Key custodian

Other

Coordinator

PKI

App

Ceremony

The physical meeting with all necessary participants.
This is when the new RA certificate is created in red zone.

Activation

When the new certificate is activated on BankID side.
This is usually done at another time than the ceremony.

Switchover

When the traffic is switched from the old CA to the new CA.
Only applicable when moving from one CA to another.

1)

Set up internal routines

The respective TSP or Bank will require to have in place internal routines for move or merger of RA's.

TSP or Bank

Decide the following:

• How to deal with the OTP tokens

• End user impact

• Information to end users

• How to deal with logs and how/who to archive (admin logs for certificates)

Note that the TSP/Bank is responsible for handling the end user certificates through the whole process, including revoke of old certificates.

2) BITS Approval

The respective TSP or Bank

will require BITS approval for the following move or merger before ordering an RA ceremony.

TSP or Bank

• The TSP/Bank describes the change

• Send email to Torgeir.Sorvik@bits.no for approval

Information from BITS about the process:

3) Send order forms to

BankID

The respective TSP or Bank have to fill out required order forms and send it to

BankID signed before or during the RA ceremony.

A copy must be sent before the RA ceremony.

TSP or Bank

TSP/

bank creates a ticket here including the following:

• RA order form

• Approval from BITS (from step 2)

• Revoke RA XML Request (Optional)

Order form templates can be found here: Misc forms for BankID Support

4) Send change request to BankID

BankID needs information from TSP/bank to make sure all internal systems are updated after the change.

TSP or Bank

TSP/bank creates a ticket here with all the relevant information.

Will be done after the activation/ switchover.

Examples:
Splunk Partnerinnsikt
BankID App
Biometri Backoffice
etc.

5) Make sure that the prerequisites are in order

Primary CAO token "Dongle"

is normally stored in a safe at the respective TSP (CA responsible).

The respective Key Custodian for the TSP is responsible to carry and bring the RA XML request and the Primary CAO token "dongle" to the RA ceremony.

Key custodian for TSP

• Create an RA XML request on the TSP system, for example through HAT tool.

• Make sure that the USB stick is new and

• unused

• Make sure that the Key Custodian

• have approved identification such as a passport or driver license

• (if the Key Custodian is a non-Norwegian citizen, they must bring their passport

• )

6) RA ceremony coordination

BankID will ensure that everything is in place and coordinate the ceremony and switchover with all stakeholders.

All stakeholders align and agree on date and time for the following:

•  1. RA ceremony
•  2.

• Switchover
•  3

• . Revoke the old RA

• Certificate (Optional)

7) Invitations

BankID will send out

a meeting invite for the ceremony and the switchover.

Create and send out the invitation to all stakeholders.

The invitation should contain, but not limited to:

• Purpose and description

• Date

• Time

• Duration

• Address

• Attendees and contact points

• Information on what to bring

8) Pre RA ceremony check

BankID will greet the participants and check that all is OK for moving on with the ceremony.

• Participants need to sign in and out

• All necessary resources are in place

  • Key Custodian

  • PKI

• Key Custodian ID check is done by the SO

• USB virus scan is done manually before High secure room (USB stick that contains the RA XML Sign request)

• All required documentation is in place

  • Note that RA naming order forms are to be stored in the BankID High secure room. When the documentation is signed electronically, a copy of the document

• • is to be stored

9) Perform RA ceremony

BankID is to perform the RA ceremony

BankID will guide the key custodian through issuing of the new RA XML/SSL certificate(s) on

the new CA.

Key custodian will need to oversee that the changes made are according to the documentation.

10)

Activation

BankID is to activate the new certificates.

Activate the new RA certificate(s) in BankID

. Normally done within 24 hours after the ceremony.

Performed by AO with PKI involved.

11)

Certificate check

Check that the certificate is working

TSP and Bank

TSP/Bank needs to check that the new activated certificate is working towards ODS. 

When moving from one CA to another:
Check that the new certificate have access to display the existing certificates on the old CA.

12) Switchover

Plan and implement the switchover

.

TSP, Bank and

1. BankID:

   1. Do the switchover

1. 1. Those who perform the switchover will inform the TSP/Bank by phone or email when it has been done

2. TSP/Bank:

1. Run test case sets to verify

   1. TSP/Bank: If successful, move to the next step

   2. BankID: If unsuccessful, investigate and resolve then move to next step

   3. BankID: if unsuccessful, not possible to fix, do a rollback

      • Bank/TSP: When rollback is done,

1. 1. • run test case sets to verify

Order form templates can be found here: Misc forms for BankID Support

13) Revoke (optional)

Revoke the old certificate

BankID

BankID: Revoke the old certificate as decided in step 6.

14) Renewals 

Renewals of end users, merchants etc.

As decided in step 1.

TSP and Bank

When moving from one CA to another:

1. Bank renew end user BankID certificates

2. Bank asks merchants to renew merchant BankID's using HAT

3. Possible change of OTP Service by adding a new and then removing

1. the old

This is best done outside of peak hours to reduce the risk of latencies.

15) Other changes

Name changes etc.

BankID will follow up on activites internally, as ordered in step 4:

•  BankID App
•  Biometri
•  BASS
•  Splunk Partnerinnsikt
•  Antisvindel
•  Database
•  Tilgangspakker
•  Bestillingsportalen