Ceremony description

RA Ceremony

(Key Change Over)

RA Merger

RA Move

Date and time for the ceremony
Status for the ceremony


Date and time for the activation, switchover and revoke
Status for the activation, switchover and revoke



Resources bank and TSP:

Role | Name | Contact information
Key custodian


Resources Vipps:

Role | Name | Contact information





The physical meeting with all necessary participants.
This is when the new RA certificate is created in red zone.

Activation: When the new certificate is activated on the Vipps side.
This is usually done at a different time from the ceremony.

Switchover: When the traffic is switched from the old CA to the new CA.
This is usually done within 24 hours of the activation, but can also be done separately.

Before the ceremony:

Step | Description | Responsible | Task | Deadline | Status | Documents and notes

1) Set up internal routines

The respective TSP or Bank is required to have internal routines in place for the move or merger of RAs.

TSP or Bank

Decide the following:

  • How to deal with the OTP tokens
  • End user impact
  • Information to end users
  • How to deal with logs and how/who to archive (admin logs for certificates)

Note that the TSP/Bank is responsible for handling the end user certificates through the whole process, including revocation of old certificates.


The bank requests:
Information about which technical solutions the bank is to base itself on/use.

2) BITS Approval

The respective TSP or Bank will require BITS approval for the following move or merger before ordering an RA ceremony.

TSP or Bank


Information from BITS about the process:

New contact person when Andreas leaves?

3) Formal order to Vipps

The respective TSP or Bank has to create and send a formal order to Vipps as an electronically signed document, signed by the TSP or Bank.

TSP or Bank

This order should contain:

New RA:

  • Detailed information about the CA
  • Approval from BITS (from step 2)

Move or merger of RA:

  • The purpose of the move or merger of the mentioned RA
  • Detailed move or merger from and to what CA
  • Approval from BITS (from step 2)

Sign it electronically and send it by email to with cc and


Do we need anything more when creating a new RA?

The bank wants details about technical solutions.

4) Send order forms to Vipps

The respective TSP or Bank has to fill out the required order forms and send them, signed, to Vipps before or during the RA ceremony.

A copy must be sent before the RA ceremony.

TSP or Bank


Order form templates can be found here: Order forms and information

The form for RA Naming will be placed here

5) Make sure that the prerequisites are in order

Primary CAO token "Dongle" is normally stored in a safe at the respective TSP (CA responsible).

The respective Key Custodian for the TSP is responsible for bringing the RA XML request and the Primary CAO token "dongle" to the RA ceremony.

Key custodian for TSP
  • Create an RA XML request on the TSP system, for example through the HAT tool.
  • Make sure that the USB stick is new and unused.
  • Make sure that the Key Custodian has approved identification such as a passport or driver's license (if the Key Custodian is a non-Norwegian citizen, they must bring their passport).


6) RA ceremony coordination

Vipps will ensure that everything is in place and coordinate the ceremony and switchover with all stakeholders.


Check that the following is in place:

  • BITS approval - If not provided by the TSP or Bank, contact BITS and verify
  • Formal order received
  • Signed order forms
    • Signed - Naming of RA (Required)
    • Signed - Revoke RA XML Request (Optional)
  • TSPs Primary CAO token
  • TSPs/Bank RA XML Request

If all is in place, all stakeholders align and agree on date and time for the following:

  1. RA ceremony
  2. Activation of New RA XML Sign Certificate
  3. Switchover
  4. Revoke RA XML (Optional)

Normally steps 2, 3 and 4 happen within the same 24 hours.


7) Invitations

Vipps will send out a meeting invite for the ceremony and the switchover.


Create and send out the invitation to all stakeholders.

The invitation should contain, but is not limited to:

  • Purpose and description
  • Date
  • Time
  • Duration
  • Virtual Meeting Link or Address
  • Attendees and contact points
  • Information on what to bring



The Key Custodian for the respective TSPs is on-site with their Primary CAO token and the RA XML sign request.

Step | Description | Responsible | Task | Deadline | Status | Documents and notes

8) Pre RA ceremony check

Vipps will greet the participants and check that all is OK for moving on with the ceremony.


  • Participants need to sign in and out
  • All necessary resources are in place
    • Key Custodian
    • PKI
    • App
  • Key Custodian ID check
  • USB virus scan is done manually before entering the High secure room (the USB stick that contains the RA XML Sign request)
  • All required documentation is in place
    • Note that RA naming order forms are to be stored in the BankID High secure room. When the documentation is signed electronically, a copy of the document is to be stored


9) Perform RA ceremony

Vipps is to perform the RA ceremony.


Issue New RA XML/SSL certificate(s) on New CA.

Key custodian will need to oversee that the changes made are according to the documentation.


After the ceremony:

Step | Description | Responsible | Task | Deadline | Status | Documents and notes
10) Request activation

TSP/Bank needs to send a request to Vipps.

TSP and Bank


A template for the order will be created
11) Activation and switchover coordination

Vipps will coordinate the switchover with all stakeholders.

Vipps

Vipps will coordinate with the required resources.

If not already set, agree on the date and time for:

  1. Activation of New RA XML Sign Certificate
  2. Switchover
  3. Revoke RA XML (Optional)

These normally happen within the same 24 hours.


12) Activation

Vipps is to activate the new certificates.

This is normally done on the same day as the Switchover.


Activate the new RA XML Sign certificate(s) in BankID COI.

Performed by AO with PKI involved.


From the bank:

This could say something about storage of the XML certificate (for example an agreement between the bank and the RA supplier/service provider) and that the TSP must secure its secrets on return (?)

13) ?
TSP and Bank


From the bank:

There probably should have been a new row in the table that says something about what happens on the RA's side BEFORE the switchover

14) Switchover and revoke

Plan and implement the switchover and revoke.

TSP, Bank and Vipps
  1. TSP/Bank: Write a request for switchover issuing CA in BankID COI from old to New CA. Include the time wanted for this. Send by email to with cc and
  2. Vipps:
    1. Do the switchover
    2. Those who perform the switchover will inform the TSP/Bank by phone when it has been done
  3. TSP/Bank: Run test case sets to verify
    1. TSP/Bank: If successful, move to the next step
    2. Vipps: If unsuccessful, investigate and resolve, then move to the next step
    3. Vipps: If unsuccessful and not possible to fix, do a rollback
  4. (optional. If not done, the certificate will be active on the old CA until it expires) Bank/TSP: Send an order for revoke of old RA XML Sign certificate in BankID COI by email to with cc and
  5. (optional) Vipps: Revoke the old certificate


A template for the order will be created

The form for revocation will be placed here

15) Renewals 

Renewals of end users, merchants etc.

As decided in step 1.

TSP and Bank
  1. Bank renews end user BankID certificates
  2. Bank asks merchants to renew merchant BankIDs using HAT
  3. Possible change of OTP Service by adding a new and then removing the old

