about DocuSign trademarks, copyrights

More information

Dubai Financial Services Authority DFSA eportal User Guide v1.docx Page 1 of 21

Dubai Financial Services Authority DFSA eportal User Guide v1.docx Page 1 of 21 Page 1 of 21 Table of Contents 1 Introduction... 3 1.1 Objective of the User Guide... 3 1.2 About Online Forms... 3 1.3 Security... 3 1.4 Overview of Online Forms Submission Process... 4 1.4.1 Data Entry...

More information

Version Installation Guide. 1 Bocada Installation Guide

Version Installation Guide. 1 Bocada Installation Guide Version 19.4 Installation Guide 1 Bocada Installation Guide Copyright 2019 Bocada LLC. All Rights Reserved. Bocada and BackupReport are registered trademarks of Bocada LLC. Vision, Prism, vpconnect, and

More information

Introduction. Introduction

Introduction. Introduction Introduction Introduction This manual describes the outline of SSCom and the operation method of SSCom Client. It also describes the manual that you need to refer to when using the SSCom. Target Readers

More information

SafeConsole On-Prem Install Guide. version DataLocker Inc. July, SafeConsole. Reference for SafeConsole OnPrem

SafeConsole On-Prem Install Guide. version DataLocker Inc. July, SafeConsole. Reference for SafeConsole OnPrem version 5.2.2 DataLocker Inc. July, 2017 SafeConsole Reference for SafeConsole OnPrem 1 Contents Introduction................................................ 2 How do the devices become managed by SafeConsole?....................

More information

Workspace ONE UEM Notification Service 2. VMware Workspace ONE UEM 1811

Workspace ONE UEM  Notification Service 2. VMware Workspace ONE UEM 1811 Workspace ONE UEM Email Notification Service 2 VMware Workspace ONE UEM 1811 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments

More information

Internet Explorer/ Edge/ Chrome/ Opera (Windows) Edition

Internet Explorer/ Edge/ Chrome/ Opera (Windows) Edition Internet Explorer/ Edge/ Chrome/ Opera (Windows) Edition Revision History Rev. Date (YYYY/MM/DD) Description Editor V.1.0 2015/4/1 First revision NII V.2.0 2018/2/26 Operating environment updates: Microsoft

More information

Configure the IM and Presence Service to Integrate with the Microsoft Exchange Server

Configure the IM and Presence Service to Integrate with the Microsoft Exchange Server Configure the IM and Presence Service to Integrate with the Microsoft Exchange Server Configure a Presence Gateway for Microsoft Exchange Integration, page 1 SAN and Wildcard Certificate Support, page

More information

Public Key Enabling Oracle Weblogic Server

Public Key Enabling Oracle Weblogic Server DoD Public Key Enablement (PKE) Reference Guide Public Key Enabling Oracle Weblogic Server Contact: dodpke@mail.mil URL: http://iase.disa.mil/pki-pke URL: http://iase.disa.smil.mil/pki-pke Public Key Enabling

More information

Manage Certificates. Certificates Overview

Manage Certificates. Certificates Overview Certificates Overview, page 1 Show Certificates, page 3 Download Certificates, page 4 Install Intermediate Certificates, page 4 Delete a Trust Certificate, page 5 Regenerate a Certificate, page 6 Upload

More information

VMware AirWatch Certificate Authentication for EAS with ADCS

VMware AirWatch Certificate Authentication for EAS with ADCS VMware AirWatch Certificate Authentication for EAS with ADCS For VMware AirWatch Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

Instructions For Configuring Your Browser Settings and Online Banking FAQ's

Instructions For Configuring Your Browser Settings and Online Banking FAQ's Instructions For Configuring Your Browser Settings and Online Banking FAQ's Instructions By Browser Type Google Chrome Firefox Internet Explorer 8 Internet Explorer 9 Safari Online Banking FAQ's Google

More information