Registration and Renewal procedure for Belfius Certificate
Table of contents TABLE OF CONTENTS... 2 1. INTRODUCTION... 3 2. CONTACT... 3 3. CONFIGURATION... 3 4. REGISTRATION PROCEDURE... 4 4.1 PRE-REQUISITES... 4 4.2 IMPORT THE DEXIA GROUP ROOT CA CERTIFICATE... 4 4.3 IMPORT THE DEXIA BANK BUSINESS CA CERTIFICATE... 9 4.4 GENERATE YOUR CERTIFICATE REQUEST IN YOUR WINDOWS PROFILE... 12 4.5 DOWNLOAD OF YOUR PERSONAL CERTIFICATE... 15 4.6 BACKUP YOUR KEYS AND CERTIFICATE... 18 4.7 IMPORT YOUR KEYS AND CERTIFICATE ON ANOTHER COMPUTER... 23 5. RENEWAL PROCEDURE... 25
1. Introduction This document describes the issuance or renewal procedure to issue your Belfius certificate using Certificate Services website. A Belfius certificate is composed of two pieces of information (a private key and a public key). Public and private keys are like two halves of a single key (a public key is used to encrypt or "lock" a message, and only the complementary private key can "unlock" that message). The export must be achieved to make a backup of all keys or to use the keys on another machine. 2. Contact IS4F PKI Services info-pki@is4f.com 3. Configuration Environnement Windows (Vista, 7). Internet Explorer (mandatory) with compatibility mode if version 10 or 11.
4. Registration Procedure Scenario : - You will connect to web applications using a SSL client certificate 4.1 Pre-requisites Your UserID Your Authorisation Code 4.2 Import the Dexia Group Root CA certificate This operation should only be done 1 time. It is not needed in the future in case of certificate renewal on the same machine at your side Before trusting certificates issued by IS4F/Belfius, you need to trust the Certification Authorities ( CA ). Root Certification Authority of IS4F/Belfius is at the top of the certification path. This Root CA is the single point of trust. This certificate must be imported first. 1. Download it from http://pki.dexia.com/certificate/rootca.crt 2. This panel appears. Choose «Open».
3. Select «Install Certificate». 4. And «Next».
5. Select «Place all certificates in the following store» and click «Browse». 6. Select «Trusted Root Certification Authorities» and click OK
7. Select «Next». 8. And «Finish»..
9. The following message is displayed only for RootCA import. You have to check «Serial Number», «Thumbprint (sha1)» & «Thumprint (md5)». They must be exactly the same than reported below. Afterwards, select «Yes». 10. Click «OK» to finish the import.
4.3 Import the Dexia Bank Business CA certificate This Certification Authority has been renewed in 2011 This should be reinstalled 1 time The Dexia Business Certification Authority (Business CA) issue certificates for e-transfer on all business lines of Belfius. 1. Download certificate from http://pki.dexia.com/certificate/businessca_2011.crt 2. Choose «Open» and click «OK». 3. Select «Install Certificate».
4. Choose «Next». 5. Choose «Next» again.
6. And «Finish».
4.4 Generate your certificate request in your Windows profile 1. Connect to the registration website : https://pki.dexia.com/dcm 2. Enter your UsedID (received by mail) and your Authorisation Code (received by fax or by post) and click on Login. 3. Click on «Request a certificate»
4. Click on the certificate type 5. Click «Yes» to the confirmation for the «Digital certificate operation»
6. Verify the data presented and press «Submit» if correct. 7. Your certificate request will be submitted to Dexia Technology Services in order to be issued. A Dexia Technology Services security administrator will be automatically warned of your pending request.
4.5 Download of your personal certificate As soon as Dexia Technology Services has verified all your information, you will receive a mail containing the confirmation of the generation of your personal certificate and an installation procedure. You have to reconnect to the registration web site to download your certificate. The procedure described in the mail must be achieved on the same workstation used for the creation of your request (see step 4.4). 1. Connect to the registration website : https://pki.dexia.com/dcm 2. Enter your UsedID and your Authorisation Code and click on «Login».
3. Click on «Download your requested certificate» 4. Click «Yes» to the confirmation for the «Digital certificate operation»
5. Click «Install this certificate» The certificate is now installed on your workstation. Troubleshooting : If you receive following message Error 0x80096004 or 0x800B010A, please verify the correct execution of the point 4.2 and 4.3 of the present procedure.
4.6 Backup your keys and certificate Important : Backup your certificate file somewhere in case of failure of the server 1. In Internet Explorer; click on Tools and select Internet Options 2. Select the Content tab and click on Certificates
3. Select your certificate and click on Export 4. In the Export Wizard screen, click Next.
5. In the next screen, select Yes to export the Private Key and click on Next. 6. In the Certificate Export File Format screen, select Personal Information Exchange - PKCS and check the box Include all certificates. Click Next.
7. Type in a password and click Next. 8. Enter the directory where the certificate is to be stored, name the file, and click Next.
9. Complete the Certificate Manager Export Wizard by clicking on Finish. 10. Click OK to finish the import.
4.7 Import your keys and certificate on another computer 1. Double-click on your certificate file and the Certificate Import Wizard starts. Click Next 2. Check the file location and click Next
3. Type in a password and click Next 4. Complete the Certificate Manager Import Wizard by clicking on Finish.
5. Click OK to finish the import. 5. Renewal Procedure Before the expiration of your certificate (30 days), you will receive an e-mail to invite you to renew your certificate. To achieve this procedure, please follow the steps described in the chapter 4 Registration procedure.