Ceremony description

RA XML renewal

Date and time for the ceremony

Status for the ceremony

Status: Planning

Date and time for the activation, switchover and revoke

Status for the activation, switchover and revoke

Status: Planning

References

Comments

Resources bank and TSP:

Role

Name

Contact information

Key custodian

Other

Resources

...

BankID:

Role

Name

Contact information

Coordinator

PKI

App

Definitions:

What

Description

Ceremony

The physical meeting with all necessary participants.
This is when the new RA certificate is created in red zone.

Activation

When the new certificate is activated on BankID side.
This is usually done at another time than the ceremony.

Before the ceremony:

Step

Description

Responsible

Task

Deadline

Status

Documents and notes

1) Send order forms to BankID

The respective TSP or Bank has to fill out the required order forms and send them, signed, to BankID before or during the RA ceremony.

A copy must be sent before the RA ceremony.

TSP or Bank

  • TSP/Bank fills out the required order form.

  • Send a copy before the RA ceremony by
    • email to marita.gustavsen@bidbax.no with cc lise.aas@bidbax.no and lam.van.ngo@bidbax.no
    • creating a ticket here.

Status: Planning

Order form templates can be found here: Misc forms for BankID Support

2) Make sure that the prerequisites are in order

Primary CAO token "Dongle" is normally stored in a safe at the respective TSP (CA responsible).

The respective Key Custodian for the TSP is responsible for bringing the RA XML request and the Primary CAO token "dongle" to the RA ceremony.

Key custodian for TSP

  • Create an RA XML request on the TSP system, for example through the HAT tool.

  • Make sure that the USB stick is new and unused

  • Make sure that the Key Custodian has approved identification such as a passport or driver license (if the Key Custodian is a non-Norwegian citizen, they must bring their passport)

Status: Planning

3) RA ceremony coordination

BankID will ensure that everything is in place and coordinate the ceremony and the switchover/activation with all stakeholders.

BankID

Check that the following is in place:

  •  Formal order received
  •  Signed order forms
    •  Signed - Naming of RA (Required)
    •  Signed - Revoke RA XML Request (Optional)
  •  TSPs Primary CAO token
  •  TSPs/Bank RA XML Request

All stakeholders align and agree on date and time for the following:

  •  1. RA ceremony
  •  2. Activation of New RA XML Sign Certificate
  •  3. Revoke the old RA Certificate (Optional)

Normally steps 2 and 3 happen within the same 24h.

Status: Planning

4) Invitations

BankID will send out a meeting invite for the ceremony and the switchover.

BankID

Create and send out the invitation to all stakeholders.

The invitation should contain, but is not limited to:

  • Purpose and description

  • Date

  • Time

  • Duration

  • Virtual Meeting Link or Address

  • Attendees and contact points

  • Information on what to bring

Status: Planning

Ceremony:

The Key Custodian for the respective TSPs is on-site with their Primary CAO token and the RA XML sign request.

Step

Description

Responsible

Task

Deadline

Status

Documents and notes

5) Pre RA ceremony check

BankID will greet the participants and check that all is OK for moving on with the ceremony.

BankID

  • Participants need to sign in and out

  • All necessary resources are in place

    • Key Custodian

    • PKI

    • App

  • Key Custodian ID check is done by the SO

  • USB virus scan is done manually before entering the High secure room (USB stick that contains the RA XML Sign request)

  • All required documentation is in place

    • Note that RA naming order forms are to be stored in the BankID High secure room. When the documentation is signed electronically, a copy of the document is to be stored

    Status: Planning

    6) Perform RA ceremony

    BankID is to perform the RA ceremony

    BankID

    BankID will guide the key custodian through issuing of the new RA XML/SSL certificate(s).

    The key custodian will need to oversee that everything is done according to the documentation.

    Status: Planning

    After the ceremony:

    Step

    Description

    Responsible

    Task

    Deadline

    Status

    Documents and notes

    7) Request activation

    TSP/Bank needs to send a request to BankID.

    TSP and Bank

    Status: Planning

    8) Activation coordination

    BankID will coordinate with all stakeholders.

    BankID

    BankID will coordinate with the required resources.

    If not already set, agree on the date and time for:

    •  1. Activation of New RA XML Sign Certificate
    •  2. Revoke RA XML (Optional)

    Normally happens within the same 24h.

    Status: Planning

    9) Activation

    Activation/ Revocation (optional)

    BankID is to activate the new certificates.

    BankID

    Activate the new RA XML Sign certificate(s) in BankID COI. Normally done within 24 hours after the ceremony.

    Optional: Revoke the old certificate. Date agreed upon in step 3.

    Performed by AO with PKI involved.

    BankID will inform the TSP/Bank when this has been done.

    Status: Planning

    10) Certificate check

    Check that the certificate is working

    TSP and Bank

    TSP/Bank needs to check that the newly activated certificate is working towards ODS.

    Status: Planning

    11) Revoke (optional)

    Plan and implement the revoke.

    TSP, Bank and BankID
    1. BankID:
      1. Do the switchover
      2. Those who perform the switchover will inform the TSP/Bank by phone when it has been done
    2. TSP/Bank: Run test case sets to verify
      1. TSP/Bank: If successful, move to the next step
      2. BankID: If unsuccessful, investigate and resolve, then move to the next step
      3. BankID: If unsuccessful and not possible to fix, do a rollback
    3. (optional. If not done, the certificate will be active on the old CA until it expires) Bank/TSP: Send an order for revoke of old RA XML Sign certificate in BankID COI by email to marita.gustavsen@bidbax.no with cc lise.aas@bidbax.no and lam.van.ngo@bidbax.no
    4. (optional) BankID: Revoke the old certificate

    Status: Planning

    Order form templates can be found here: Misc forms for BankID Support

    Optional: Check that the revoked certificate is no longer working towards ODS.

    Status: Planning