Introduction

This document guides a user through creating and maintaining a user account and obtaining signed certificates with Gigi.

The structure of the document follows the workflow: creating an account, adding emails and domains to the account, creating certificates and using the account.

The documentation is based on the software release 0.1-63-g15f6a8ad.

This documentation covers all elements used by an ordinary user. There is separate documentation for users with the roles RA Agent, Organisation Agent and Supporter.

Convention

Addressing menu entries: topic – subtopic (key template menu)

Addressing buttons: button text (key template button)

“see link to” refers to links given on the web page; they are not reproduced in this documentation.

Create Account

To create a new account use SomeCA – Register.

Enter Name

As Gigi aims to issue certificates holding the real name of a person, enter the name according to your official ID documents.

While registering the account you need to enter one name variant. Once the account is active, additional name variants can be entered (see Add further name variants).

There is the choice of different name styles:

  • First – Last – Suffix Name, where a name is separated into three name parts:

    • First Names containing at least one full first name; all other first names may be left out or abbreviated. The order can be chosen and stays as entered.
    • Last Names containing at least one last name. If more names are entered, the order needs to follow the official ID documents.
    • Suffixes containing suffixes according to your official ID documents. For more information see link to Help on Names.
Screenshot Western Style

  • Single Name if a name consists of only one name. Here no variation is allowed.
Screenshot Single Name

Enter Date of Birth

To create an account a minimum age of 16 years is required. This restriction is governed by European data protection laws. If a person is younger than 16 years, there may be the possibility to create a child sub-account from the parent's account.

The date entered needs to be the one in your official ID documents.

Enter residence country

The country in which you currently reside. This information is optional and used for statistical purposes only.

Enter email address

Enter your email address; it is used as the recipient address for any information provided by Gigi and to log in to the system.

Once the account is active, more email addresses can be entered (see Manage Email Addresses).

Enter password

The password needs to be entered twice to make sure it is entered correctly.

Your password is one of many factors protecting your account from unauthorised access. A good password is hard to guess, long, and contains a diverse set of characters. The system does some checks to ensure that the given password has an appropriate strength. For more information see link to FAQ.

Enter Agreement to Terms of Service

To create an account you must accept the Terms of Service. For the current version of the Terms of Service see link to ToS.

Finish registration

To finish the registration process press Next.

The system validates all entered data, points to errors and, if the validation passes, sends a confirmation mail to the given email address.

The confirmation email contains a link to confirm your account registration; the link is valid for 24 hours.

After successful confirmation, continue with logging in to the system.

Login to Account

Once the account is successfully verified, two ways to log in are available.

For security reasons Gigi uses session cookies to store temporary values. This prevents people from copying and pasting the session ID to someone else, which would expose their account and personal details and could result in identity theft.

Password Login

To login with password use SomeCA – Password Login.

Screenshot Password Login

Enter the default email address of the account and the password.

If the login credentials do not match your entries, see link to the wiki page on how to reset the password.

Certificate Login

With a valid certificate use SomeCA – Certificate Login.

Screenshot Certificate Login

Select a certificate from the dialogue. The screenshot was taken in Chrome; the dialogue varies depending on the browser used.

Manage Email Addresses

To manage email addresses use Verification – Email Addresses.

Add Email Address

Screenshot Add email address

To add a further email address, enter it in the field and submit it with 'I own or am authorised to control this email address'. A confirmation email containing a link to verify the email address is sent to the entered address; the link is valid for 24 h. After this period has expired you need to enter the email address once more.

If you want to add an email address with a Punycode domain, you need the code signing ability, which can be obtained once your identity is proven.

Set Default Email Address

Screenshot Set default email address

If at least two email addresses are registered to an account, one of them needs to be the default email address. This address is used whenever the system sends email or notifications to the account owner.

To set an email address as default use Set as Default.

Reping Email Address

To issue a certificate for a listed email address, the address must have a successful verification not older than 6 months. To verify the email address once more, use Request ping to generate a new confirmation mail sent to the requested email address. Follow the link in the mail to verify the email address. The verification link is valid for 24 h; afterwards you need to request a new one.

Delete Email Address

To delete an email address just press Delete.

If the email address is marked as default, the default needs to be moved to another email address of the account prior to deletion.

The last email address can only be deleted in the course of the account termination.

Manage Domains

To manage domains use Verification – Domains.

Any change on this page is submitted by using I own or am authorised to control this domain.

Certificates can only be issued for verified domains.

Add Domain

Screenshot Add domain

To add a domain to an account, enter the domain name. It is recommended to add only the main domain and no subdomains, as certificates for subdomains can be created if the main domain belongs to the account.

If you want to add a Punycode domain, you need the code signing ability, which can be obtained once your identity is proven.

Verify Domain

Prior to issuing a server certificate, the owner of the domain needs to prove that they have access to the domain. The proof is established by passing at least 2 of the following 4 verification methods.

The system re-checks the verification automatically every 6 months. If a verification fails, the owner of the account is informed via email to their default address.

If fewer than 2 successful methods are left after the warning, all certificates for that domain will be revoked automatically within 2 weeks after the warning.

Email

Screenshot Verification via email

An email with a verification link is sent to one of the given addresses. The mail is sent to the address you choose, with example.org replaced by the given domain name.

DNS-TXT

Screenshot Verification via DNS-TXT

Add the given text to the zone file of your domain.

HTTP Content

Screenshot Verification via HTTP content

Place a file with the given content at the given location on your web space. In the given example, a file with the content "gAZBNJqYJGOkDcws" needs to be placed at http://example.org/.well-known/someca-challenge/FzpeYzdX.txt.

Certificates

Screenshot Verification via certificate

You can place a valid server certificate obtained from the system, or a self-signed certificate, so that it is reachable through one of the given web services.

If you want to use a self-signed certificate, you can use the given OpenSSL commands to create it. The self-signed certificate needs to contain your domain as CN and the given text as organisational unit (OU); in the example "gAZBNJqYJGOkDcws".

E.g.:

openssl req -newkey rsa:4096 -subj "/CN=example.org/OU=gAZBNJqYJGOkDcws" -nodes -out myCSR -keyout myKey

openssl x509 -req -in myCSR -signkey myKey -out myCert -extfile <(printf 'extendedKeyUsage = serverAuth\n')

The <( ... ) process substitution requires bash; in other shells write the line extendedKeyUsage = serverAuth to a file and pass that file name to -extfile.
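
The following script is an added example and not part of the Gigi documentation: it builds the self-signed verification certificate from the commands above and then checks it the way a domain checker would, i.e. CN equals the domain, OU equals the challenge token and the serverAuth extended key usage is present. The file names myCSR, myKey, myCert and ext.cnf inside a work directory are assumptions, and a 2048-bit key is used here for speed where the page shows rsa:4096.

```shell
# Added example (not from the Gigi documentation). Requires the openssl CLI.

make_verification_cert() {
  # $1 = domain, $2 = challenge token from the Domains page, $3 = work dir
  domain=$1; token=$2; dir=$3
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$domain/OU=$token" \
    -out "$dir/myCSR" -keyout "$dir/myKey" 2>/dev/null || return 1
  # Extension file instead of bash process substitution, so this runs in sh.
  printf 'extendedKeyUsage = serverAuth\n' > "$dir/ext.cnf"
  openssl x509 -req -in "$dir/myCSR" -signkey "$dir/myKey" -days 30 \
    -extfile "$dir/ext.cnf" -out "$dir/myCert" 2>/dev/null || return 1
}

check_verification_cert() {
  # $1 = certificate file, $2 = expected domain, $3 = expected token
  # Subject printed one RDN per line with leading spaces stripped,
  # e.g. "CN=example.org" and "OU=gAZBNJqYJGOkDcws".
  subject=$(openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
            | sed 's/^ *//')
  printf '%s\n' "$subject" | grep -qxF "CN=$2" || return 1
  printf '%s\n' "$subject" | grep -qxF "OU=$3" || return 1
  # The EKU must name TLS server authentication, as the extfile requested.
  openssl x509 -in "$1" -noout -text \
    | grep -q 'TLS Web Server Authentication' || return 1
  return 0
}

# Demo run with the domain and token shown on the page.
demo_dir=$(mktemp -d)
make_verification_cert example.org gAZBNJqYJGOkDcws "$demo_dir" \
  && check_verification_cert "$demo_dir/myCert" example.org gAZBNJqYJGOkDcws \
  && echo "verification certificate OK"
rm -rf "$demo_dir"
```

A certificate built with the wrong token or for another domain fails the check, which is the case you want to catch locally before the system runs its own check.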

Delete Domain

Screenshot Delete domain

To delete a domain from the account use Delete.

All server certificates containing the deleted domain will be revoked automatically by the system.

Manage Certificates

Get New Certificate

To get a new certificate use Certificate – Create Certificate.

Select Key method

There are two ways to create a certificate: either with a CSR (Certificate Signing Request), or, if the used browser supports key generation via SPKAC, within the browser.

It is recommended to use the CSR way. To obtain a CSR, use either the open source tool OpenSSL or XCA (https://sourceforge.net/projects/xca/).

Screenshot New certificate via CSR

Just copy the CSR to the field and use Next to continue.

Alternatively, use in-browser key generation, where a new private key is generated by the browser. In this case the private key should be exported from the truststore used by the browser; see the documentation of your browser for details.

Screenshot New certificate via browser

Select the key size. It is recommended to use the strongest possible strength. Use Next to continue.

If the browser does not support SPKAC, the key size might not be visible.

If the alert “Error no action” is shown, the used browser does not support SPKAC.

Select Key type

Screenshot Select key type

Select the appropriate key type according to the needs:

Key type            Description
ssl-client          Used for authentication and login
mail                Used to sign and encrypt documents and emails
ssl-client + mail   Used for authentication & login and to sign & encrypt documents & emails
ssl-server          Used for SSL/TLS encryption on servers
codesign            Used for signing code, only available with code signing ability

Depending on Verification Points (see Points) and context, the number of available types varies.

Enter Name

Screenshot Enter name

For a server certificate leave this field blank.

For a client certificate you can enter the name that is used as CN in the certificate.

Whether a name variant can be used depends on the Verification Points (VP) available for it.

To use a name variant at least 50 VP need to be assigned to the variant.

By default the system uses the preferred name of the account.

If less than 50 VP are available the default “SomeCA User” will be used.

Client certificate

Screenshot Enter email address

Enter an email address associated to the account with “email:my.email@example.org”.

If more than one email address should be used, either concatenate the entries with commas or use separate lines.

Server Certificate

Screenshot Enter server address

Enter a domain associated to the account with “dns:my.domain.example.org”.

Any subdomain or wildcard domain can be used.

If more than one domain should be used, either concatenate the entries with commas or use separate lines.

Advanced Options

Screenshot Advanced options

If Show advanced options is used, one of three hash algorithms for the signing can be chosen. Default is SHA512.

The maximum allowed validity period is 6 months for accounts with less than 50 VP and 2 years for accounts with at least 50 VP.

The start date can be changed from now to at most 14 days in the future by selecting the appropriate date from the drop-down list.

The period length can be changed by entering the number of years (y) or months (m), or the end date (yyyy-mm-dd).

Certificate Login

Screenshot Enable certificate login

For SSL client certificates choose whether the certificate can be used to log into the system.

It is recommended to have at least one certificate with login enabled.

Optional Comment

Screenshot Optional comment

Optional comments will be visible in the certificate overview only. The comment is not added to the certificate.

Finish Process

Use Issue Certificate to finish the process.

Once the request is submitted, please be patient until the certificate is signed.

After successful creation the certificate details page is displayed (see Certificate Details).

Manage Certificates

To list all certificates of an account use Certificates – Certificates.

Screenshot Certificate list

By default only non-revoked certificates are shown.

Certificates that will expire during the next 2 weeks are indicated with a yellow background for the expiration date.

Expired certificates are displayed with a red background for the expiration date.

The login column indicates that this certificate can be used to log into the system.

To revoke certificates, select the appropriate ones and use Revoke Selected Certificates to start the revocation process.

By clicking onto the serial number the certificate details will be displayed.

Certificate Details

X.509 Info

Screenshot Certificate info

The X.509 part shows the profile which is used (see Select Key type).

Use the links to the different certificate formats.

If the private key was created in the browser, the public key can be installed into the truststore of the browser. Afterwards the keys should be exported as a backup; see the documentation of the browser.

Validity

Screenshot Certificate validity

The validity section shows the status of the certificate, the validity period and optionally the revocation date.

Certificate Info

Screenshot Certificate info

The certificate info shows the fingerprint and the PEM encoded public key. If needed just copy the PEM from here.

Certificate Details

Screenshot Certificate details

The certificate details show whether the certificate can be used to log into the system, the hash algorithm used for the signing, the distinguished name and the subject alternative names.

Changes in Account

To change data in the account use My Account – My Details.

Add further name variants

You can add as many name variants as you want (see Enter Name).

Change name

Screenshot List of names

The account uses one name variant as preferred name. This name is used wherever the account owner is addressed.

Decide which name variant is used as preferred name by using Set as Preferred.

If a name variant is removed from the account, all certificates with that name variant will be revoked by the system. Use Remove Name to remove a name variant. The preferred name cannot be removed from the account by the user.

If a name variant is marked as deprecated, it is no longer available for certificates and is not displayed to other users, e.g. while entering Verification Points. Certificates already issued to the name variant are not changed. Use Deprecate Name to mark the name variant as deprecated. You will be prompted to confirm the process. A deprecated name variant can be identified by the enabled button (e.g. Jonny in the picture).

Change DoB

Screenshot Change DoB

If the account has not yet received a verification, the owner of the account is able to change the DoB. Change the date and use Update Date of Birth to update the entry.

Once at least one verification is entered for the account, the DoB can only be changed via support.

Change Residence Country

Screenshot Change residence country

This entry is used for statistics. Enter your current country of residence and not the country of birth.

Choose the appropriate country and use Update Residence Country.

Change Password

The password can be changed by the user. Use My Account – Change Password to start the process.

Screenshot Change password

Enter the old password once and the new password twice, then use Update Password.

If the password is lost, it can be reset in the course of a verification. During the verification the RA Agent starts the password reset. This ensures that only the owner of an account is able to trigger the password reset.

Change Permissions

Screenshot Permissions

Currently three permissions can be added or removed by the user.

Permission: requests to be verified via ttp
Description: If this permission is granted, the TTP RA Agents are notified that the user wants to get a TTP verification. It might take some time until the process is started.

Permission: wants access to the locate agent system
Description: If this permission is granted, the owner gets access to the locate agent system. This system is currently not available.

Permission: wants to receive an email notification for any Verification they enter
Description: If this permission is granted, the owner receives an email whenever they enter a verification into the system as RA Agent.

Verification

The system is designed to prove the identity of a user by verifications.

Therefore the owner of an account needs to meet an RA Agent; RA Agents are specially trained persons who are allowed to conduct a verification.

During a verification meeting the owner needs to show their government-issued ID documents to the RA Agent. The RA Agent checks whether the name variants given on the verification form match the names in the ID documents.

After the meeting the RA Agent grants Verification Points according to their skill level, which may range from 10 to 35 Verification Points (VP).

In some areas there might be the chance to take part in the Trusted Third Party Verification programme (see Request TTP).

There are three main levels of Verification Points:

Points range: 0-49 Verification Points
Description: The name variant cannot be used within a client certificate.

Points range: >= 50 Verification Points
Description: To use a name variant within a client certificate, at least 50 VP need to be granted to it.

Points range: >= 100 Verification Points
Description: With at least 100 VP there is the chance to become an RA Agent oneself and to apply for the ability to issue code signing certificates.

To use a name variant in a client certificate, its last verification must not be older than 27 months at the time the client certificate is issued.

An RA Agent can verify the identity of a person more than once. For the calculation of the VP of a name variant, only the last amount granted by that RA Agent is counted. Multiple verifications by the same RA Agent require a timespan of at least 3 months between them.

Points

To see the Verification Points given to an account use Verification Points.

Screenshot Verification Points

The table shows for which name variant how many points were granted.

Request TTP

If you have not yet reached 100 Verification Points and you are located in an area with few RA Agents available for verifications, you may be able to use the TTP programme to get a verification.

Currently this programme is supported for these countries:

  • Australia
  • Puerto Rico
  • USA

On Verification – Request TTP you have the chance to request to be part of the programme.

Screenshot Request TTP

Only two TTP verifications can be counted for the number of Verification Points.

Additional Information

Trainings

For certain roles in the system there is the need to pass some knowledge tests. These knowledge tests are available on a separate system (Link???).

To get access to the knowledge tests, a valid certificate issued by the system is required for login.

All passed tests are sent to the system.

Screenshot Trainings

The list of passed tests can be viewed under My Account – Trainings.

History

Screenshot History

My Account – History shows any changes to the account triggered by support.

Access to Find Agent

My Details – Access to Find Agent needs to be implemented.

Root Certificates

SomeCA – Root Certificate provides all root and intermediate certificates used to issue certificates.

Prior to using a certificate issued by SomeCA, the chain of intermediate and root certificates needs to be added to the truststore used by the desired application.

Screenshot List of root certificates

Report Key Compromise

SomeCA – Report Key Compromise gives the opportunity to report a compromised key. A key is compromised if someone else has unauthorised access to the private key.

Screenshot Report compromised key

To prove that the reporter has access to the private key of a certificate, the following data needs to be provided.

For the certificate, enter either the certificate as plain text (PEM or DER) or the serial number.

For the key, enter either the private key as plain text (PEM or DER) or a special signature.

To create the signature use the following command structure (adjust the challenge according to the current screen values):

printf '%s' 'This private key has been compromised. Challenge: lKczLqJnfyWvY35xf7CcK5qA9bNDBvmc' | openssl dgst -sha256 -sign priv.key | base64

Screenshot Additional information

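The following script is an added example and not part of the Gigi documentation: it produces the base64 signature described above and verifies it locally against the matching public key before it is pasted into the form, so a mistyped challenge or the wrong key file is caught early. The statement text is taken from the command shown on the page, folded onto one line (an assumption; copy the exact text from the current screen), and the key files priv.key and pub.key are constructed here.

```shell
# Added example (not from the Gigi documentation). Requires the openssl CLI.

statement() {
  # $1 = challenge string copied from the Report Key Compromise page.
  # Exact wording is assumed from the page's command; take it from the screen.
  printf '%s' "This private key has been compromised. Challenge: $1"
}

sign_compromise_statement() {
  # $1 = private key file (PEM), $2 = challenge; prints the base64 signature
  statement "$2" | openssl dgst -sha256 -sign "$1" | base64
}

verify_compromise_statement() {
  # $1 = public key file (PEM), $2 = challenge, $3 = base64 signature
  # Returns 0 only if the signature covers exactly this statement and was
  # made with the private key matching $1 (what the CA side has to check).
  sigfile=$(mktemp)
  printf '%s\n' "$3" | base64 -d > "$sigfile" 2>/dev/null \
    || { rm -f "$sigfile"; return 1; }
  if statement "$2" | openssl dgst -sha256 -verify "$1" -signature "$sigfile" \
       >/dev/null 2>&1; then
    rm -f "$sigfile"; return 0
  fi
  rm -f "$sigfile"; return 1
}

make_demo_key() {
  # $1 = work dir; writes a constructed demo key pair priv.key / pub.key
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/priv.key" 2>/dev/null || return 1
  openssl pkey -in "$1/priv.key" -pubout -out "$1/pub.key" 2>/dev/null
}

# Demo run with the challenge value shown on the page.
demo_dir=$(mktemp -d)
make_demo_key "$demo_dir"
demo_sig=$(sign_compromise_statement "$demo_dir/priv.key" lKczLqJnfyWvY35xf7CcK5qA9bNDBvmc)
verify_compromise_statement "$demo_dir/pub.key" lKczLqJnfyWvY35xf7CcK5qA9bNDBvmc "$demo_sig" \
  && echo "signature verifies; this is the value to paste into the form:" \
  && printf '%s\n' "$demo_sig"
rm -rf "$demo_dir"
```
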
You may provide information on how the private key was compromised to help the certificate owner prevent further key compromises. You can indicate that this information should not be sent to the certificate owner, but only be visible to SomeCA staff, by checking the checkbox.

If the report of the compromised key was successful, the reported certificate will be revoked and the owner of the certificate will be informed via email.

Certificate Status

SomeCA – Certificate Status enables any user to see if a certificate by SomeCA is still valid or revoked.

Screenshot Request certificate status

Enter either the certificate as plain text PEM or the certificate serial number.

If the provided information is related to a certificate issued by SomeCA, the answer will be either that the certificate is valid or that the certificate was revoked on YYYY-MM-DD hh:mm.

About

SomeCA – About shows the currently installed version of the software.

Screenshot About

Statistics Roles

If logged in, SomeCA – Statistics Roles provides information about how many users hold roles within the software.

If you belong to a role, you might see who else holds the same role.

Screenshot Statistics Roles


Copyright WPIA 2018-2019