FAQs

ESCB-PKI certificate management

  • Can an individual hold several digital ESCB-PKI certificates?
    • Yes, an individual can hold different ESCB-PKI certificates. For example, the same user can get a set of three "ESCB-PKI advanced certificates" (stored in a secure token) used to authenticate, encrypt and sign, and an "ESCB-PKI standard certificate" (software).

  • Which information is needed to obtain an ESCB-PKI certificate?
    • The detailed information can be found in the CPS and CPs. As an example, to obtain advanced certificates the following information will be required:

      - Personal data: Name, surname, date and place of birth, national id (passport or any equivalent document) number and a copy of the document used to verify his identity (passport, national id-card, etc.)

      - Organisation data: name of the organisation the user belongs to and a copy of the documents used to verify this relation (for NCB and ECB users, the personal id-card)

      - Secure token information: the serial number of his personal secure token

      - Legal agreement: the terms and conditions document signed by the user. This document will contain the personal and token information described above and the user responsibilities with regard to the use of ESCB-PKI certificates

  • How should I proceed to obtain ESCB-PKI certificates?
    • The detailed information can be found in the CPS and CPs. As an example, the process to obtain advanced certificates is as follows:

      - Step 0, preparation: The user must obtain his personal secure token (an ESCB-PKI token or a token that has been certified by the ESCB-PKI Competency Centre).

      - Step 1, request: The user requests ESCB-PKI certificates; the request can be sent using IAM interfaces.

      - Step 2, verification and acceptance: This step requires face-to-face verification of the data to be included in the certificate. The user must come before his local Registration Officer (RO) with a copy of the documentation used to validate both his identity and the organisation he belongs to. If everything is correct the RO will approve the certificate download and the user must sign the terms & conditions document.

      - Step 3, download: Certificates can be downloaded at that moment or later on by the end user himself. In both cases, the end user must provide his secure token and type his PIN.

  • What is the relationship between the ESCB-PKI project and the IAM project?
    • The relationship between ESCB-PKI and IAM can be summarised as follows:

      - ESCB-PKI requests can be sent using IAM interfaces.

      - ESCB-PKI uses IAM directory service to publish end-user certificates and CRLs.

      - Like any other ESCB application, ESCB-PKI uses the access control infrastructure provided by IAM and also the services provided by IAM to manage application roles.

  • How often do I need to get a new ESCB-PKI certificate?
    • Under normal conditions this will happen every 3 years, as this is the defined lifespan for any ESCB-PKI certificate.

  • How should I proceed to renew an ESCB-PKI certificate?
    • The detailed information can be found in the CPS and CPs. The procedure is similar to the one described to obtain ESCB-PKI certificates for the first time: during the renewal process the Registration Officer (RO) will check that the information used to verify the identity and attributes of the subscriber is still valid. If any of the subscriber's data have changed they must be verified and registered. As an example, the process to renew advanced certificates that are about to expire is as follows:

      - Step 0, preparation: The user receives a message informing him that his personal certificates will expire soon.

      - Step 1, request: The request for certificate renewal can be sent using IAM interfaces.

      - Step 2, verification and acceptance: This step requires face-to-face verification of the data to be included in the certificate. The user must come before his local RO with a copy of the documentation used to validate both his identity and the organisation he belongs to. If everything is correct the RO will approve the certificate download and the user must sign the terms & conditions document.

      - Step 3, download: Certificates can be downloaded at that moment or later on by the end user himself. In both cases, the end user must provide his secure token and type his PIN.

  • How should I proceed to suspend/reactivate an ESCB-PKI certificate?
    • Certificate suspension is the action that renders a certificate invalid for a period of time prior to its expiry date. The main effect of suspension is that the certificates become invalid until they are reactivated. Detailed information can be found in the CPS and CPs. As an example, if your personal secure token becomes unavailable (lost/stolen/broken) the process to suspend your advanced certificates is as follows:

      - Use the web tool available in the ESCB-PKI web page to suspend your certificates.

      - To get access you must either provide your suspension code or, if you also have a personal standard certificate (software-based), you can use it to authenticate.

    • See also: What is the suspension code?

  • What is the suspension code?
    • The suspension code is a shared secret between a certificate subscriber and the ESCB-PKI CA. To set your personal suspension code you must use the web tool available in the ESCB-PKI web page.

  • How to revoke an ESCB-PKI certificate?
    • Certificate revocation is the action that renders a certificate invalid prior to its expiry date. Detailed information can be found in the CPS and CPs. This action is executed by an ESCB-PKI Registration Officer (RO) and requires face-to-face verification of the user identity. The RO will use the web tool available in the ESCB-PKI web page to revoke your certificates.

  • How to recover an ESCB-PKI encryption certificate?
    • This feature will be available only to those Central Banks that demand this service. Please contact your local Service Desk to know if this feature has been allowed within your organisation. The detailed information for this process can be found in the CPS and CPs. As an example, the process to recover your personal advanced encryption certificates is as follows:

      - Use the web tool available in the ESCB-PKI web page to manage your certificates.

      - To get access you must authenticate using your secure token.

  • How to install a software certificate?
    • Once the ESCB-PKI CA has issued your standard certificate and you have downloaded it to your computer you must proceed to install it in your browser. This action is also called "import a software certificate".
      The specific procedure you should use depends on the browser and operating system you are using on your computer. Please contact your local Help Desk for assistance.

  • How should I proceed to import a software certificate?
    • A software certificate can be stored in (imported into) a secure token; this action is done using the specific tools provided by the token supplier. To import a software certificate into an ESCB-PKI token you must use the smart card software tool available in the ESCB-PKI web page. The licence for this tool is linked to the secure token; therefore you can download and install the tool on any PC on which you need to use your token. Sometimes the term "import a software certificate" is also used to mean "install a software certificate".

    • See also: How should I proceed to install a software certificate?

  • How should I proceed to export a software certificate?
    • Software certificates stored in the browser can be exported to have a backup or to install them on other computers or browsers.
      The specific procedure you should follow depends on the browser and operating system you are using on your computer. Please contact your local Help Desk for assistance.

  • How should I proceed to remove a software certificate?
    • The specific procedure you should follow depends on the browser and operating system you are using on your computer. Please contact your local Help Desk for assistance. Remember that if you remove your software certificate from your browser you will not be able to use it anymore unless you have a backup copy.

    • See also: How should I proceed to export a software certificate?

© European System of Central Banks. All rights reserved