An electronic certificate can be seen as a digital identity card. It is used mostly to identify and authenticate a natural or legal person, but also to encrypt exchanges. It is signed by a trusted third party that certifies the link between the physical identity and the digital (virtual) entity. The most widely used standard for digital certificates is X.509.
Depending on my connection mode, I do not have the same prerequisites.
The table below specifies the type of certificate expected based on your Chorus Pro connection mode.
- Server authentication certificate = SSL Server
- Client type server authentication certificate = SSL Client
I must acquire one or more of the certificates listed in the table above.
I must contact a supplier from the LSTI list.
Once I have chosen my provider, I contact them to explain that I would like to order a "server authentication" certificate or a "client type server authentication" certificate, depending on my case; the certificate must be RGS* compliant. For some connection modes (EDI PesIT), I may have to acquire both certificates.
- Server authentication certificate = SSL Server
- Client type server authentication certificate = SSL Client
For the naming of an SSL Server certificate or an SSL Client application certificate, refer to annex A3 of RGS V2, chapter III.1: Naming.
The certificate must be sent in PKCS#7 format with the complete certification chain.
You can ask for a free test certificate from a Certificate Authority for your test environment. After validating your tests, you can ask for a certificate for your production environment.
I must check the compliance of the certificate(s) with the requirements of the CPP qualification platform according to my connection mode.
In the certificate details tab:
The Extended key usage indicates the role of the certificate. It must contain "SERVER authentication" or "CLIENT authentication".
This is an exclusive OR: the certificate carries one of the two roles, not both.
The Key usage must contain:
- For a server certificate = Digital signature, Key encipherment
- For a client certificate = Digital signature
Certificate Policy: this field indicates the policy reference of the certificate.
- You must check that the reference is listed in the LSTI list
- The certificate must be listed at least at RGS* level
- The certificate must be sent in PKCS#7 format with the complete certification chain
If all the items listed above are confirmed, the certificate is valid.
Whichever protocol you choose, you will need to provide server authentication certificates. Please note that there are two types of authentication certificates: server and personal. Do not use personal authentication certificates, as they will not be accepted. If you want to exchange signed flows, you will need to provide an additional certificate dedicated to signing.
1 Attributes of certificates
Certificates contain attributes that determine how they are used.
For Chorus Pro, two attributes are essential:
- Extended key usage (Extended KeyUsage)
- Key usage (KeyUsage)
The following paragraphs give the exact values of these certificate attributes.
Extended KeyUsage Vocabulary
Suppliers use different names for the values of the Extended KeyUsage attribute. Note that:
- SSL Server and Server Authentication are equivalent;
- SSL Client and Client-type server authentication are equivalent.
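The checks described above and in the earlier checklist (Extended Key Usage as an exclusive OR, the Key Usage bits per role, and the PKCS#7 bundle carrying the whole chain), as an added shell example. It is not Chorus Pro tooling: it relies only on the openssl command line (1.1.1 or later for -addext), and the certificates it tests are self-signed throw-aways built locally for demonstration, not certificates from an LSTI-listed supplier.

```shell
# Added example, not Chorus Pro's own tooling: verify that a certificate's
# Extended Key Usage / Key Usage fit its Chorus Pro role and wrap it with its
# chain in PKCS#7. Needs the openssl CLI (1.1.1+ for -addext). Test
# certificates are self-signed throw-aways built here for demonstration.

# ext_value CERT.pem 'X509v3 Key Usage' -> value line printed under that extension
ext_value() {
  openssl x509 -in "$1" -noout -text | grep -A1 "$2:" | tail -n1 | sed 's/^ *//'
}

# check_role CERT.pem server|client -> 0 when EKU and KU match the role
check_role() {
  eku=$(ext_value "$1" 'X509v3 Extended Key Usage')
  ku=$(ext_value "$1" 'X509v3 Key Usage')
  case "$2" in
    server)  # EKU: serverAuth only (exclusive OR); KU: signature + key encipherment
      echo "$eku" | grep -q 'TLS Web Server Authentication' || return 1
      echo "$eku" | grep -q 'TLS Web Client Authentication' && return 1
      echo "$ku"  | grep -q 'Digital Signature' || return 1
      echo "$ku"  | grep -q 'Key Encipherment' || return 1 ;;
    client)  # EKU: clientAuth only (exclusive OR); KU: signature
      echo "$eku" | grep -q 'TLS Web Client Authentication' || return 1
      echo "$eku" | grep -q 'TLS Web Server Authentication' && return 1
      echo "$ku"  | grep -q 'Digital Signature' || return 1 ;;
    *) return 2 ;;
  esac
  return 0
}

# to_pkcs7 OUT.p7b CERT.pem [CA.pem ...] -> one PKCS#7 bundle with every cert given
to_pkcs7() {
  out="$1"; shift
  args=""
  for f in "$@"; do args="$args -certfile $f"; done
  openssl crl2pkcs7 -nocrl $args -out "$out"
}

# p7_cert_count FILE.p7b -> how many certificates the bundle carries
p7_cert_count() {
  openssl pkcs7 -in "$1" -print_certs | grep -c 'BEGIN CERTIFICATE'
}

# make_test_cert OUT.pem EKU KU -> constructed self-signed cert (NOT from an LSTI CA)
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=chorus-example" \
    -keyout "${1%.pem}.key" -out "$1" \
    -addext "extendedKeyUsage=$2" -addext "keyUsage=$3" 2>/dev/null
}
```

Run `check_role my-cert.pem server` (or `client`) on a supplier-issued certificate; a certificate that carries both server and client authentication fails both checks, which is the exclusive OR the text requires.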
Naming of your certificates
For the naming of an SSL Server or SSL Client application certificate, you can consult the following link (appendix A3 of RGS V2, chapter III.1: Naming): http://www.ssi.gouv.fr/uploads/2014/11/RGS_v-2-0_A3.pdf
Qualification test certificates
Certificate suppliers may agree to provide free test certificates for carrying out tests, which is the case for your work on the qualification platform. These certificates have a limited lifespan and must comply with all the constraints specified in this chapter. Contact your supplier.
Please note: it will not be possible to go into production with test certificates, as they are marked as such. At that point, you will need to acquire a "standard certificate".
Can the certificates used in qualification be used in production?
Certificates identify a service. As such, a certificate used for the qualification platform can be used without restriction on the production platform, unless it is a test certificate, as indicated above.
2 Certificates used for signing flows
You must supply this certificate ONLY if you have opted to exchange signed flows.
This certificate is independent of the protocol chosen and must meet the following characteristic:
- Server stamp certificate without timestamp
3 Recommendations for the acquisition of certificates
For the acquisition of your certificate(s), we recommend the following approach:
- for authentication, choose the protocol;
- for the signature, choose to work in signed or unsigned flow;
- contact your certificate supplier:
  - pass on the constraints related to the certification authority and format;
  - send them the table corresponding to the choice of your protocol;
  - if (and ONLY if) you have opted for signed flows, specify that you want a server stamp certificate without timestamp;
- the supplier then has the information needed to offer you the correct certificate(s).
Depending on your connection method, you do not have the same prerequisites.
The table below specifies the type of certificate expected depending on how you connect to Chorus Pro.
Since a certificate has a limited period of validity, it is important to renew it in time to keep the connection active. To do this, when the certificate expires, the organization that set up the connection (the connected entity or its connection provider) must acquire a new certificate, then go to the "EDI and API connection" area of the Chorus Pro portal.
Then select "Search record EDI" and launch a search to find the record initially created for the connection: in the "Search criteria" block, in the "Period connection" field, delete the pre-filled date, then click on the "Search" button at the bottom of the page.
Go to the "EDI and API connections" area, "Manage API connection" tab.
Click on the small pencil at the right-hand end of the line for the certificate you wish to renew.
On the new page, in the "Certificate" block, click on "Update certificate".
Then click on the button in the "Choice of file to import" field and select the updated certificate in PKCS#7 format from your computer. Then click on "Validate". You must wait between 2h and 24h for the update to be taken into account.
Last Update: April 1, 2020