Access to RTE s Information System by software certificates under Microsoft Windows 7

Similar documents
Access to RTE s Information System by software certificates under Microsoft Windows Seven

Smart card access to RTE s IS under Microsoft Windows 7

Accessing the IS by smart card with Microsoft Windows Vista

Managing Certificates

How to Configure SSL Interception in the Firewall

PKI Contacts PKI for Fraunhofer Contacts

Registration and Renewal procedure for Belfius Certificate

Odette CA Help File and User Manual

SECARDEO. certbox. Help-Manual. Secardeo GmbH Release:

KeyA3 Certificate Manager

This help covers the ordering, download and installation procedure for Odette Digital Certificates.

VMware AirWatch Cloud Connector Guide ACC Installation and Integration

VMware AirWatch Integration with RSA PKI Guide

USER MANUAL FOR SECURE E MAIL MICROSOFT OUTLOOK (2003)

VMware Workspace ONE UEM VMware AirWatch Cloud Connector

VMware AirWatch Integration with OpenTrust CMS Mobile 2.0

Public. Atos Trustcenter. Server Certificates + Codesigning Certificates. Version 1.2

Hypertext Transfer Protocol Over Secure Sockets Layer (HTTPS)

CertAgent. Certificate Authority Guide

Sophos Mobile Control SaaS startup guide. Product version: 6.1

CertAgent. Certificate Authority Guide

Sophos Mobile Control SaaS startup guide. Product version: 7

Using VMware View Client for Mac

Public Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman

RB Digital Signature Proxy Guide for Reporters

PKI Configuration Examples

Workspace ONE UEM Integration with OpenTrust CMS Mobile 2. VMware Workspace ONE UEM 1811

Deposit Wizard TellerScan Installation Guide

NetExtender for SSL-VPN

VII. Corente Services SSL Client

How to Set Up External CA VPN Certificates

BROWSER-BASED SUPPORT CONSOLE USER S GUIDE. 31 January 2017

IBM Client Security Solutions. Client Security Software Version 1.0 Administrator's Guide

SafeConsole On-Prem Install Guide

Exostar LDAP Proxy/Secure Setup Guide September 2017

Common Access Card for Xerox VersaLink Printers

Setting up IMAP Mail in Outlook

Key Management and Distribution

3.1 Getting Software and Certificates

SSL Certificates Certificate Policy (CP)

IceWarp SSL Certificate Process

AirWatch Mobile Device Management

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1

راهنماي استفاده از توکن امنيتي کيا 3 در نرمافزارهاي مبتني بر PKI توکن امنيتي سخت افزاري

User guide NotifySCM Installer

HP Instant Support Enterprise Edition (ISEE) Security overview

FedLine Web Certificate Retrieval Procedures

VMware AirWatch Integration with SecureAuth PKI Guide

Dohatec CA. Export/Import Procedure etoken Pro 72K FOR USERS OF ETOKENS [VERSION 1.0]

Cisco CTL Client setup

SSH Communications Tectia SSH

Workspace ONE UEM Integration with RSA PKI. VMware Workspace ONE UEM 1810

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

Guide Installation and User Guide - Mac

Schneider Electric Floating License Manager

Schneider Electric License Manager

User Guide for Accessing Cisco Unity Connection Voice Messages in an Application

Install Certificate on the Cisco Secure ACS Appliance for PEAP Clients

How to Configure SSL Interception in the Firewall

WP doc5 - Test Programme

Configuring Certificate Authorities and Digital Certificates

Transport Gateway Installation / Registration / Configuration

Configuring SSL. SSL Overview CHAPTER

Assureon Installation Guide Client Certificates. for Version 6.4

Genesys Security Deployment Guide. What You Need

Configuring SSL CHAPTER

Sophos Mobile as a Service

Registration and Renewal procedure for Belfius Certificate

Send documentation comments to

Certificate service General description Implementation project of a national Incomes Register

Using Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS)

Managed Access Gateway. User Guide

Enabling Microsoft Outlook Calendar Notifications for Meetings Scheduled from the Cisco Unified MeetingPlace End-User Web Interface

Certificate Retrieval Procedures

Blue Coat Security First Steps Solution for Controlling HTTPS

Connect to Wireless, certificate install and setup Citrix Receiver

Guide Installation and User Guide - Windows

Blue Coat ProxySG First Steps Solution for Controlling HTTPS SGOS 6.7

INFORMATION TECHNOLOGY COMMITTEE ESCB-PKI PROJECT

Transport Gateway Installation / Registration / Configuration

Welch Allyn RetinaVue Network

Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS)

OCSP Client Tool V2.2 User Guide

Dell License Manager Version 1.2 User s Guide

Managed Access Gateway. User Guide

Configuring the Cisco APIC-EM Settings

Cloud Access Manager Configuration Guide

QUICK SET-UP VERIFICATION...3

Electronic Seal Administrator Guide Published:December 27, 2017

Dubai Financial Services Authority DFSA eportal User Guide v1.docx Page 1 of 21

Version Installation Guide. 1 Bocada Installation Guide

Introduction. Introduction

SafeConsole On-Prem Install Guide. version DataLocker Inc. July, SafeConsole. Reference for SafeConsole OnPrem

Workspace ONE UEM Notification Service 2. VMware Workspace ONE UEM 1811

Internet Explorer/ Edge/ Chrome/ Opera (Windows) Edition

Configure the IM and Presence Service to Integrate with the Microsoft Exchange Server

Public Key Enabling Oracle Weblogic Server

Manage Certificates. Certificates Overview

VMware AirWatch Certificate Authentication for EAS with ADCS

Instructions For Configuring Your Browser Settings and Online Banking FAQ's

Transcription:

by software certificates under Microsoft Windows 7 PKI User guide Version 4, 01/01/2017 Programmes & SI (PSI) TOUR MARCHAND 41 RUE BERTHELOT - 92411 COURBEVOIE CEDEX TEL : 01.78.66.50.00 - FAX : 01.78.66.50.64 www.rte-france.com/en/ 05-09-00-LONG

Page : 2/238 SUMMARY A. Foreword 6 1. Introduction 7 1.1 Purpose of the document 7 1.2 Context 7 1.3 Warning regarding security practices 7 1.4 The actors 8 The client 8 Registration Authority (RA) 8 RTE Historical Certification Authority (CA) 8 RTE Root Certification Authority (CA) 8 RTE Client Certification Authority (CA) 8 B. Certificates management procedures 9 2. Certificates management process 10 2.1 Foreword 10 2.2 Software certificate request 10 Preliminary steps 10 General diagram 11 2.3 Certificates renewal 11 2.4 Certificates revocation 12 Case of revocation 12 Revocation request 12 C. Workstation configuration 13 3. Installation and configuration of the workstation 14 3.1 Network configuration 14 General configuration 14 Specificity of the VPN access 14 3.2 Software configuration 15 D. Web access to the RTE Information System 16 4. Microsoft Internet Explorer 17 4.1 Preliminary configuration 17 Configuration of the security settings 17 Adding trusted sites 18 4.2 Installing RTE s CAs certificates 21 Download and install 21 Visualization and verification of RTE s CA certificates 32 4.3 Installing your personal certificate 39

Page : 3/238 Authentication on the retrieval interface 39 Downloading your certificate 41 Installation of your personal certificate 42 Visualization and verification of your software certificate 48 4.4 Using your certificate 51 Authentication and encryption 51 Example of access to an RTE web application 52 4.5 Additional operations 54 Export of your personal certificate 54 Deleting your personal certificate 59 4.6 Connecting to the SSL VPN 62 Foreword 62 Prerequisite 62 First connection 65 Using the SSL VPN 69 5. Mozilla Firefox 72 5.1 Preliminary configuration 72 5.2 Installing RTE s CAs certificates 72 Download and install 72 Visualization and verification of RTE CAs certificates 88 5.3 Installing your personal certificate 94 Authentication on the retrieval interface 94 Download of your certificate 96 Installation of your personal certificate 98 Visualization and verification of your software certificate 100 5.4 Using your certificate 103 Authentication and encryption 103 Example of access to an RTE web application 104 5.5 Additional operations 105 Defining the master password for personal security 105 Export of your personal certificate 108 Deleting your personal certificate 111 5.6 Connecting to the SSL VPN 113 Foreword 113 Prerequisite 114 First connection 115 Using the SSL VPN 120 E. Email exchanges with RTE s Information System 123 6. Using your certificate to exchange emails 124 6.1 Certificate usage principle 124 6.2 Decryption and signature verification of a received message 124

Page : 4/238 6.3 Encryption and signing of a sent message 124 6.4 Steps to configure your email client 125 7. Microsoft Outlook 2013 126 7.1 Installing RTE Historical CA certificate 126 7.2 Installing RTE Root CA certificate 126 7.3 Installing RTE Client CA certificate 126 7.4 Installing your personal certificate 126 7.5 Email account configuration 127 7.6 Installing RTE s application certificate 129 7.7 Using the certificate: sending a signed-encrypted email 132 8. Mozilla Thunderbird 133 8.1 Installing certificates of the 3 RTE s CAs 133 RTE Historical Certification Authority 133 RTE Root Certification Authority 137 RTE Client Certification Authority 142 Visualization of RTE CAs certificates 146 8.2 Installing your personal certificate 153 8.3 Email account configuration 159 8.4 Installing RTE s application certificate 161 8.5 Using the certificate: sending a signed-encrypted email 164 8.6 Defining the master password for personal security 164 9. Lotus Notes 167 9.1 How to know which CA signed your personal certificate 167 Using Mozilla Firefox 167 Using Internet Explorer 168 9.2 Installation on Lotus Notes 169 10. Lotus Notes 8.5 170 10.1 Installing RTE Historical CA certificate 170 10.2 Installing your personal certificate 170 Creation of a PKCS#12 file readable by Notes 170 Installing the PKCS#12 file in Notes 171 Visualization of the certificate 178 10.3 Email account configuration 180 10.4 Installing RTE s application certificate 181 10.5 Using the certificate: sending a signed-encrypted email 183 11. Lotus Notes 9 185 11.1 Installing RTE s applications certificates 185 11.2 Installing RTE CA s certificates 185 Installing RTE Historical CA s certificate 185 Installing RTE Root and RTE Client CAs certificates 191 11.3 Installing your personal certificate signed by RTE Historical CA 202 Creation of a PKCS#12 file readable by Notes 202

Page : 5/238 Installing the PKCS#12 file in Notes 203 Visualization of the certificate 210 11.4 Installing your personal certificate signed by the new PKI of RTE 212 Creation of a PKCS#12 file readable by Notes 212 Installing the PKCS#12 file in Notes 213 Visualization of the certificate 221 11.5 Email account configuration 223 11.6 Installing RTE s application certificate 225 11.7 Using the certificate: sending a signed-encrypted email 226 F. Appendixes 228 12. Secure environment (PKI) 229 12.1 Concepts and objects managed by a PKI 229 What is a secure process? 229 The importance of dual-keys 230 The usage of keys to sign a message 231 Certificates 232 12.2 Documentation 234 13. Glossary 235 14. Incidents management and support 237 14.1 Support 237 14.2 Frequently Asked Questions (FAQ) 237 14.3 Error codes returned by email 237

Page : 6/238 A. FOREWORD

Page : 7/238 1. Introduction 1.1 Purpose of the document This document is intended for the end user who wants to access RTE s Information System by using software certificates under Microsoft Windows 7. This document allows the holder to: Understand the context and principles of a secure environment (authentication, confidentiality, integrity and non-repudiation) and the general operation of a Public Key management Infrastructure (PKI). Learn how to install and use his software certificates in the following environments: o Microsoft Windows 7. o o Browsers: Internet Explorer and Mozilla Firefox for secure accesses via the HTTPS protocol. Email Clients: Microsoft Outlook, IBM Lotus Notes, and Mozilla Thunderbird for secure exchanges in S/MIME format (a standard for cryptography and digital signatures concerning emails encapsulated in MIME format). NOTE Throughout this document, the word "you" is the user of the certificate. 1.2 Context Under the law of February 10, 2000 (2000-108) and the implementing decree 2001-630 of 16 July 2001, the operator of the public transport network has an obligation to preserve the confidentiality of economic, commercial, industrial, financial or technical information of which the disclosure would be likely to undermine the rules of free and fair competition and nondiscrimination required by law. 1.3 Warning regarding security practices Each software certificate holder has its own private key, all (certificate and associated private key) is generated by RTE and made available for download by the wearer as a passwordprotected file (PKCS # 12 file, extension "p12"). Then, each software certificate holder shall take all necessary precautions to prevent: the violation of his private key, the loss of his private key, the divulgation of his private key, the alteration of his certificate, the misuse of his certificate. Each software private key and its associated certificate have to be stored on hard disk and protected by a password known only by the certificate holder.

Page : 8/238 The 3 Certification Authorities (CA) of RTE ( 1.4.3, 1.4.4, 1.4.5) take no responsibility for disputes related to misuse of private keys. 1.4 The actors The life cycle management of a certificate is based on three entities: the client (i.e. your company), the Registration Authority (RA), the 3 Certification Authorities (CA): 1. RTE Historical CA 2. RTE Root CA 3. RTE Client CA NOTE To understand, one can draw a parallel with the allocation of official credentials: the applicant citizen of a credential is the Client; the town is the Registration Authority and the prefecture is the Certification Authority. The client The client issues certificates requests for holders. It may also issue requests for revocation of the certificates (see Section B: certificate management procedures). Registration Authority (RA) The Registration Authority (RTE s manager of customer relations and the Operator) collects the certificates requests, affixes a date of validity for certificates and verifies the identity of their holders. RTE Historical Certification Authority (CA) The Historical Certification Authority (RTE) is responsible and liable for certificates signed in its name and of the old PKI s operation. RTE Historical certification authority is called (CN: common name, O: Organization): CN = RTE Certification Authority, O = RESEAU DE TRANSPORT D'ELECTRICITE RTE Root Certification Authority (CA) The Root Certification Authority (RTE) is responsible and liable for certificates signed in its name and of the new PKI s operation. It sets policy for the management and use of certificates. RTE Root certification authority is called (CN: common name, O: Organization): CN = RTE Root Certification Authority, O = RESEAU DE TRANSPORT D'ELECTRICITE RTE Client Certification Authority (CA) The Client Certification Authority (RTE) is responsible and liable for certificates signed in its name and of the new PKI s operation. RTE Client certification authority is called (CN: common name, O: Organization): CN = RTE Client Certification Authority, O = RESEAU DE TRANSPORT D'ELECTRICITE

Page : 9/238 B. CERTIFICATES MANAGEMENT PROCEDURES

Page : 10/238 2. Certificates management process 2.1 Foreword The main processes used to manage all the digital certificates issued to holders are: Obtaining a certificate, The renewal of a certificate (replacement by a new certificate for a new validity period and a new key pair) The revocation of a certificate (end of certificate validity). 2.2 Software certificate request Preliminary steps Beforehand, the following steps must be performed, The company representative issues an access request : The company representative must have completed and signed the request forms access to RTE IS services and applications" sent by his Customer Relations Manager, and then sent it back to him. In these forms, the company representative specifies in particular: o a Contact email who will receive all information necessary to retrieve the certificate (see 2.2.2), o a Certificate email, o a Chosen password, necessary to the retrieval of the certificate by the holder We have registered your request : Following receipt of the forms we have created your account(s) to access the applications.

Page : 11/238 General diagram After the access request has been saved and validated by us (within 5 working days), a notification email is sent to the address "Contact Email" entered in the access request form (see 2.2.1). This email is entitled "Access to RTE s IS services" and contains: a summary of the certificate s removal procedure, the "Certificate email" and "Retrieval Code" requested by the website while retrieving your certificate, the Password" protecting the PKCS # 12 file (a ".p12" extension) that you downloaded when you retrieved your certificate. Please remember that this password is different from the password used to retrieve the certificate. In case of loss or non-receipt of this message, contact RTE s Hotline (cf 14.1). Exchange scenarios The holder has to connect from his workstation on the certificate retrieval website and download his private key and the associated certificate to his workstation in the form of the PKCS#12 file (extension ".p12"). 2.3 Certificates renewal The lifespan of the certificates is limited to 3 years, to ensure a high level of security. Forty days before the expiration date of a certificate, an electronic message is sent to the Contact email to inform the holder of the forthcoming expiry of his software certificate. In case changes must be made concerning the holder s information, then the company representative contacts RTE s responsible for customer relations to inform him of the changes. Otherwise, an email is sent to the contact email with the information necessary for the retrieval of his new certificate.

Page : 12/238 2.4 Certificates revocation Case of revocation The company representative must issue a revocation request when any of the following occurs: Change of the holder, Loss, theft, compromise or suspected compromise (possible, probable or certain) of his private key or associated certificate, Death or cessation of business of the certificate holder, Loss of the activation data, defective or lost support. Revocation request To revoke a certificate, the company representative should call RTE s Hotline (cf 14.1). When the certificate is revoked, an email is sent to the Contact email to notify the holder of the revocation of his certificate.

Page : 13/238 C. WORKSTATION CONFIGURATION

Page : 14/238 3. Installation and configuration of the workstation All operations of this chapter are to be performed only once by a computer specialist with Administrator privileges on your workstation, upon receipt of your "PKI Access Kit". Also note that only a few chapters of this manual concern you: the chapters corresponding to the software you use. All operations are done under the Windows Session of the certificate holder. 3.1 Network configuration General configuration The web browser access uses - in a way that is transparent to the user - a software certificate authentication system for access to the RTE portal and encryption of data exchanged via the Internet (HTTPS protocol). Mail exchanges between RTE and the user are routed over the Internet (SMTP protocol, S/MIME format). IMPORTANT NOTE Messaging and antivirus gateways, firewalls and content analyzers should be configured not to alter or reject messages that are encrypted and signed S/MIME (application / x-pkcs7-mime,.p7s,.p7m) and not to prohibit the flow of HTTPS data (port 443). The network administrator may be requested to perform these operations. Specificity of the VPN access The VPN allows from your workstation to establish a secure connection (based on the authentication to a dedicated site) to RTE s IS via the Internet. Access to the SSL VPN requires that your workstation can resolve the address secure.iservices.rte-france.com. To see if this you can resolve the address, open a web browser and go to the URL https://secure.iservices.rte-france.com. The following web page must appear:

Page : 15/238 In addition to this test, you need to install on your workstation the module PSIS (Pulse Secure Installation Service) available on the RTE customer site. Refer to the section concerning the browser you are using for more details: 4.6.2 if you are using Internet Explorer. 5.6.2 if you are using Mozilla Firefox. 3.2 Software configuration The software configuration required for your workstation is as follows: Operating Systems: Microsoft Windows 7 32 bit without SP or with SP1 Microsoft Windows 7 64 bit without SP or with SP1 Web browser either: Microsoft Internet Explorer 11 Mozilla Firefox > 45 ESR Email client either: Microsoft Outlook 2013 Mozilla Thunderbird > 45 ESR IBM Lotus Notes 8.5 or 9 NOTE In general, consulting messages on a webmail like interface does not allow to sign your messages.

Page : 16/238 D. WEB ACCESS TO THE RTE INFORMATION SYSTEM Please refer directly to the chapter associated with the browser you are using for your default Web exchanges with RTE: Chapter 4 if you are using Microsoft Internet Explorer as web browser Chapter 5 if you are using Mozilla Firefox as web browser

Page : 17/238 4. Microsoft Internet Explorer 4.1 Preliminary configuration Configuration of the security settings This section is about the configuration of the workstation to support the SSL standard, allowing access to sites with an encrypted connection (HTTPS protocol). In the browser, select the menu "Tools> Internet Options":

Page : 18/238 Select the tab Advanced : In the section Security, make sure that the boxes TLS 1.0, TLS 1.1 and TLS 1.2 are ticked, as shown above. Adding trusted sites In order to log on to the web sites with your software certificate, it is imperative to add these sites to the list of trusted sites. The Trusted Sites zone allows the declaration of sites names you consider safe. In this section, you must be logged into the workstation with the Windows account that will use the software certificate. To do this: open Internet Explorer and click the menu "Tools> Internet Options".

Page : 19/238 In the window that appears, click the "Security" tab. select the "Trusted Sites" icon and click the "Sites" button.

Page : 20/238 The following window appears: In the field Add this website to the zone, enter the URL corresponding to the PKI: https://kregistration-user.certificat2.com Then click Add. The site then appears in the list Websites as shown below. Proceed in the same way to add the following websites: https://portail.iservices.rte-france.com: this is the internet portal https://secure.iservices.rte-france.com: this is the SSL VPN connection portal The 3 websites shall now appear in the list Websites.

Page : 21/238 Click Close, then OK. 4.2 Installing RTE s CAs certificates Download and install RTE Historical Certification Authority This CA is the Historical CA of RTE, dealing with 2048 bit keys. This CA is necessary to ensure the cohabitation between the former and the latter PKIs. RTE Historical CA s certificate must now be installed in your browser so that it is recognized as a trusted Certificate Authority. To do so, please go to the following address: IMPORTANT NOTE It is imperative to respect the case (upper / lower case) of the site s address. The download window appears: https://kregistration-user.certificat2.com/kregresources/css/rte/rte/certification_autority_rte_2048.cer Click the "Save" button and choose a location to save the file "Certification_Autority_RTE_2048.cer" containing RTE Historical CA s certificate.

Page : 22/238 Once the download is completed, the following window appears: Click "Open folder" to go to the directory where you saved the file. Right-click the "Certification_Autority_RTE_2048.cer" file you just downloaded and choose "Install Certificate".

Page : 23/238 The installation wizard of the certificate is displayed: Click Next. Select "Place all certificates in the following store" and click "Browse". In the window that appears, select "Trusted Root Certification Authorities" and click "OK".

Page : 24/238 Once you have chosen the certificate store, you get the following window: Click «Next».

Page : 25/238 Click "Finish. Click OK. RTE Root Certification Authority This CA is the new Root CA of RTE, dealing with 4096 bit keys. This CA is necessary to ensure the validation of the chain of trust. RTE Root CA certificate must now be installed in your browser. To do so, please go to the following address: IMPORTANT NOTE It is imperative to respect the case (upper / lower case) of the site s address. The download window appears: https://kregistration-user.certificat2.com/kregresources/css/rte/rte2/acr_rte_root_ca_20160303.cer

Page : 26/238 Click the "Save" button and choose a location to save the file "ACR_RTE_Root_CA_20160303.cer" containing RTE Root CA s certificate. Once the download is completed, the following window appears: Click "Open folder" to go to the directory where you saved the file. Right-click the "ACR_RTE_Root_CA_20160303.cer" file you just downloaded and choose "Install Certificate". The installation wizard of the certificate is displayed: Click Next.

Page : 27/238 Select "Place all certificates in the following store" and click "Browse". In the window that appears, select "Trusted Root Certification Authorities" and click "OK". Once you have chosen the certificate store, you get the following window:

Page : 28/238 Click «Next». Click "Finish", and if the next window display a security Warning then click Yes :

Page : 29/238 Click OK. RTE Client Certification Authority This CA is the new Client CA of RTE, dealing with 4096 bit keys. This CA is necessary to generate the new PKI s certificates. RTE Client CA certificate must now be installed in your browser. To do so, please go to the following address: IMPORTANT NOTE It is imperative to respect the case (upper / lower case) of the site s address. https://kregistration-user.certificat2.com/kregresources/css/rte/rte2/acf_rte_client_ca_20160303.cer The download window appears: Click the "Save" button and choose a location to save the file "ACF_RTE_Client_CA_20160303.cer" containing RTE Client CA s certificate.

Page : 30/238 Once the download is completed, the following window appears: Click "Open folder" to go to the directory where you saved the file. Right-click the "ACF_RTE_Client_CA_20160303.cer" file you just downloaded and choose "Install Certificate". The installation wizard of the certificate is displayed: Click Next.

Page : 31/238 Select "Automatically select the certificate store based on the type of certificate" and click "Next". Click "Finish".

Page : 32/238 Click OK. Visualization and verification of RTE s CA certificates Visualization of installed RTE s CA certificates The certificates of RTE s CA you just import are stored in the Certification Authorities store of Internet Explorer. To view them, click the menu "Tools > Internet Options". A window appears. Go to the "Content" tab and click the "Certificates" button.

Page : 33/238

Page : 34/238 In the window that appears, go to the tab "Trusted Root Certification Authorities". You can see RTE Historical CA s certificate ( 4.2.1.1) and RTE Root CA s certificate ( 4.2.1.2): On the tab Intermediate Certification Authorities you can see RTE Client CA s certificate ( 4.2.1.3):

Page : 35/238 Verification of RTE Certification Authority certificate Select the certificate "RTE Certification Authority". Click the button "View" then click the "Details" tab.

Page : 36/238 To ensure the authenticity of this certificate, carefully check that the thumbprint "SHA1" related to the certificate "RTE Certification Authority" is identical to the one presented below. Digital hash of the certificate RTE Certification Authority SHA1 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12 If this is not the case, delete the certificate and call RTE s Hotline (cf 14.1). Verification of RTE Root Certification Authority certificate Select the certificate "RTE Root Certification Authority". Click the button "View" then click the "Details" tab.

Page : 37/238 To ensure the authenticity of this certificate, carefully check that the thumbprint "SHA1" related to the certificate "RTE Root Certification Authority" is identical to the one presented below. Digital hash of the certificate RTE Root Certification Authority SHA1 00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff If this is not the case, delete the certificate and call RTE s Hotline (cf 14.1).

Page : 38/238 Verification of RTE Client Certification Authority certificate In the tab Intermediate Certification Authorities, select the certificate "RTE Client Certification Authority". Click the button "View" then click the "Details" tab. To ensure the authenticity of this certificate, carefully check that the thumbprint "SHA1" related to the certificate "RTE Client Certification Authority" is identical to the one presented below.

Page : 39/238 Digital hash of the certificate RTE Client Certification Authority SHA1 C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed If this is not the case, delete the certificate and call RTE s Hotline (cf 14.1). 4.3 Installing your personal certificate Authentication on the retrieval interface The software certificate request must have been completed in accordance with the procedure of chapter 2.2. To proceed to the retrieval you need the following information (see 2.2.2): The chosen password you or your administrator have chosen and supplied to RTE in the form to request access to RTE s IS (see 2.2.1). Certificate email, Retrieval code and Password for the PKCS#12 file included in the email Access to RTE s IS services (see 2.2.2). For your convenience you can copy and paste different values being careful not to copy any space at the beginning or end. To create your certificate and the associated private key, log on the certificate retrieval website: IMPORTANT NOTE It is imperative to respect the case (upper / lower case) of the site s address. https://kregistration-user.certificat2.com/rte/rte2/logiciel_sha2:i Click the button Retrieval of your personal certificate.

Page : 40/238 Fill the field «Certificate email» with the value indicated in the email Access to RTE s IS services (see 2.2.2). Click Submit. Fill the fields: Retrieval code as indicated in the email Access to RTE s IS services (see 2.2.2). Chosen password which is the password you or your company representative chose and provided to RTE in the form to request access to RTE s IS (see 2.2.1). Finally click Submit.

Page : 41/238 Downloading your certificate The following page appears. Click Download. In the window that appears, click Save. Choose a directory to save your certificate, then click "Save." A window shows the progress of the download. Once the download is completed, click "Open Folder". The folder containing your personal certificate appears.

Page : 42/238 Installation of your personal certificate Go to the download folder of the file. IMPORTANT NOTE Once downloaded, the PKCS#12 file (extension ".P12") containing your certificate and its associated private key must be stored on a removable media (USB stick or an external hard drive), that you have to put into a safe in order to protect access to it. Also keep the mail "Access to RTE's IS services" (see 2.2.2) that contains the password. Right-click the "certificate.p12" file and choose "Install PFX". The Certificate Import Wizard opens: Click Next.

Page : 43/238 The name of the file containing your certificate is automatically filled, click Next.

Page : 44/238 The window below appears: In the field Password, enter the Password present in the email Access to RTE s IS services ( 2.2.2). The case Enable strong private key protection. [ ] is optional. Tick it if you wish to define a password that will be asked before every use of your private key in Internet Explorer. The case Mark this key as exportable. [ ] is optional. Tick it if you wish to be able to export you private key later (see chapter 4.5.1 to export). Tick the case Include all extended properties. Click Next.

Page : 45/238 Select "Automatically select the certificate store based on the type of certificate" and click "Next". Finally, click Finish.

Page : 46/238 If you previously ticked the case Enable strong private key protection, then the following window appears: Click the button Set security level. Select the case High then click Next.

Page : 47/238 Enter a name for the private key to protect and a password then click the "Finish" button. Warning: this password is required upon each use of the certificate. Click OK. Finally, the following window appears: Click OK. Your certificate and your private key have been successfully imported in Internet Explorer.

Page : 48/238 Visualization and verification of your software certificate Regardless of the browser used, the content of the downloaded certificate is obviously the same, only the presentation of information on the screen differs. In the case of downloading with Internet Explorer, open the certificate store via the menu "Tools> Internet Options", "Content" tab, button "Certificates..." Select your certificate then click View.

Page : 49/238 It is valid for 3 years from the date of withdrawal. The "Certification Path" tab allows checking the validity of your certificate. The "Certificate status" and the complete visualization of the certification path indicate that your certificate has been correctly installed. As well as the trust chain (Root CA + Client CA or Historical CA), which confirms that everything has been configured correctly.

Page : 50/238 The tab "Details" allows you to view the full name of the holder and the email address to which are attached the certificate.

Page : 51/238 4.4 Using your certificate Authentication and encryption Steps to follow run Internet Explorer, enter the URL to RTE s application or to RTE s customer service portal : https://portail.iservices.rte-france.com, during the authentication, the browser will ask you to select the certificate to use for authentication then (if it has been defined) the certificate store protection password, if multiple certificates are presented, you must choose the one supplied for the application you wish to access (use the button Display certificate to visualize its content). Once authentication is completed, all data you send or receive will be encrypted.

Page : 52/238 Example of access to an RTE web application Enter the URL https://portail.iservices.rte-france.com in the Internet Explorer address bar then press Return. Then, Internet Explorer asks you to select a certificate enabling you to authenticate to the requested site. The line Click here to view certificate properties lets you view the content of the selected certificate. Click the OK button to access the application. The window below asks for the password that protects the private key associated with your certificate if it has been set. The home page is then securely displayed (appearance of the closed padlock to the right of the URL entry field):

Page : 53/238

Page : 54/238 4.5 Additional operations Export of your personal certificate This section explains how to save the certificate with its private key and RTE s trust chain. The procedure is to generate a file in PKCS#12 format (".pfx" extension), protected by a password. You can only export your certificate and private key if you checked "Mark this key as exportable" when Installing your personal certificate (see 4.3.3). In Internet Explorer, click the menu "Tools> Internet Options..." Then, click the "Content" tab and then the "Certificates" button.

Page : 55/238

Page : 56/238 Another window appears. Select your certificate, then click "Export...". Click Next.

Page : 57/238 Select "Yes, export the private key" and then click "Next". Select the check box "Include all certificates in the certification path if possible" and then click "Next".

Page : 58/238 Enter a password of your choice to protect the PKCS#12 file, and then click "Next". Select the location of the PKCS#12 file, and then click "Next".

Page : 59/238 Finally, click the "Finish" button. Click "OK". You have exported to a file in PKCS#12 format, protected by a password, your certificate's private key and RTE s trust chain (who signed your certificate). These elements have therefore been exported, but remain present in the Internet Explorer s store. Deleting your personal certificate This section details the procedure to remove a certificate and its private key from Internet Explorer s Certificate store. IMPORTANT NOTE Before deleting your personal certificate, make sure to have a copy. If this is not the case, refer to 4.5.1 to export your certificate and private key as a PKCS#12 file.

Page : 60/238 In Internet Explorer, go to "Tools> Internet Options". A window appears. Click the Content tab, then the Certificates button:

Page : 61/238 Select the certificate to delete and click Remove. Click Yes.

Page : 62/238 The certificate is removed from the certificates list. 4.6 Connecting to the SSL VPN Foreword The connection via SSL VPN is a service for establishing a secure communications channel to RTE s FrontOffice via the Internet. This channel is established after authenticating with your certificate from a dedicated website (see section 4.4). Once the channel is established all communications with the requested RTE service will be encrypted. The use of SSL VPN requires the installation of a dedicated tool, installed during the first login to the site. The application is called Secure Application Manager (SAM). SSL VPN enables secure access to your mailboxes hosted on RTE s FrontOffice. Prerequisite The website secure.iservices.rte-france.com must be declared as a trusted site (see 4.1.2). IMPORTANT NOTE Before your first connection, you must verify that your workstation can resolve the address secure.iservices.rte-france.com (see section 3.1).

Page : 63/238 PSIS (Pulse Secure Installation Service) is a Windows service made available on the RTE customer site. This service allows, once installed, to update future SAM versions without requiring the intervention of a person with administrator privileges on the machine. To do so, download the executable under the link: http://clients.rte-france.com/lang/an/visiteurs/accueil/portail.jsp And decompress the compressed file: Once the file is executed, the following window appears, asking you the authorization to start the service. Click Run.

Page : 64/238 The following window appears. Click «Yes». It will be automatically activated at every operating system launch.

Page : 65/238 First connection This paragraph applies only to your first login to the SSL VPN with Internet Explorer. IMPORTANT The first connection must be made by a computer specialist with Administrator rights on your workstation in order to install the SAM application. Before continuing, you need to disable ActiveX controls on Internet Explorer. To do so, press the "Alt" key on your keyboard. A menu bar at the top of the window. Then click the Tools button, and make sure "ActiveX Filtering" is not selected (see the following screenshot). Launch your browser and go to the following website: https://secure.iservices.rte-france.com/ The following window appears: Select your certificate then click OK.

Page : 66/238 If necessary, this window will ask for the password that protects the private key associated to your certificate. The browser displays a link to install SAM (if it s not already installed on your computer):

Page : 67/238 If no manual intervention is performed, the following installation pop-up appears: If necessary, the following window appears: Click Yes. The Pulse Secure client then installs and the installation of the SAM application starts:

Page : 68/238 Wait during the installation. If the following window appears, click Yes : Once the installation is completed, the following page appears: If your Internet access requires authentication to a proxy, a window appears asking your login and password. Enter them and confirm.

Page : 69/238 Then, the icon appears in your taskbar: Click the "Sign out" button (top right of the page) to end the session: Using the SSL VPN Establishing the connection Launch your browser and go to the following website: https://secure.iservices.rte-france.com/ The following window appears: Select your certificate then click OK.

Page : 70/238 If necessary, a window will ask you the password that protects the private key associated with your certificate. If necessary, the window below appears. Click Yes. The SAM application launches automatically and the following page appears: If your Internet access requires authentication to a proxy, a window appears asking your login and password. Enter them and confirm. Then, the icon appears in your taskbar.

Page : 71/238 Notes: The certificate is only used to establish the connection to the SSL VPN. To close the SSL VPN session, click the Sign out button (top right of the page). Use case to access hosted mailboxes The SSL VPN can be used to access mailboxes hosted on the FrontOffice with a standard email client. Access to hosted mailboxes requires the SSL VPN connection to be established (see 4.6.4.1). The Email account configuration in your mail client is then to be made with the following parameters: Mail server type : POP Server POP server address : pop.services.rte-france.com SMTP server address : smtp.services.rte-france.com When your access to RTE s FrontOffice is provided, you will receive your login name, your password and your email address. NOTE Because the messages are transferred through a secure channel, sending and receiving messages do not require the use of a certificate to encrypt messages.

Page : 72/238 5. Mozilla Firefox 5.1 Preliminary configuration The SSL standard, allowing access to sites with an encrypted connection (protocol HTTPS) is disabled by default in recent versions of Firefox. The supported versions of Firefox are specified in 3.2. The standards supported by default are: TLS 1.0 to TLS 1.2. In case of problems, thank you to notify the issue to RTE s Hotline (cf 14.1). 5.2 Installing RTE s CAs certificates Download and install RTE Historical Certification Authority This CA is the Historical CA of RTE, dealing with 2048 bit keys. This CA is necessary to ensure the cohabitation between the former and the latter PKIs. RTE Historical CA certificate must now be installed in your browser so that it is recognized as a trusted Certificate Authority. To do so, please go to the following address: IMPORTANT NOTE It is imperative to respect the case (upper / lower case) of the site s address. https://kregistration-user.certificat2.com/kregresources/css/rte/rte/certification_autority_rte_2048.cer The following pop-up, in order to download the certificate, appears: Select Save file then click OK. A location to save the file Certification_Autority_RTE_2048.cer will eventually be requested.

Page : 73/238 Once the file is downloaded, click the menu Tools in the right corner of the window then click the icon Options :

Page : 74/238 A window appears. Choose the Advanced tab then the subcategory Certificates. Click the «View certificates» button. Select the Authorities tab and click Import.

Page : 75/238 Select the previously saved file. A dialog box is displayed, in which you must select the three check boxes "Trust this CA to identify [...]" to trust RTE Historical CA. Click View to check that the certificate you just install is RTE Historical CA s certificate:

Page : 76/238 To ensure that you have downloaded the real RTE Historical CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below. Digital hash of the certificate RTE Certification Authority SHA1 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12 If this is not the case: click Close to go back to the precedent window and click Cancel then call RTE s Hotline (cf 14.1).

Page : 77/238 If, after verification, the hash of the certificate that you imported matches the "SHA1" hash above, it is possible to consult the details of the certificate by clicking on the "Details" tab: By clicking on the "Close" button, you return to the initial window. Click OK. RTE Historical CA certificate is now installed in the certificate store of Mozilla Firefox.

Page : 78/238 RTE Root Certification Authority This CA is the new Root CA of RTE, dealing with 4096 bit keys. This CA is necessary to ensure the validation of the chain of trust. RTE Root CA certificate must now be installed in your browser. To do so, please go to the following address: IMPORTANT NOTE It is imperative to respect the case (upper / lower case) of the site s address. https://kregistration-user.certificat2.com/kregresources/css/rte/rte2/acr_rte_root_ca_20160303.cer The following pop-up, in order to download the certificate, appears: Select Save file then click OK. A location to save the file ACR_RTE_Root_CA_20160303.cer will eventually be requested. Once the file is downloaded, click the menu Tools in the right corner of the window then click the icon Options :

Page : 79/238 A window appears. Choose the Advanced tab then the subcategory Certificates. Click the «View certificates» button.

Page : 80/238 Select the Authorities tab and click Import. Select the previously saved file.

Page : 81/238 A dialog box is displayed, in which you must select the three check boxes "Trust this CA to identify [...]" to trust RTE Root CA. Click View to check that the certificate you just install is RTE Root CA s certificate: To ensure that you have downloaded the real RTE Root CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Page : 82/238 Digital hash of the certificate RTE Root Certification Authority SHA1 00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff If this is not the case: click Close to go back to the precedent window and click Cancel then call RTE s Hotline (cf 14.1). If, after verification, the hash of the certificate that you imported matches the "SHA1" hash above, it is possible to consult the details of the certificate by clicking on the "Details" tab: By clicking on the "Close" button, you return to the initial window. Click OK. RTE Root CA certificate is now installed in the certificate store of Mozilla Firefox.

Page : 83/238 RTE Client Certification Authority This CA is the new Client CA of RTE, dealing with 4096 bit keys. This CA is necessary to generate the new PKI s certificates. RTE Client CA certificate must now be installed in your browser. To do so, please go to the following address: IMPORTANT NOTE It is imperative to respect the case (upper / lower case) of the site s address. https://kregistration-user.certificat2.com/kregresources/css/rte/rte2/acf_rte_client_ca_20160303.cer The following pop-up, in order to download the certificate, appears: Select Save file then click OK. A location to save the file ACF_RTE_Client_CA_20160303.cer will eventually be requested. Once the file is downloaded, click the menu Tools in the right corner of the window then click the icon Options :

Page : 84/238 A window appears. Choose the Advanced tab then the subcategory Certificates. Click the «View certificates» button.

Page : 85/238 Select the Authorities tab and click Import. Select the previously saved file.

Page : 86/238 A dialog box is displayed, in which you must select the three check boxes "Trust this CA to identify [...]" to trust RTE Client CA. Click View to check that the certificate you just install is RTE Client CA s certificate: To ensure that you have downloaded the real RTE Client CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Page : 87/238 Digital hash of the certificate RTE Client Certification Authority SHA1 C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed If this is not the case: click Close to go back to the precedent window and click Cancel then call RTE s Hotline (cf 14.1). If, after verification, the hash of the certificate that you imported matches the "SHA1" hash above, it is possible to consult the details of the certificate by clicking on the "Details" tab: By clicking on the "Close" button, you return to the initial window. Click OK. RTE Client CA certificate is now installed in the certificate store of Mozilla Firefox.

Page : 88/238 Visualization and verification of RTE CAs certificates To see the certificates in Mozilla Firefox, click the menu Tools in the right corner of the window then click the icon Options : A window appears. Choose the Advanced tab then the subcategory Certificates.

Page : 89/238 Click the View certificates button. In Authorities tab, you can verify that the certificates you import are register with RESEAU DE TRANSPORT D ELECTRICITE organization and are saved on your computer disk ( Software Security Device ). You can see the content of each certificate by clicking on the certificate and then clicking on View. Select RTE Certification Authority and click View :

Page : 90/238 To ensure that you have downloaded the real RTE Historical CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below. Digital hash of the certificate RTE Certification Authority SHA1 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12 If this is not the case: click Close to go back to the precedent window and call RTE s Hotline (cf 14.1). If, after verification, the hash of RTE Historical CA certificate that you imported matches the "SHA1" hash above, it is possible to consult the details of the certificate by clicking on the "Details" tab: By clicking on the "Close" button, you return to the initial window.

Page : 91/238 Select RTE Root Certification Authority and click View : To ensure that you have downloaded the real RTE Root CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below. Digital hash of the certificate RTE Root Certification Authority SHA1 00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff If this is not the case: click Close to go back to the precedent window and call RTE s Hotline (cf 14.1).

Page : 92/238 If, after verification, the hash of RTE Root CA certificate that you imported matches the "SHA1" hash above, it is possible to consult the details of the certificate by clicking on the "Details" tab: By clicking on the "Close" button, you return to the initial window.

Page : 93/238 Select RTE Client Certification Authority and click View : To ensure that you have downloaded the real RTE Client CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below. Digital hash of the certificate RTE Client Certification Authority SHA1 C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed If this is not the case: click Close to go back to the precedent window and call RTE s Hotline (cf 14.1).

Page : 94/238 If, after verification, the hash of RTE Client CA certificate that you imported matches the "SHA1" hash above, it is possible to consult the details of the certificate by clicking on the "Details" tab: By clicking on the "Close" button, you return to the initial window. 5.3 Installing your personal certificate Authentication on the retrieval interface The software certificate request must have been completed in accordance with the procedure of chapter 2.2. To proceed to the retrieval you need the following information (see 2.2.2): The chosen password you or your administrator have chosen and supplied to RTE in the form to request access to RTE s IS (see 2.2.1). Certificate email, Retrieval code and Password for the PKCS#12 file included in the email Access to RTE s IS services (cf 2.2.2). For your convenience you can copy and paste different values being careful not to copy any space at the beginning or end. To create your certificate and the associated private key, log on the certificate retrieval website:

Page : 95/238 IMPORTANT NOTE It is imperative to respect the case (upper / lower case) of the site s address. https://kregistration-user.certificat2.com/rte/rte2/logiciel_sha2:i Click the button Retrieval of your personal certificate. Fill the field Certificate email with the value indicated in the email Access to RTE s IS services (cf 2.2.2). Click Submit.

Page : 96/238 Fill the fields: Retrieval code as indicated in the email Access to RTE s IS services (cf 2.2.2). Chosen password which is the password you or your company representative chose and provided to RTE in the form to request access to RTE s IS (see 2.2.1). Finally, click Submit. Download of your certificate The following page appears. Click Download.

Page : 97/238 In the window that appears, click Save then OK. Choose a directory to save your certificate, then click "Save". IMPORTANT NOTE Once downloaded, the PKCS#12 file (extension ".P12") containing your certificate and its associated private key must be stored on a removable media (USB stick, an external hard drive), that you have to put into a safe in order to protect access to it. Also keep the mail "Access to RTE's IS services" (cf 2.2.2) that contains the password.

Page : 98/238 Installation of your personal certificate In Firefox, go to the menu "Tools" on the top right of the window and click the "Options" icon: A window appears. Choose the tab Advanced then the subcategory Certificates. Click View Certificates.

Page : 99/238 Click Import. Go to the folder you saved your certificate in, select your certificate name_certificate.p12 and click Open.

Page : 100/238 If necessary, the window below will ask you the access password to the Mozilla Firefox certificate store (see 5.5.1 to set this password): Enter it and click OK. The window below appears. Enter the Password present in the email Access to RTE s IS services (cf 2.2.2), then click OK. Your certificate and its associated private key have been successfully imported in Mozilla Firefox s certificate store. Visualization and verification of your software certificate Regardless of the browser used, the content of the downloaded certificate is obviously the same, only the presentation of information on the screen differs.

Page : 101/238 In the case of Mozilla Firefox, go to the Tools menu (top-right corner of the window) then click the Options icon: A window appears. Choose the Advanced tab then the Certificates subcategory. Then click the View Certificates button.

Page : 102/238 Select the tab Your Certificates. The certificate is a software certificate: indeed, the "Software Security Dev " indication appears at the right of its name. You can view it by selecting it and clicking "View. The first tab General displays the following message This certificate has been verified for the following uses. It is valid for 3 years from the date of withdrawal.

Page : 103/238 The second tab Details displays the certification hierarchy with the trust chain. This ensures that all certificates have been installed correctly, and that all the correct conditions of your certificate are met. 5.4 Using your certificate Authentication and encryption Steps to follow run Mozilla Firefox, enter the URL to RTE s application or to RTE s customer service portal : https://portail.iservices.rte-france.com, during the authentication, the browser will ask you to select the certificate to use for authentication then (if it has been defined) the certificate store protection password, if multiple certificates are presented, you must choose the one supplied for the application you wish to access (use the button Display certificate to visualize its content). Once authentication is completed, all data you send or receive will be encrypted.

Page : 104/238 Example of access to an RTE web application When you access the https://portail.iservices.rte-france.com homepage, you will be asked to choose your certificate. Select your certificate from the drop down list entitled Choose a certificate to present as identification then click OK. The following window will ask you the access password to the Mozilla Firefox certificate store if it was defined.

Page : 105/238 The home page is then securely displayed, (appearance of the closed padlock near to the URL entry field): 5.5 Additional operations Defining the master password for personal security To protect the private key associated with your certificate it is strongly recommended to set a personal security password.

Page : 106/238 To do this, click the Tools menu on the top right of the window and click on the Options icon: A window appears. Choose the Security tab. If Use a master password is already checked, it means you already have a personal security password, and you have nothing to do.

Page : 107/238 Otherwise, check the Use a master password case. The following window appears: Enter your new master password in both fields and click OK. Your personal security password is now defined. You can change your personal security password at any time by going to the menu Tools on the top right of the window and clicking the Options icon.

Page : 108/238 A window appears. Choose the Security tab and click Change Master Password. Export of your personal certificate This section explains how to save the certificate with its private key and trust chain. The procedure is to generate a file in PKCS#12 format (".p12"), protected by a password. Go the Tools menu at the top-right corner of the window then click the Options icon:

Page : 109/238 A window appears. Choose the Advanced tab then the Certificates subcategory. Then click View Certificates. Select your certificate and click Backup : Choose a folder and a name for the output file in PKCS#12 format (extension «.p12»):

Page : 110/238 Click Save. If necessary, the following window will ask you the access password to the Mozilla Firefox certificate store: Then the following window appears: Enter a password of your choice to protect access to the PKCS#12 file and click OK.

Page : 111/238 Your certificate, your private key and the trust chain are exported in the PKCS#12 generated file (extension.p12 ). Deleting your personal certificate This section details the procedure to remove a certificate and its private key from Mozilla Firefox s Certificate store. IMPORTANT NOTE Before deleting your personal certificate, make sure to have a copy. If this is not the case, refer to 5.5.2 to export your certificate and private key as a PKCS#12 file. Go to the Tools menu at the top-right corner of the window then click the Options icon:

Page : 112/238 A window appears. Choose the Advanced tab then the Certificates subcategory. Then click View Certificates.... Select your certificate and click Delete.

Page : 113/238 Validate by clicking OK. The certificate is then removed from the list of certificates. 5.6 Connecting to the SSL VPN Foreword The connection via SSL VPN is a service for establishing a secure communications channel to RTE s FrontOffice via the Internet. This channel is established after authenticating with your certificate from a dedicated website (see section 5.4). Once the channel is established all communications with the requested RTE service will be encrypted. The use of SSL VPN requires the installation of a dedicated tool, installed during the first login to the site. The application is called Secure Application Manager (SAM). SSL VPN enables secure access to your mailboxes hosted on RTE s FrontOffice.

Page : 114/238 Prerequisite In order to connect to the SSL VPN with Firefox, Java SE Runtime Environment (JRE) 1.5.07 or higher needs to be installed on your workstation. If this is not the case, you can download the latest version on Oracle s website: http://java.com/fr/download/index.jsp IMPORTANT NOTE Before your first connection, you must verify that your workstation can resolve the address secure.iservices.rte-france.com (see section 3.1). PSIS (Pulse Secure Installation Service) is a Windows service made available on the RTE customer site. This service allows, once installed, to update future SAM versions without requiring the intervention of a person with administrator privileges on the machine. To do so, download the executable under the link: http://clients.rte-france.com/lang/an/visiteurs/accueil/portail.jsp And decompress the compressed file: Once the file is executed, the following window appears, asking you the authorization to start the service. Click Run.

Page : 115/238 Once the file is executed, the following window appears. Click «Yes». It will be automatically activated at every operating system launch. First connection This paragraph applies only to your first login to the SSL VPN with Mozilla Firefox. IMPORTANT The first connection must be made by a computer specialist with Administrator rights on your workstation in order to install the SAM application. Launch your browser and go to the following website: https://secure.iservices.rte-france.com/

Page : 116/238 The following window appears: Select your certificate from the dropdown list entitled Choose a certificate to present as identification and click OK. If necessary, the following window will ask you the access password to the Mozilla Firefox certificate store. If a window asking you permission to execute a script from Pulse Secure, LLC. appears, click Yes. If the following red icon appears, click it in the address bar. Then in the dropdown menu of the message, select Activate all plugins and then choose "Allow and remember.

Page : 117/238 The following window appears, click Run : If necessary, the following window appears:

Page : 118/238 If the window below appears, click Yes. The installation of the SAM application starts: If your Internet access requires authentication to a proxy, a window appears asking your login and password. Enter them and confirm. Then the window below appears: Then, the icon VPN. appears in your taskbar which means you are now connected to the SSL

Page : 119/238 Click the "Sign out" button (top right of the page) to end the session:

Page : 120/238 Using the SSL VPN Establishing the connection Run your browser and access the following website: https://secure.iservices.rte-france.com/ The following window appears: Select your certificate from the dropdown list entitled Choose a certificate to present as identification and click OK. If necessary, the following window will ask you the access password to the Mozilla Firefox certificate store. If a window appears asking you permission to execute a script from Pulse Secure, LLC. : click Yes : If your Internet access requires authentication to a proxy, a window appears asking your login and password. Enter them and confirm.

Page : 121/238 Then the window below appears: Then, the icon appears in your taskbar which means you are now connected to the SSL VPN. Notes: The certificate is only used to establish the connection to the SSL VPN. To close the SSL VPN session, click on the Sign out button (top right of the page). Use to access hosted mailboxes The SSL VPN can be used to access mailboxes hosted on the FrontOffice with a standard email client. Access to hosted mailboxes requires the SSL VPN connection to be established (see 5.6.4.1). The Email account configuration in your mail client is then to be made with the following parameters: Mail server type : POP Server POP server address : pop.services.rte-france.com SMTP server address : smtp.services.rte-france.com When your access to RTE s FrontOffice is provided, you will receive your login name, your password and your email address.

Page : 122/238 NOTE Because the messages are transferred through a secure channel, sending and receiving messages do not require the use of a certificate to encrypt messages.

Page : 123/238 E. EMAIL EXCHANGES WITH RTE S INFORMATION SYSTEM This section only applies if you need to exchange signed-encrypted email with RTE applications. After reading the chapter 6 (overview), directly refer to the chapter associated with the email client that you use for your mail exchanges with RTE: Chapter 7 if you use Microsoft Outlook 2013 as email client. Chapter 8 if you use Mozilla Thunderbird as email client. Chapter 9 if you use Lotus Notes as email client.

Page : 124/238 6. Using your certificate to exchange emails 6.1 Certificate usage principle Using your personal certificate, its associated private key, RTE CAs certificates and RTE s application certificate, you can: decrypt and verify the signature of emails you receive from RTE applications, encrypt and sign emails you send to RTE applications. 6.2 Decryption and signature verification of a received message Decryption and verification of the signature of a message are disjoint processes. When you receive an encrypted-signed message: you decrypt the message with the private key associated to your personal certificate, you verify the message signature with the certificate of the sender (that of the RTE application) contained in the message, and with the certificate you own of the issuing CA that you trust. These two processes are done automatically when you open a signed-encrypted email with a properly configured email client that supports the secure email format S/MIME. IMPORTANT NOTE To verify the signature of a message you need to own the right certificate and trust the CA that issued the certificate of the sender. 6.3 Encryption and signing of a sent message Encrypting and signing message are two disjoint processes. When you send an encryptedsigned message: you sign the message with the private key associated to your personal certificate, you encrypt the message with the recipient s certificate (RTE s application certificate). The certificate of the recipient can be obtained in several ways. RTE applications transmit to you their certificate by sending a signed message: that is the way you will get their certificate. In doing so, when you receive a signed message, use "Add sender to contacts" to save at the same time its certificate, which you can use to send encrypted messages to him. IMPORTANT NOTE Encrypting a message requires to possess a valid certificate corresponding to the recipient's email address.

Page : 125/238 6.4 Steps to configure your email client In order to be able to exchange signed-encrypted emails with RTE, the steps are as follows: Install the certificate of the 3 RTE s CAs (Historical, Root, and Client), so that your mail client trusts RTE s applications certificates and is able to verify the signature of signed-encrypted emails you receive from them. Install your personal certificate, so your mail client can decrypt the messages from RTE and sign messages to RTE. Configure the email account you will use to exchange with RTE so that your email client always encrypts and signs messages to the RTE applications using the standard S/MIME. Install RTE s application certificate, so that your email client can encrypt emails you send to RTE applications. To perform these steps, please refer directly to one of the following chapters: the one concerning the email client that you use for your mail exchanges with RTE.

Page : 126/238 7. Microsoft Outlook 2013 7.1 Installing RTE Historical CA certificate Outlook 2013 uses the same certificate store as Internet Explorer. Install the certificate of RTE Historical CA in Internet Explorer by following the procedure described in chapter 4.2.1.1 if not already done. 7.2 Installing RTE Root CA certificate Outlook 2013 uses the same certificate store as Internet Explorer. Install the certificate of RTE Root CA in Internet Explorer by following the procedure described in chapter 4.2.1.2 if not already done. 7.3 Installing RTE Client CA certificate Outlook 2013 uses the same certificate store as Internet Explorer. Install the certificate of RTE Client CA in Internet Explorer by following the procedure described in chapter 4.2.1.3 if not already done. 7.4 Installing your personal certificate Outlook 2013 uses the same certificate store as Internet Explorer. Install your personal certificate in Internet Explorer by following the procedure described in chapter 4.3.3 if not already done.

Page : 127/238 7.5 Email account configuration Start Outlook 2013 and click the menu File > Options > Trust Center then click Trust Center Settings. In the left column, click E-mail security, then click the Settings button.

Page : 128/238 Click the two Choose buttons in order to select your personal certificate for signing and encryption. A list of selectable certificates is presented to you (you can also display a certificate from the list to view its contents and make sure you choose the right one).

Page : 129/238 Make sure the settings are similar to the ones above (S/MIME, check boxes, certificates, algorithms); if the field Security Settings Name is empty, enter a label such as RTE Certification. Finally click OK. Check the boxes Encrypt contents and attachments for outgoing messages and Add digital signature to outgoing messages, then click OK. All your emails sent to RTE applications using the default account will now be encrypted and signed. 7.6 Installing RTE s application certificate After receiving the first encrypted and signed message from an application, you must install the certificate of the issuing application. For this, you need to add the email address of the application to your address book by clicking the sender of the email received with the right mouse button and then Add to Outlook contacts :

Page : 130/238 Click General :

Page : 131/238 Click Certificates : Click Save & Close to save. All your encrypted emails sent to this application will be encrypted automatically with the application s certificate.

Page : 132/238 7.7 Using the certificate: sending a signed-encrypted email To encrypt and sign a message: first create a new message by clicking New. To sign and encrypt your message, verify that both icons below are activated or click on them to activate.

Page : 133/238 8. Mozilla Thunderbird 8.1 Installing certificates of the 3 RTE s CAs The certificates of the 3 RTE s CAs (Historical, Root and Client) must first be installed for Thunderbird to be able to verify the signature of emails sent by RTE. IMPORTANT NOTE It is imperative to respect the case (upper / lower case) of the following websites addresses. RTE Historical Certification Authority With your web browser go to the address below to download the file Certification_Autority_RTE_2048.cer containing RTE Historical CA certificate: With Internet Explorer: https://kregistration-user.certificat2.com/kregresources/css/rte/rte/certification_autority_rte_2048.cer Click the "Save" button and choose a location to save the file "Certification_Autority_RTE_2048.cer" With Mozilla Firefox: Select Save file then click OK. A location to save the file Certification_Autority_RTE_2048.cer will eventually be requested.

Page : 134/238 The certificate you just downloaded must be installed in Thunderbird certificate store. In the menu "Tools" on the top right of the window click Options : A window appears. Choose the Advanced tab then the Certificates subcategory. Click the button View Certificates.

Page : 135/238 Select the Authorities tab and click Import. Select the previously saved file Certification_Autority_RTE_2048.cer and click Open.

Page : 136/238 A dialog box is displayed, in which you must select the three check boxes "Trust this CA to identify [...]" to trust RTE Historical CA. Click the "View" button to verify that the certificate that you are going to trust is the certificate of RTE Historical CA: To ensure that you have downloaded the real RTE Historical CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Page : 137/238 Digital hash of the certificate RTE Certification Authority SHA1 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12 If this is not the case: click Close to go back to the precedent window and click Cancel then call RTE s Hotline (cf 14.1). If this is the case, click Close to return to the initial window: "Downloading certificate": Click the "OK" button: RTE Historical CA's certificate is then installed. RTE Root Certification Authority With your web browser go to the address below to download the file ACR_RTE_Root_CA_20160303.cer containing RTE Root CA certificate: With Internet Explorer: https://kregistration-user.certificat2.com/kregresources/css/rte/rte2/acr_rte_root_ca_20160303.cer

Page : 138/238 Click the "Save" button and choose a location to save the file "Certification_Autority_RTE_2048.cer" With Mozilla Firefox: Select Save file then click OK. A location to save the file ACR_RTE_Root_CA_20160303.cer will eventually be requested. The certificate you just downloaded must be installed in Thunderbird certificate store. In the menu "Tools" on the top right of the window click Options : A window appears. Choose the Advanced tab then the Certificates subcategory.

Page : 139/238 Click the button View Certificates. Select the Authorities tab and click Import.

Page : 140/238 Select the previously saved file ACR_RTE_Root_CA_20160303.cer and click Open. A dialog box is displayed, in which you must select the three check boxes "Trust this CA to identify [...]" to trust RTE Root CA. Click the "View" button to verify that the certificate that you are going to trust is the certificate of RTE Root CA:

Page : 141/238 To ensure that you have downloaded the real RTE Root CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below. Digital hash of the certificate RTE Root Certification Authority SHA1 00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff If this is not the case: click Close to go back to the precedent window and click Cancel then call RTE s Hotline (cf 14.1). If this is the case, click Close to return to the initial window: "Downloading certificate":

Page : 142/238 Click the "OK" button: RTE Root CA's certificate is then installed. RTE Client Certification Authority With your web browser go to the address below to download the file ACF_RTE_Client_CA_20160303.cer containing RTE Client CA certificate: With Internet Explorer: https://kregistration-user.certificat2.com/kregresources/css/rte/rte2/acf_rte_client_ca_20160303.cer Click the "Save" button and choose a location to save the file "ACF_RTE_Client_CA_20160303.cer" With Mozilla Firefox: Select Save file then click OK. A location to save the file ACF_RTE_Client_CA_20160303.cer will eventually be requested.

Page : 143/238 The certificate you just downloaded must be installed in Thunderbird certificate store. In the menu "Tools" on the top right of the window click Options : A window appears. Choose the Advanced tab then the Certificates subcategory. Click the button View Certificates.

Page : 144/238 Select the Authorities tab and click Import. Select the previously saved file ACF_RTE_Client_CA_20160303.cer and click Open.

Page : 145/238 A dialog box is displayed, in which you must select the three check boxes "Trust this CA to identify [...]" to trust RTE Client CA. Click the "View" button to verify that the certificate that you are going to trust is the certificate of RTE Client CA.

Page : 146/238 To ensure that you have downloaded the real RTE Client CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below. Digital hash of the certificate RTE Client Certification Authority SHA1 C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed If this is not the case: click Close to go back to the precedent window and click Cancel then call RTE s Hotline (cf 14.1). If this is the case, click Close to return to the initial window: "Downloading certificate": Click the "OK" button: RTE Client CA's certificate is then installed. Visualization of RTE CAs certificates To view the CAs certificates later in Mozilla Thunderbird, go to the "Tools" menu on the top right of the window then click the "Options" icon:

Page : 147/238 A window appears. Select the Advanced tab then the subcategory Certificates. Click the View Certificates button. In Authorities tab, you can verify that the certificates RTE Certification Authority, RTE Root Certification Authority, RTE Client Certification Authority you import are registered in Thunderbird ( Software Security Device ). You can see the content of each certificate by clicking on the certificate and then clicking on View.

Page : 148/238 Select RTE Certification Authority and click View : To ensure that you have downloaded the real RTE Historical CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below. Digital hash of the certificate RTE Certification Authority SHA1 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12 If this is not the case: click Close to go back to the precedent window and call RTE s Hotline (cf 14.1).

Page : 149/238 If, after verification, the hash of the certificate that you imported matches the "SHA1" hash above, it is possible to consult the details of the certificate by clicking on the "Details" tab: By clicking on the "Close" button, you return to the initial window.

Page : 150/238 Select RTE Root Certification Authority and click View : To ensure that you have downloaded the real RTE Root CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below. Digital hash of the certificate RTE Root Certification Authority SHA1 00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff If this is not the case: click Close to go back to the precedent window and call RTE s Hotline (cf 14.1).

Page : 151/238 If, after verification, the hash of the certificate that you imported matches the "SHA1" hash above, it is possible to consult the details of the certificate by clicking on the "Details" tab: By clicking on the "Close" button, you return to the initial window.

Page : 152/238 Select RTE Client Certification Authority and click View : To ensure that you have downloaded the real RTE Client CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below. Digital hash of the certificate RTE Client Certification Authority SHA1 C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed If this is not the case: click Close to go back to the precedent window and call RTE s Hotline (cf 14.1).

Page : 153/238 If, after verification, the hash of the certificate that you imported matches the "SHA1" hash above, it is possible to consult the details of the certificate by clicking on the "Details" tab: By clicking on the "Close" button, you return to the initial window. 8.2 Installing your personal certificate To be able to import your certificate in Mozilla Thunderbird, you must have the file name_certificate.p12 downloaded with your browser when retrieving your certificate (see 4.3.2 for Internet Explorer, 5.3.2 for Mozilla Firefox). Start Mozilla Thunderbird, go to the menu "Tools" on the top right of the window and click the "Options" icon:

Page : 154/238 A window appears. Choose the Advanced tab then the Certificates subcategory. Click View Certificates.

Page : 155/238 In the Your certificates tab, click Import. In the drop-down menu File type select PKCS12 Files (*.p12;*.pfx) : Go to the folder you saved your certificate in, select your certificate name_certificate.p12 and click Open.

Page : 156/238 If necessary, the window below will ask you the access password to the Mozilla Thunderbird certificate store (see 8.6 to set this password): Click OK. N.B.: if there is no master password, Thunderbird will ask you to define one. Enter the password protecting the PKCS#12 file and click OK. Your certificate and its associated private key have been successfully imported in Mozilla Thunderbird s certificate store.

Page : 157/238 Verify this is the right certificate by clicking on View. The second tab Details displays the certification hierarchy with the trust chain. This ensures that all certificates have been installed correctly, and that all the correct conditions of your certificate are met.

Page : 158/238

Page : 159/238 8.3 Email account configuration To sign and encrypt with your certificate, it must be associated with the email account corresponding to the email address specified in the Certificate subject. For this, start Mozilla Thunderbird, press the Alt key on your keyboard, a menu bar appears at the top of the window. Click Tools then Account Settings.

Page : 160/238 A window appears. Select the Security item of the email account you use to exchange with RTE: Click Select to open the following window: Select your certificate in the drop-down list and click OK. The following message appears:

Page : 161/238 Click Yes to automatically define the same certificate to decrypt received emails. NOTE Although for encryption, the text indicates that your certificate will be used to encrypt and decrypt messages sent, it will not actually be used to decrypt messages received. All your emails sent to RTE applications using this account will now be encrypted and signed. 8.4 Installing RTE s application certificate After receiving the first encrypted and signed message from an application, the application certificate installs automatically. However you can add the application s email address to your address book by right-clicking the sender of the received email and then clicking Add to Address Book : The contact has been added to the address book.

Page : 162/238 To verify that the application certificate is correctly installed, go to the menu Tools (top-right corner of the window) and click Options : A window appears. Choose the Advanced tab then the Certificates subcategory. Then click View Certificates. A window appears. Click the People tab.

Page : 163/238 Every time an encrypted email is sent to this application, the application s certificate will be used automatically to encrypt it.

Page : 164/238 8.5 Using the certificate: sending a signed-encrypted email To encrypt and sign a message, first create a new message by clicking Write. Click the Security tab to verify the options: Encrypt this message and Digitally sign this message. These options should be checked by default, if not: check them. 8.6 Defining the master password for personal security To protect the private key associated with your certificate it is strongly recommended to set a personal security password. To do this, click the Tools menu on the top right of the window and click on the Options icon:

Page : 165/238 A window appears. Choose the Security tab and then click on the Passwords tab. If Use a master password is already checked, it means you already have a personal security password, and you have nothing to do. Otherwise, check the Use a master password case. The following window appears: Enter your new master password in both fields and click OK. Your personal security password is now defined. You can modify your personal security password by following the same steps.

Page : 166/238

Page : 167/238 9. Lotus Notes 9.1 How to know which CA signed your personal certificate If you follow previously in this document 5.2 with Mozilla Firefox please follow the section 9.1.1. If you follow previously in this document 4.2 with Internet Explorer please follow the section 9.1.2. The RTE Root CA and RTE Client CA certificates need to be imported previously in Internet Explorer certificate store or in Mozilla Firefox certificate store. Using Mozilla Firefox In Mozilla Firefox certificate store, select your personal certificate and click on View : Select the Details tab: A certificate signed by RTE Historical CA. A certificate signed by RTE s new PKI.

Page : 168/238 The trust chain has only one level. Only the certificate RTE Certification Authority of RTE Historical CA can be seen. The trust chain has two levels. The certificate RTE Root Certification Authority of RTE Root CA and the certificate RTE Client Certification Authority of RTE Client CA are present. Using Internet Explorer In Internet Explorer certificate store, select your personal certificate and click on View : Select the Certification Path tab: A certificate signed by RTE Historical CA. A certificate signed by RTE s new PKI. The trust chain has only one level. Only the certificate RTE Certification Authority of RTE Historical CA can be seen. The trust chain has two levels. The certificate RTE Root Certification Authority of RTE Root CA and the certificate RTE Client Certification Authority of RTE Client CA are present. If your personal certificate is signed by RTE Historical CA, please follow the 11.3.

Page : 169/238 9.2 Installation on Lotus Notes After you read the chapter 9.1 which explains how to know which CA has signed your personal certificate, please refer to the chapter corresponding to this CA to the version of lotus Notes you use. If you use Lotus Notes 8.5 If you use Lotus Notes 9 If your personal certificate is signed by RTE Historical CA If your personal certificate is signed by RTE New PKI Please go to chapter 10 Lotus Notes 8.5 Please contact RTE s Hotline (cf 14.1). Please go to chapter 11 Lotus Notes 9 Please go to chapter 11 Lotus Notes 9

Page : 170/238 10. Lotus Notes 8.5 Don t follow this section if your personal certificate is not signed by RTE new PKI (see 9.1). 10.1 Installing RTE Historical CA certificate RTE s certificates will be installed by Cross certification when you received your first signedencrypted email from the application (see 10.4). Note: The Cross certification is a process which makes a user able to install the certificate of another entity while he receives a message form that entity. Messages sent to that specific entity will be encrypted with that Cross certification. 10.2 Installing your personal certificate Creation of a PKCS#12 file readable by Notes Lotus Notes can install a certificate and its associated private key only from a PKC #12 file that contains RTE Historical CA. This is not the case for the file name_certificate.p12 you downloaded when you retrieved your certificate. To generate a file accepted by Lotus Notes, install RTE Historical CA and your certificates in a browser and then export your personal certificate as a PKCS#12 file. Depending on the browser you are using, perform one of the procedures below. With Microsoft Internet Explorer : o Install RTE Historical CA certificate, see 4.2.1.1. o o Install your personal certificate making sure to check the case Mark this key as exportable. see 4.3.3 Export your certificate in a PKCS#12 file making sure to check the case Include all certificates in the certification path if possible, see 4.5.1. With Mozilla Firefox : o Install RTE Historical CA certificate, see 5.2.1.1. o Install your personal certificate, see 5.3.3. o Export your certificate to a PKCS#12 file, see 5.5.2 (RTE Historical CA will automatically be included).

Page : 171/238 Installing the PKCS#12 file in Notes Start Lotus Notes and access to File > Security > User Security : If requested, enter your Notes password:

Page : 172/238 The following window appears: Click Your Identity then Your Certificates :

Page : 173/238 Select Your Internet Certificates in the drop-down list to display the Internet certificates already imported. Click the Get Certificates button and select Import Internet Certificates : A window appears asking you to select a PKCS#12 file (extension.pfx or.p12 ). Select the file you generated at 10.2.1 containing your personal certificate, its private key and RTE Historical CA s certificate:

Page : 174/238 Click Open and in the window below choose the format: PKCS 12: Click Continue. The PKCS12 file s password is requested: Click OK and the window below is displayed:

Page : 175/238 Your personal certificate you want to import, and the RTE Historical CA s certificate, are listed. If you click Advanced Details the content of the selected certificate (yours) appears in the window: Click Cancel to go back to the previous window.

Page : 176/238 To see the content of RTE Historical CA s certificate, you must select it: And click Advanced Details : To ensure that you have downloaded the real RTE Historical CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below. Digital hash of the certificate RTE Certification Authority SHA1 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12 If this is not the case: click Close to go back to the precedent window and click Cancel then call RTE s Hotline (cf 14.1). If this is the case, click Close to return to the initial window: "Import Internet Certificate.

Page : 177/238 Click Close to go back to the main screen: Click Accept All. Enter your Notes password and click OK. Click OK, the window below appears:

Page : 178/238 The certificate, now visible here, has successfully been imported. Click OK to end the import. Visualization of the certificate To view your certificate, in Lotus Notes access the menu File > Security > User Security, then click the item Your Identity and Your Certificates. Select Your Internet Certificates in the drop-down list. Select your personal certificate and click the Advanced Details button. The certificate s details are then presented in the window below:

Page : 179/238 To view RTE Historical CA's certificate, in Lotus Notes access the menu File > Security > User Security, then click the item Your Identity and Your Certificates. Select All Internet Certificates in the drop-down list.

Page : 180/238 To see the content of RTE Historical CA s certificate, you must select it, and click Advanced Details : To ensure that you have downloaded the real RTE Historical CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below. Digital hash of the certificate RTE Certification Authority SHA1 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12 If this is not the case: click Close to go back to the precedent window and click Cancel then call RTE s Hotline (cf 14.1). 10.3 Email account configuration If you have multiple certificates used to sign your sent messages, you have to set by default the one that will serve for exchanges with RTE. In Lotus Notes, open the menu File > Security > User Security, then click Your Identity and Your Certificates :

Page : 181/238 Select Your Internet Certificates in the drop-down list to display your Internet certificates that are already imported. Select your certificate and click the Advanced Details button. If you only have one certificate, the case Use this certificate as your default signing certificate will be grey and checked. If not, check it, as above, and click OK. 10.4 Installing RTE s application certificate When you select, for the first time, a signed and encrypted message you received a dialog box similar to the one below appears, allowing you to give your trust to the issuer:

Page : 182/238 For this, you must click on the Cross certify button. Then, when you display this signed received message, you will need to choose the Add Sender to Contacts in the menu by right-clicking on the email, which will add the issuer and its certificate to your book Address. The following window appears:

Page : 183/238 Only verify that the case Include X.509 certificates when encountered is checked and click OK. Whenever an encrypted email will be sent to this application, its installed certificate will now automatically be selected to perform the encryption. 10.5 Using the certificate: sending a signed-encrypted email When composing a message, you can sign and encrypt it if you own your signature certificate (see 10.4) and that of your correspondent. For that, when you write a new message, you must click the Delivery Options button.

Page : 184/238 Check the Sign and Encrypt cases as shown below: Click OK. The rest of the mailing process has no more particularity, Notes then automatically signs and encrypts your message transparently.

Page : 185/238 11. Lotus Notes 9 11.1 Installing RTE s applications certificates RTE s applications certificates will be installed by Cross certification when you received your first signed-encrypted email from the application (see 11.6). Note: The Cross certification is a process which makes a user able to install the certificate of another entity while he receives a message form that entity. Messages sent to that specific entity will be encrypted with that Cross certification. 11.2 Installing RTE CA s certificates Installing RTE Historical CA s certificate With your web browser go to the address below to download the file Certification_Autority_RTE_2048.cer containing RTE Historical CA s certificate: With Internet Explorer: https://kregistration-user.certificat2.com/kregresources/css/rte/rte/certification_autority_rte_2048.cer Click the "Save" button and choose a location to save the file "Certification_Autority_RTE_2048.cer" With Mozilla Firefox: Select Save file then click OK. A location to save the file Certification_Autority_RTE_2048.cer will eventually be requested.

Page : 186/238 Start Lotus Notes and access to File > Security > User Security : If requested, enter your Notes password.

Page : 187/238 The following window appears: Click Your Identity then Your Certificates : Select Your Internet Certificates in the drop-down list to display the Internet certificates already imported.

Page : 188/238 Click the Get Certificates button and select Import Internet Certificates : A window appears asking you to select file. Choose to see all the extensions. Select the certificate of RTE Historical AC Certification_Authority_RTE_2048.cer previously downloaded:

Page : 189/238 Click Open and in the window below chose the format Base 64 encoded X.509 : Click Continue and the window below is displayed: RTE Historical CA s certificate is listed. If you click Advanced Details the content of the selected certificate appears in the following window:

Page : 190/238 To ensure that you have downloaded the real RTE Historical CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below. Digital hash of the certificate RTE Certification Authority SHA1 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12 If this is not the case: click Close to go back to the precedent window and click Cancel then call RTE s Hotline (cf 14.1). If this is the case, click Close to return to the initial window: "Import Internet Certificate.

Page : 191/238 Click Accept All. Click OK, the certificate has successfully been imported. Installing RTE Root and RTE Client CAs certificates In order to import the trust chain made by RTE Root CA and RTE Client CA, it requires to create a PKCS#7 file that contains the 2 certificates of these 2 CAs. To manage to create the file you must follow one of the 2 sections 11.2.2.1 or 11.2.2.2 which depend on the process you follow before in this document: 5.2 with Mozilla Firefox or 4.2 with Internet Explorer. To succeed in the file creation, the certificates of RTE Root and RTE Client CAs need to be imported previously in Internet Explorer certificate store or in Mozilla Firefox certificate store. Creating P7c file containing RTE Root CA/RTE Client CA trust chain with Mozilla Firefox In the certificate store of Mozilla Firefox, select the RTE Client CA s certificate RTE Client Certification Authority and click on Export : Choose where to save the file, choose the file type X.509 Certificate with chain (PKCS#7) (*.p7c) :

Page : 192/238 Click on Save. Pass to the step 11.2.2.3 to import the trust chain on Lotus Notes 9. Creating P7b file containing RTE Root CA/RTE Client CA trust chain with Internet Explorer In Internet Explorer certificate store, select the RTE Client CA s certificate RTE Client Certification Authority and click on Export :

Page : 193/238 The Certificate Export wizard opens, click on Next : Choose Cryptographic Message Syntax Standart PKCS #7 Certificates (.P7B) option and ticket Include all certificates in the certification path if possible.clik on Next>.

Page : 194/238 Click on Browse. Choose a place ta save your.p7b file and click on Save : Clik on Next>.

Page : 195/238 Clik on Finish.

Page : 196/238 Clik on OK. Pass to the next step 11.2.2.3 to import the trust chain on Lotus Notes 9.

Page : 197/238 Importing PKCS7 file in Lotus Notes 9 Start Lotus Notes and access to File > Security > User Security : If requested, enter your Notes password.

Page : 198/238 The following window appears: Click Your Identity then Your Certificates : Select Your Internet Certificates in the drop-down list to display the Internet certificates already imported.

Page : 199/238 Click the Get Certificates button and select Import Internet Certificates : A window appears asking you to select a file, choose PKCS#7 type of file (extension.p7b or.p7c ). If you followed the process on Mozilla Firefox 11.2.2.1 If you followed the process on Internet Explorer 11.2.2.2 Select the.p7c file you create on 11.2.2.1 containing the trust chain RTE Root CA / RTE Client CA. Select the.p7b file you create on 11.2.2.2 containing the trust chain RTE Root CA / RTE Client CA.

Page : 200/238 Click Open and the window below is displayed: To see the content of the RTE Root CA s certificate, you must select it. If you click on Advanced Details, a window show you the details of the selected certificate: To ensure that you import the real RTE Root CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Page : 201/238 Digital hash of the certificate RTE Root Certification Authority SHA1 00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff If this is not the case: click Close to go back to the precedent window and click Cancel then call RTE s Hotline (cf 14.1). Click Close to return to the initial window: "Import Internet Certificates" To see the content of the RTE Client CA s certificate, you must select it. If you click on Advanced Details, a window show you the details of the selected certificate: To ensure that you import the real RTE Client CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below. Digital hash of the certificate RTE Client Certification Authority SHA1 C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed If this is not the case: click Close to go back to the precedent window and click Cancel then call RTE s Hotline (cf 14.1). If this is the case, click Close to return to the initial window: Import Internet Certificates ".

Page : 202/238 Click Accept All. Click OK, the certificates have successfully been imported. 11.3 Installing your personal certificate signed by RTE Historical CA Follow the steps below only if your personal certificate is signed by RTE Historical CA (see 9.1). Creation of a PKCS#12 file readable by Notes Lotus Notes can install a certificate and its associated private key only from a PKCS #12 file that contains the trust chain (RTE Historical CA / personal certificate). This is not the case for the file name_certificate.p12 you downloaded when you retrieved your certificate.

Page : 203/238 To generate a file accepted by Lotus Notes, install RTE CA s certificate and your certificates in a browser and then export your personal certificate as a PKCS#12 file. Depending on the browser you are using, perform one of the procedures below. With Microsoft Internet Explorer : o Install the three certificate of RTE CAs, see 4.2. o o Install your personal certificate making sure to check the case Mark this key as exportable. see 4.3. Export your certificate in a PKCS#12 file making sure to check the case «Include all certificates in the certification path if possible» see 4.5.1. With Mozilla Firefox : o Install the three certificate of RTE CAs, see 5.2. o Install your personal certificate, see 5.3. o Export your certificate to a PKCS#12 file, see 5.5.2 (The trust chain will automatically be included). Installing the PKCS#12 file in Notes Start Lotus Notes and access to File > Security > User Security : If requested, enter your Notes password.

Page : 204/238 The following window appears: Click Your Identity then Your Certificates : Select Your Internet Certificates in the drop-down list to display the Internet certificates already imported.

Page : 205/238 Click the Get Certificates button and select Import Internet Certificates : A window appears asking you to select a PKCS#12 file (extension.pfx or.p12 ). Select the file you generated at 11.3.1 containing your personal certificate, its private key and RTE Historical CA certificate:

Page : 206/238 Click Open and in the window below chose the format PKCS 12: Click Continue. The PKCS12 file s password is requested: Click OK and the window below is displayed: Your certificate, you want to import, and the certificate of RTE Historical CA, are listed. If you click Advanced Details the content of the selected certificate (yours) appears in the window:

Page : 207/238 Click Close to go back to the previous window. To see the content of RTE Historical CA s certificate, you must select it: And click Advanced Details :

Page : 208/238 To ensure that you are installing the real RTE Historical CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below. Digital hash of the certificate RTE Certification Authority SHA1 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12 If this is not the case: click Close to go back to the precedent window and click Cancel then call RTE s Hotline (cf 14.1). Click Close to go back to the main screen: Click Accept All. If necessary, enter your Notes password and click OK.

Page : 209/238 Click OK, the window below appears: The certificate, now visible here, has successfully been imported. Click OK to end the import.

Page : 210/238 Visualization of the certificate To view your certificate, in Lotus Notes access the menu File > Security > User Security, then click the item Your Identity and Your Certificates. Select Your Internet Certificates in the drop-down list. Select your personal certificate and click the Advanced Details button. The certificate s details are then presented in the window below: To view RTE Historical CA s certificate, in Lotus Notes access the menu File > Security > User Security, then click the item Your Identity and Your Certificates. Select All Internet Certificates in the drop-down list.

Page : 211/238 To see the content of RTE Historical CA s certificate, you must select it, and click Advanced Details : To ensure that you have downloaded the real RTE Historical CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below. Digital hash of the certificate RTE Certification Authority SHA1 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12 If this is not the case: click Close to go back to the precedent window and click Cancel then call RTE s Hotline (cf 14.1).

Page : 212/238 11.4 Installing your personal certificate signed by the new PKI of RTE Follow the steps below only if your personal certificate is signed by RTE s new PKI (see 9.1). Creation of a PKCS#12 file readable by Notes Lotus Notes can install a certificate and its associated private key only from a PKC #12 file that contains the trust chain (RTE Root CA / RTE Client CA / personal certificate). This is not the case for the file name_certificate.p12 you downloaded when you retrieved your certificate. To generate a file accepted by Lotus Notes, install RTE CA s certificate and your certificates in a browser and then export your personal certificate as a PKCS#12 file. Depending on the browser you are using, perform one of the procedures below. With Microsoft Internet Explorer : o Install the three certificate of RTE CAs, see 4.2. o o Install your personal certificate making sure to check the case Mark this key as exportable. see 4.3.3. Export your certificate in a PKCS#12 file making sure to check the case «Include all certificates in the certification path if possible» see 4.5.1. With Mozilla Firefox : o Install the three certificate of RTE CAs, see 5.2. o Install your personal certificate, see 5.3. o Export your certificate to a PKCS#12 file, see 5.5.2 (The trust chain will automatically be included).

Page : 213/238 Installing the PKCS#12 file in Notes Start Lotus Notes and access to File > Security > User Security : If requested, enter your Notes password.

Page : 214/238 The following window appears: Click Your Identity then Your Certificates : Select Your Internet Certificates in the drop-down list to display the Internet certificates already imported.

Page : 215/238 Click the Get Certificates button and select Import Internet Certificates : A window appears asking you to select a PKCS#12 file (extension.pfx or.p12 ). Select the file you generated at 11.4.1 containing your personal certificate, its private key and RTE Root CA and RTE Client CA certificates:

Page : 216/238 Click Open and in the window below chose the format PKCS 12: Click Continue. The PKCS12 file s password is requested: Click OK and the window below is displayed: Your certificate, you want to import, and the trust chain, are listed. If you click Advanced Details the content of the selected certificate (yours) appears in the window:

Page : 217/238 Click Close to go back to the previous window. To see the content of the RTE Root CA s certificate, you must select it.

Page : 218/238 If you click on Advanced Details, a window show you the details of the selected certificate: To ensure that you have downloaded the real RTE Root CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below. Digital hash of the certificate RTE Root Certification Authority SHA1 00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff If this is not the case: click Close to go back to the precedent window and click Cancel then call RTE s Hotline (cf 14.1). Click Close to return to the initial window: "Import Internet Certificates" To see the content of the RTE Client CA s certificate, you must select it. If you click on Advanced Details, a window show you the details of the selected certificate:

Page : 219/238 To ensure that you have downloaded the real RTE Client CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below. Digital hash of the certificate RTE Client Certification Authority SHA1 C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed If this is not the case: click Close to go back to the precedent window and click Cancel then call RTE s Hotline (cf 14.1). If this is the case, click Close to return to the initial window: Import Internet Certificates ": Click Accept All. If necessary, enter your Notes password and click OK.

Page : 220/238 Click OK, the window below appears: The certificate, now visible here, has successfully been imported. Click OK to end the import.

Page : 221/238 Visualization of the certificate To view your certificate, in Lotus Notes access the menu File > Security > User Security, then click the item Your Identity and Your Certificates. Select Your Internet Certificates in the drop-down list. Select your personal certificate and click the Advanced Details button. The certificate s details are then presented in the window below: To view RTE Root CA and RTE Client CA s certificates, in Lotus Notes access the menu File > Security > User Security, then click the item Your Identity and Your Certificates. Select All Internet Certificates in the drop-down list.

Page : 222/238 To see the content of the RTE Root CA s certificate, you must select it. If you click on Advanced Details, a window show you the details of the selected certificate: To ensure that you have downloaded the real RTE Root CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Page : 223/238 Digital hash of the certificate RTE Root Certification Authority SHA1 00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff If this is not the case: click Close to go back to the precedent window and call RTE s Hotline (cf 14.1). Click Close to return to the initial window. To see the content of the RTE Client CA s certificate, you must select it. If you click on Advanced Details, a window show you the details of the selected certificate: To ensure that you have downloaded the real RTE Client CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below. Digital hash of the certificate RTE Client Certification Authority SHA1 C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed If this is not the case: click Close to go back to the precedent window and call RTE s Hotline (cf 14.1). Click Close to return to the initial window. 11.5 Email account configuration If you have multiple certificates used to sign your sent messages, you have to set by default the one that will serve for exchanges with RTE. In Lotus Notes, open the menu File > Security > User Security, then click Your Identity and Your Certificates :

Page : 224/238 Select Your Internet Certificates in the drop-down list to display your Internet certificates that are already imported. Select your certificate and click the Advanced Details button. If you only have one certificate, the case Use this certificate as your default signing certificate will be grey and checked. If not, check it, as above, and click OK.

Page : 225/238 11.6 Installing RTE s application certificate When you select, for the first time, a signed and encrypted message you received a dialog box similar to the one below appears, allowing you to give your trust to the issuer: For this, you must click on the Cross certify button. Then, when you display this signed received message, you will need to choose the Add Sender to Contacts feature, which will add the issuer and its certificate to your book Address.

Page : 226/238 The following window appears: Only verify that the case Include X.509 certificates when encountered is checked and click OK. Whenever an encrypted email will be sent to this application, its installed certificate will now automatically be selected to perform the encryption. 11.7 Using the certificate: sending a signed-encrypted email When composing a message, you can sign and encrypt it if you have your own and correspondent certificate (see the import procedure for your certificate above). For that, when you write a new message, you must click the Delivery Options button and check the Sign and Encrypt cases as shown below:

Page : 227/238 Click OK. That is all, Notes then automatically signs and encrypts your message.

Page : 228/238 F. APPENDIXES

Page : 229/238 12. Secure environment (PKI) This appendix describes the secure environment in which the PKI is operated. It describes in particular: the concepts of secure environment and the corresponding data objects handled by the PKI, the role of the various entities involved in the operation process of a PKI. 12.1 Concepts and objects managed by a PKI This appendix presents the key concepts for understanding the role of objects managed by a PKI: presentation of the principles structuring a safe process, the role of dual-keys, certificates. What is a secure process? Definition of a PKI With a PKI (Public Key Infrastructure), each holder has a pair of keys - a private key, known only by his owner, and a public key - linked by a complex mathematical relationship, making it virtually impossible to determine the private key from the only knowledge of the public key. This means that the probability of determining the private key from the public key in a reasonable time is very low. Data encrypted with a key (typically, the public key) can only be decrypted with the other (typically the private key). It is on the basis of this principle that is particularly assured the confidentiality of messages exchanged. This process is commonly called "asymmetric cryptography" as opposed to "symmetric cryptography" that uses a common key for both encryption and decryption. The four pillars of information exchange security This electronic identity card aims at establishing an environment of trust whose four pillars are: authentication identifies parties in a sure and reliable way, confidentiality prevents non-recipients to read the data, integrity ensures that data has not been altered, non-repudiation makes it impossible for a party to refute the transmitted information. The cryptographic solution Because of the technology used (protocols, architectures, etc.), the information circulating on the Internet is not confidential. The technologies also do not allow to meet the other three security requirements set out above. To preserve the confidentiality of exchanges via the Internet, the data must be rendered incomprehensible to all, except for the recipients. Encryption is the right solution.

Page : 230/238 Data encryption naturally accompanies system s users authentication. While some data are confidential, it is necessary for issuers and recipients of this information to authenticate safely and unequivocally, to conduct secure exchanges. Authentication is based on the possession of a certificate. This element is issued by a Certification Authority that stakeholders of a transaction trust (in our case, the Certification Authority is RTE). Thus, the carriers can have confidence in the information provided to them and RTE knows that only authorized holders access the information. NOTE In a similar process, in daily life, it is necessary to provide a piece of identification issued by an authority to access certain privileges reserved for citizens of the country (expensive purchases, voting, etc.). The importance of dual-keys Each holder has a public key and an associated private key. The private key is a key that the holder must keep confidential. He is the only one to possess and with the ability to use it. He does not necessarily know it himself (for example: it may be in a smart card of which it cannot come out, but access to the card is protected by a PIN code known only to its owner) The public key, as its name suggests, is public and can be communicated to all. The public keys of holders are used only to encrypt messages intended for them. If an encrypted message was intercepted, it would be without consequence on its confidentiality as it cannot be decrypted (in a reasonable time) by a person not having the associated private key. The private key enables its owner to sign a message he sends and to decrypt an encrypted message he receives. In contrast, the public key of a person is used to encrypt a message sent to him and to verify the signature of a message he receives. Encryption and decryption of a message Each message is encrypted by the recipient's public key that will decrypt it with his private key. When RTE sends a message to the client A: 1. RTE has the public key of client A (via the public part of the certificate). 2. RTE automatically encrypts the message using the public key of client A and sends it via RTE s email system. 3. Client A receives the message and automatically decrypts it with his private key.

Page : 231/238 Encryption and decryption with dual-keys. The usage of keys to sign a message Each message is signed by the private key of the issuer. The origin (the signature) of a message can be controlled by the public key of the issuer, freely accessible via its certificate. To prove to client A that the received message is actually from RTE, RTE automatically signs the message with its (RTE s) private key before sending to the client A. Signing and signature verification with dual-keys. When the client A receives the message from RTE, it automatically verifies the signature of the received message with the public key of RTE.

Page : 232/238 Certificates Objectives of digital certificates Since public keys are used to verify electronic signatures and encrypt messages, it is essential for any carrier to be certain of the identity of the owner of a public key: it is the role of the certificate. A certificate is a digital ID: Characteristics of a certificate that guarantees the identity of the holder from a remote site, that includes data facilitating the identification, that is resistant to counterfeit and issued by a trusted third party: the Certification Authority. A Certification Authority is an entity that creates and manages certificates. It defines the rules for registration in the various holders PKI. Structure of a certificate A digital certificate contains: the public key of its holder, the name of the holder and any other identification information (email address of the person if the certificate is used to sign emails), the certificate s period of validity, the name of the certification authority that issued the certificate, a unique serial number, the signature of the certification authority.

Page : 233/238 Examples of certificates A digital certificate on Internet Explorer

Page : 234/238 A digital certificate on Mozilla Firefox 12.2 Documentation Reference documentation: Subscription contract to RTE s secure Information System. Websites: http://www.legifrance.gouv.fr/ Law of 13th March 2000 on the adaptation of law of evidence to information technologies and on electronic signature: http://www.assemblee-nat.fr/ Directive 1999/93/CE of 13th december 1999 on a Community framework for electronic signatures : http://europa.eu/ Draft decree on electronic signatures : http://www.internet.gouv.fr/ OpenTrust (formerly Keynectis) : https://www.opentrust.com/

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback