Address: B2, Industry Street, Qormi, QRM 3000 (Malta) Telephone: (+356) Fax: (+356) Web: ANF AC MALTA, LTD

Transcription

1 Maltese Registrar of Companies Number C75870 and VAT number MT Certificate for Secure Server (OV), Secure Server (DV), Secure Server (EV), Electronic s and Extended Validation Electronic s Certificates (EV s). ANF AC MALTA, LTD Address: B2, Industry Street, Qormi, QRM 3000 (Malta) Telephone: (+356) Fax: (+356) Web:

2 Security Level Public Document Important Notice This document is property of ANF AC MALTA Distribution and reproduction prohibited without authorization by ANF AC MALTA Copyright ANF AC MALTA 2016 Address: B2, Industry Street, Qormi, QRM 3000 (Malta) Telephone: (+356) Fax: (+356) Web: 2

3 Certificate for Secure Server (OV), Secure Server (DV), Secure Server (EV), Electronic s and Extended Validation Electronic s Certificates (EV s) TOKEN BY SOFTWE - HSM TOKEN Field OID value Standard APP Clarification Version 2 = (V3) RFC 5280 Serial number SignatureAl gorithm SignatureH ashalgorith m AuthorityCe rt AuthorityCe rtserialnum ber Identifier of the issuer entity key - Authority RFC sha256withrsaencryption RFC sha256 Common Name (CN) e.g. ANF Trusted ID CA SERIALNUMBER MT Organisation Identifier This is the VAT number. At present ANF AC does not include it eidas Address (E) info@anfacmalta.com CA Organisational Unit (OU) Organizational unit within the Certification Services Provider responsible for the certificate issuance Organisation (O) e.g. ANF AC Malta, Ltd Locality (L) e.g. Qormi (see current address at State (ST) e.g. Qormi Country (C) e.g. MT Hash with SHA1 of the public key used for signing the certificate (2 character ISO 3166 country code [5]) (String UTF8) Size 128 (Integer) RFC 5280 (String UTF8) Integer: = 2 ([RFC5280] describes the certificate version when using extensions e.g. v3 its value must be 2) Automatically set by ANF AC. [RFC5280] positive integer, no more than 20 octets ( ) It is used to univocally identify the certificate String UTF8 (40) Signature Algorithm identifier. Identifying the algorithm type. Identifier of the signature hash Algorithm Common name of the CA issuing the certificate ANF AC VAT number Identification of the issuer organization. As specified in clause of ETSI EN [7]. As it appears in the certificate of the issuer. (String UTF8) Size [RFC 5280] 128 Official name of the Certification Services Provider Locality/address of the Certification Services Provider (String UTF8) Size [RFC 5280] 128 Province of the Certification Services Provider Country of the Certification Services Provider (PrintableString). It will be coded according to ISO alpha- 2 code elements Size 2 [RFC 5280] Name of the CA to which the key identified in keyidentifier corresponds Serial number of the CA certificate Identifier derived from using the hash function on the subject's public key. It is a mean to identify the public Cri t Man d 3

4 KeyIdentifie r Alternative Name Valid from NotBefore Valid until NotAfter Country (C) Subject's country = subscriber Two digit country code ISO key corresponding to the private key used to sign a certificate Validity start date Validity end date According to ETSI-QC this field must be completed obligatorily See RFC 3739 / ETSI Locality (L) Subject's city (String UTF8) Size [RFC 5280] State (ST) Subject's state Address (E) Subject's Subject SERIAL NUMBER (SN) E.g.: IDCMT A. 3 characters to indicate the document number (IDC= national identity document) + 2 characters to identify the country (MT) + ID number (Printable String)) Size [RFC 5280] 64 Tax Identification number of the certificate subscriber Preferably the semantics proposed by the standard ETSI EN will be used (all fields encoded using UTF- 8) OrganisationIde ntifier The certificate must include at least= Serial Number or OrganizationIdentifi er (VAT number), e.g. VATMT According to the technical standard ETSI EN (VATES + VAT number of the entity) VAT number. VAT number, as it appears in the official registries. Coded According to the European Standard EN Do not confuse with the National ID Card, it is the VAT number for the EU OrganisationNa me (O) e.g. Company name. LTD. (String UTF8) Size [RFC 5280] 128 ETSI EN [i.4], clause 5 Name ("official" name of the organization) of the subscriber Given Name (G) Name of legal representative, according to identification document (National/Foreign Citizen ID Card / Passport) (String UTF8) Size 40. Mandatory according to ETSI EN Name of the legal representative (as it appears on his/her National/Foreign Citizens ID Card / Passport) SurName (SN) Surname(s) of the legal representative. (String UTF8) Size 80. Mandatory according to Surname(s) of the legal representative (as it appears on his/her National/Foreign Citizens 4

5 First surname, blank space, second surname of the person responsible for the certificate in accordance with the National ID Card or in case of foreigner the passport ETSI EN ID Card / Passport) Common Name (CN) e.g. anfacmalta.com (String UTF8) Size 132 [RFC 5280] Domain (DNS) where the certificate will reside. DV SSL Certificate for DV Secure Server SSL Organisational Unit (OU) OV SSL EV SSL Medium Level s Medium Level EV s Certificate for OV Secure Server SSL Certificate for EV Secure Server SSL Certificate for Medium Level Electronic Certificate for Medium Level EV Electronic String UTF8) Size [RFC 5280] 128 Description of certificate type High Level s Certificate for High Level Electronic Public Administ ration Profile Only if the device is HSM High Level EV s Certificate for High Level EV Electronic Public Administ ration Profile Only if the device is HSM Organizational Unit (OU) Certificate for ELECTRONIC HEADQUTER e.g.: GENERAL ACCESS POINT Public Administ ration Profile The descriptive name of the headquarter. PrivateOrganization for private organization businesscatego ry GovernmentEntity BusinessEntity for public entity for company CAB FORUM Category of organization (required for EV certificates) Non-commercialEntity for non-commercial entity JurisdictionCountryName EV certificates only e.g. MT CAB FORUM Jurisdiction (required for EV certificates) JurisdictionOfIncorporationL EV certificates e.g. Valletta 5

6 ocalityname only JurisdictionOfIncorporationS tateorprovincename EV certificates only e.g. Valletta Subject alternative name SubjectAlter nativename See NOTE 2 Subject alternative name SubjectAlternativeName e.g: peter@cial.com DNSName Directory Name e.g. anfacmalta.com frater.com Nombre RFC822 (String) Size [RFC 5280] 255 (String UTF8) Size = 128 manage of the person responsible for the certificate Domain Name DNS It may contain multiple domains Subject Key Identifier Hash in SHA1 of the public key used for signing the certificate RFC 5280 In accordance with standards RFC2459 & PKCS#1 Identifier derived from using the hash function on the subject public key. SubjectPubl ickeyinfo RSA (2048) (String UTF8) RSA. In accordance with the RFC 4055 [1 0] and ECC algorithm in accordance with the RFC 5639 [11] Field to transport the public key and to identify the algorithm with which the key is used. [1] Access to authority information AccessMethod [1] Access method = On line certificate status protocol Id-ad-ocsp with OID: (OCSP) ( ) Access to issuer entity information AccessLocation [1] Alternative name: URL Address = OCSP Responder Address AccessMethod [2] id-ad-cas with OID AccessLocation [2] URL Address = Location of CA certificate [1] CRL distribution point CRL distribution points crldistributionpoin t[1] Distribution point name : Complete name in http protocol: Indicates the CRL download point. URL Address Qualified Certificate QcComplian ce Present if the certificate is issued with the consideration of qualified. Annex I qcstatements in accordance with 6

7 Statement eidas ETSI EN TSI EN , before ETSI TS QcSSCD with HSM ONLY if the device is SSCD Secure Signature Creation Device (SSCD) Determines that the private key associated with the public key contained in the electronic certificate is on a secure signature creation device, Regulation (EU) 910/2014 [I.8] id-etsi-qcsqctype clause in ETSI EN QcTypeweb QcType 3 QcType 3 is outlined ETSI EN Follows the following encoding: id-etsi-qct-esign (id-etsi-qcs-qctype 1) id-etsi-qct-eseal (id-etsi-qcs-qctype 2) id-etsi-qct-web (id-etsi-qcs-qctype 3) QcPDS URL that allows access to all policies of the PKI in English. Https protocol Not included in ENCRYPTION type ETSI EN <QcLimitValue> <money>eur</money> QcLimitValu e Responsibility limit amount assumed by the issuer expressed in EUROS <qcbase>1</qcbase> <qcexp>3</qcexp> </QcLimitValue> Not included in ENCRYPTION type Integer: = QcRetention Period ([ETSI EN ] describes the conservation period of all information relevant to the use of a certificate, after its Not included in ENCRYPTION type 7

8 expiration) semnaticsid- Legal To indicate the semantics of a natural person defined by EN To indicate the semantics of a legal person defined by EN Certificate Policies PolicyIdentifi er DV SSL OV SSL EV SSL Medium Level Electronic Medium Level EV Electronic High Level Electronic High Level EV Electronic policy: ANF AC proprietary OID DV SSL PolicyIdentifi er OV SSL EV SSL If the subscriber is a natural person CA/B FORUM and Public Administration profile PolicyIdentifi er HIGH LEVEL Electronic headquarter MEDIUM LEVEL Electronic headquarter DV SSL OV SSL EV SSL EV Standard ETSI TS and ETSI Issued as qualified + HSM PolicyCPSLo cation [1,1] Policy certifier information: Policy certifier ID =CPS Certifier: 8

9 User notice [1,2] Policy certifier information: Policy certifier ID = User notice Certifier: Notice text = Certificate in compliance to electronic signature legislation. Before accepting it check integrity, limitations, validity and authorized uses. Maximum 200 characters. A statement is made by the issuing CA, which refers to certain legal norms. PolicyIdentifi er EV SSL EV (qcp-web) All certificates are issued as qualified. Web site qualified certificate according to Regulation EU 910/2014 Basic Constraints Matter type = End entity Route length restriction = None Determines that it is an end-user certificate Y E S CA = FALSE Key usage Digital Signature Key Encipherment Used when the authentication function is performed Used for management and transport of keys Y E S Server authentication web Server TSL authentication Extended key usage Client authentication web Client TSL authentication Identification algorithm Signature Value sha1 Signature encoded as bit string Digital fingerprint Certificate digital fingerprint 9