TSP or Bank

The respective TSP or Bank will require to have in place internal routines for move or merger of RA's.

Such as:

• How to deal with the OTP tokens
• End user impact
• Information to end users
• How to deal with logs and how/who to archive (admin logs for certificates)

The respective TSP or Bank have to create and send a formal order to Vipps. Either on a signed or electronically signed document by TSP or Bank.

This order should contain:

• The purpose of the move or merger of the mention RA
• Detailed move or merger from and to what CA

The respective TSP or Bank have to fill out required order forms and send it to Vipps signed before or during the RA ceremony.

A copy must be sent before the RA ceremony.

Order forms templates can be found here: Order forms and information

RA XML request and Primary CAO token "Dongle"

The RA XML request must be created on the TSP system, for example through HAT tool. Primary CAO token is normally stored in a safe at the respective TSP (CA responsible). 

The respective Key Custodian for the TSP is responsible to carry and bring the RA XML request and the Primary CAO token "dongle" to the RA ceremony.

USB stick and Identification

Vipps recommend that Key Custodian always bring a new and unused USB stick and approved identification such as passport or driver license. If the Key Custodian is a non-Norwegian citizen, they must bring their passport. 

Vipps will ensure that the following is in place, before going further:

•  BITS approval
  If not provided by the

• TSP or Bank, contact BITS (Andreas Havsberg Andreas.Havsberg@bits.no or Torgeir Sørvik torgeir.sorvik@bits.no) and verify with them
•  Formal Order received
•  Order forms
  •  Signed - Naming of RA (Required)
  •  Signed - Revoke RA XML Request (Optional)
•  TSPs Primary CAO token
•  TSPs/Bank RA XML Request

If all is in place: all stakeholders align and agree on date and time for the following:

1. RA ceremony
2. Activation of New RA XML Sign Certificate
3. Switchover 
4. Revoke RA XML (Optional)

Normally step 2, 3 and 4 happens within the same 24h.

Vipps are to invite for RA ceremony and the Switchover. These invitation should contain, but not limited to:

• Purpose and description
• Date
• Time
• Duration
• Virtual Meeting Link or Address
• Attendees and contact points
• Information on what to bring

• Key Custodian ID check
• USB virus scan (USB stick that contains the RA XML Sign request)
• All required documentation in place
  • Note that RA naming order forms are to be stored in the BankID High secure room
    • Important that it is the original document (not scan or copies) 
      • If the documentation is signed with electronic signing, then a copy of that are to be stored in the BankID high secure room

TSP, Bank and Vipps

Issue New RA XML/SSL certificate(s) on New CA

Request activation of New RA XML Sign certificate(s) in BankID COI.

This is normally done during the same day as the Switchover.

1. Order

1. cutover issuing CA in BankID COI from old to New CA
2. Run test case sets to verify
   1. If successful, move to the next step
   2. If unsuccessful, investigate and resolve then move to next step
   3. if unsuccessful, not possible to fix, do a rollback
      1. When rollback is done, run test case sets to verify
3. Order revoke of old RA XML Sign certificate in BankID COI (optional)

This is normally done at midnight 00:00.

1. Bank renew end user BankID certificates
2. Bank asks merchants to renew merchant BankID's using HAT
3. Possible change of OTP Service by adding new and then removing old for each Banklagret BankID