Access to RTE’s Information System by software
certificates under Microsoft Windows 8
PKI User Guide
Version 2, June 17th 2016
Programmes & SI (PSI)
TOUR MARCHAND
41 RUE BERTHELOT - 92411 COURBEVOIE CEDEX
TEL : 01.78.66.50.00 - FAX : 01.78.66.50.64
www.rte-france.com/en/
05-09-00-LONG
Copyright RTE. This document is the property of RTE. Any communication, reproduction, even partial publication is prohibited without the written consent of the Manager of RTE.
TABLE OF CONTENTS
A. Foreword
1. Introduction
  1.1 Purpose of the document
  1.2 Context
  1.3 Warning regarding security practices
  1.4 The actors
    1.4.1 The client
    1.4.2 Registration Authority (RA)
    1.4.3 Certification Authority (CA)
B. Certificates management procedures
2. Certificates management process
  2.1 Foreword
  2.2 Software certificate request
    2.2.1 Preliminary steps
    2.2.2 General diagram
  2.3 Certificates renewal
  2.4 Revocation of certificates
    2.4.1 Case of revocation
    2.4.2 Revocation request
C. Workstation configuration
3. Installation and configuration of the workstation
  3.1 Network configuration
    3.1.1 General configuration
    3.1.2 Specificity of the VPN access
  3.2 Software configuration
D. Web access to the RTE Information System
4. Microsoft Internet Explorer
  4.1 Preliminary configuration
    4.1.1 Configuration of the security settings
    4.1.2 Adding trusted sites
  4.2 Installing RTE’s CA root certificate
    4.2.1 Download and install
    4.2.2 Visualization and verification of RTE’s CA root certificate
  4.3 Installing your personal certificate
    4.3.1 Authentication on the retrieval interface
    4.3.2 Downloading of your certificate
    4.3.3 Installation of your personal certificate
    4.3.4 Visualization and verification of your software certificate
  4.4 Using your certificate
    4.4.1 Authentication and encryption
    4.4.2 Example of access to an RTE web application
  4.5 Additional operations
    4.5.1 Export of your personal certificate
    4.5.2 Deleting your personal certificate
  4.6 Connecting to the SSL VPN
    4.6.1 Foreword
    4.6.2 Prerequisite
    4.6.3 First connection
    4.6.4 Using the SSL VPN
5. Mozilla Firefox
  5.1 Preliminary configuration
  5.2 Installing RTE’s CA root certificate
    5.2.1 Download and install
    5.2.2 Visualization and verification of RTE’s CA root certificate
  5.3 Installing your personal certificate
    5.3.1 Identification on the retrieval interface
    5.3.2 Downloading of your certificate
    5.3.3 Installation of your personal certificate
    5.3.4 Visualization and verification of your software certificate
  5.4 Using your certificate
    5.4.1 Authentication and encryption
    5.4.2 Example of access to an RTE web application
  5.5 Additional operations
    5.5.1 Defining the master password for personal security
    5.5.2 Export of your personal certificate
    5.5.3 Deleting your personal certificate
  5.6 Connecting to the SSL VPN
    5.6.1 Foreword
    5.6.2 Prerequisite
    5.6.3 First connection
    5.6.4 Using the SSL VPN
E. Email exchanges with RTE’s Information System
6. Using your certificate to exchange emails
  6.1 Certificate usage principle
  6.2 Decryption and signature verification of a received message
  6.3 Encryption and signing of a sent message
  6.4 Steps to configure your email client
7. Microsoft Outlook 2013
  7.1 Installing RTE’s CA root certificate
  7.2 Installing your personal certificate
  7.3 Email account configuration
  7.4 Installing RTE’s application certificate
  7.5 Using the certificate: sending a signed-encrypted email
8. Mozilla Thunderbird
  8.1 Installing RTE’s CA root certificate
    8.1.1 Downloading RTE’s CA root certificates
    8.1.2 Installing RTE’s current CA certificate
    8.1.3 Visualization of RTE’s CA root certificate
  8.2 Installing your personal certificate
  8.3 Email account configuration
  8.4 Installing RTE’s application certificate
  8.5 Using the certificate: sending a signed-encrypted email
9. Lotus Notes 8.5
  9.1 Installing RTE’s CA root certificate
  9.2 Installing your personal certificate
    9.2.1 Creation of a PKCS#12 file readable by Notes
    9.2.2 Installing the PKCS#12 file in Notes
    9.2.3 Visualization of the certificate
  9.3 Email account configuration
  9.4 Installing RTE’s application certificate
  9.5 Using the certificate: sending a signed-encrypted email
10. Lotus Notes 9
  10.1 Installing RTE’s CA root certificate
  10.2 Installing your personal certificate
    10.2.1 Creation of a PKCS#12 file readable by Notes
    10.2.2 Installing the PKCS#12 file in Notes
    10.2.3 Visualization of the certificate
  10.3 Email account configuration
  10.4 Installing RTE’s application certificate
  10.5 Using the certificate: sending a signed-encrypted email
F. Appendices
11. Secure environment (PKI)
  11.1 Concepts and objects managed by a PKI
    11.1.1 What is a secure process?
    11.1.2 The importance of dual-keys
    11.1.3 The usage of keys to sign a message
    11.1.4 Certificates
  11.2 Documentation
12. Glossary
13. Incidents management and support
  13.1 Support
  13.2 Frequently Asked Questions (FAQ)
  13.3 Error codes returned by email
A. FOREWORD
1. Introduction
1.1 Purpose of the document
This document is intended for the end user who wants to access RTE’s Information System
by using software certificates under Microsoft Windows 8.
This document allows the holder to:
• Understand the context and principles of a secure environment (authentication, confidentiality, integrity and non-repudiation) and the general operation of a Public Key Infrastructure (PKI).
• Learn to install and use his software certificates in the following environments:
  o Microsoft Windows 8.
  o Browsers: Internet Explorer and Mozilla Firefox for secure access via the HTTPS protocol.
  o Email clients: Microsoft Outlook, IBM Lotus Notes, and Mozilla Thunderbird for secure exchanges in S/MIME format (a standard for cryptography and digital signatures concerning emails encapsulated in MIME format).
NOTE
Throughout this document, the word "you" refers to the user of the certificate.
1.2 Context
Under the law of February 10, 2000 (2000-108) and the implementing decree 2001-630 of 16
July 2001, the operator of the public transport network has an obligation to preserve the
confidentiality of economic, commercial, industrial, financial or technical information of which
the disclosure would be likely to undermine the rules of free and fair competition and nondiscrimination required by law.
1.3 Warning regarding security practices
Each software certificate holder has his own private key. The whole set (certificate and associated private key) is generated by RTE and made available for download by the holder as a password-protected file (PKCS#12 file, extension "p12"). Each software certificate holder shall then take all necessary precautions to prevent:
• the violation of his private key,
• the loss of his private key,
• the disclosure of his private key,
• the alteration of his certificate,
• the misuse of his certificate.
Each software private key and its associated certificates have to be stored on hard disk and
protected by a password known only by the certificate holder.
The Certification Authority (CA) "RTE Certification Authority" takes no responsibility for
disputes related to misuse of private keys.
1.4 The actors
The life cycle management of a certificate is based on three entities:
• the client (i.e. your company),
• the Registration Authority (RA),
• the Certification Authority (CA).
NOTE
To understand these roles, one can draw a parallel with the issuing of official credentials: the citizen applying for a credential is the Client; the town is the Registration Authority and the prefecture is the Certification Authority.
1.4.1 The client
The client issues certificate requests for holders. It may also issue requests for revocation of certificates (see Section B: Certificates management procedures).
1.4.2 Registration Authority (RA)
The Registration Authority (RTE’s manager of customer relations and the Operator) collects the certificate requests, sets the validity date of the certificates and verifies the identity of their holders.
1.4.3 Certification Authority (CA)
The Certification Authority (RTE) is responsible for, and guarantor of, the certificates signed in its name and the operation of the PKI. It sets the policy for the management and use of certificates.
RTE's Certification Authority is named:
CN = RTE Certification Authority, O = RESEAU DE TRANSPORT D'ELECTRICITE
B. CERTIFICATES MANAGEMENT PROCEDURES
2. Certificates management process
2.1 Foreword
The main processes used to manage all the digital certificates issued to holders are:
• obtaining a certificate (obtaining one or more certificates),
• renewal of a certificate (replacement by a new certificate for a new validity period and a new key pair),
• revocation of a certificate (end of certificate validity).
2.2 Software certificate request
2.2.1 Preliminary steps
Beforehand, the following steps must be performed:
• The company representative issues an access request:
  The company representative must have completed and signed the request forms "access to RTE IS services and applications" sent by his Customer Relations Manager, and then sent them back to him.
  In these forms, the company representative specifies in particular:
  o a “Contact email”, which will receive all information necessary to retrieve the certificate (see § ),
  o a “Certificate email”,
  o a “Chosen password”, necessary for the retrieval of the certificate by the holder.
• We have registered your request:
  Following receipt of the forms, we have created your account(s) to access the applications.
2.2.2 General diagram
After the certificate request has been saved and validated by us (within 5 working days), a notification email is sent to the "Contact Email" address entered in the access request form (see § 2.2.1). This email is entitled "Access to RTE’s IS services" and contains:
• a summary of the certificate retrieval procedure,
• the "Certificate email" and "Retrieval Code" requested by the website when you retrieve your certificate,
• the "Password" protecting the PKCS#12 file (".p12" extension) that you download when you retrieve your certificate. It is important to note that this password is different from the password for the retrieval of the certificate.
In case of loss or non-receipt of this message, contact the RTE Hotline.
[Diagram: sequence of exchanges]
The holder then connects from his workstation to the certificate retrieval website and can download his private key and the associated certificate to his workstation in the form of a PKCS#12 file (extension "p12").
2.3 Certificates renewal
Certificates have a lifespan limited to 3 years, in order to give them a high level of
security.
Forty days before the expiry of a certificate, an electronic message is sent to the Contact
email to inform the holder of the forthcoming expiry of his software certificate.
If changes must be made to the holder’s information, the company representative contacts the RTE employee responsible for customer relations to inform him of the changes.
Otherwise, an email is sent to the contact email with the information necessary for the retrieval of the new certificate.
2.4 Revocation of certificates
2.4.1 Case of revocation
The company representative must issue a revocation request when any of the following occurs:
• change of the holder,
• loss, theft, compromise or suspected compromise (possible, probable or certain) of his private key or associated certificate,
• death or cessation of business of the certificate holder,
• loss of the activation data, defective or lost medium.
2.4.2 Revocation request
To revoke a certificate, the company representative should call the RTE Hotline.
When the certificate is revoked, an email is sent to the contact email to notify the holder of
the revocation of his certificate.
C. WORKSTATION CONFIGURATION
3. Installation and configuration of the workstation
All operations of this chapter are to be performed only once by a computer specialist
with Administrator privileges on your workstation, upon receipt of your "PKI Access
Kit".
Also note that only a few chapters of this manual concern you: the chapters corresponding
to the software you use.
All operations are done under the Windows Session of the certificate holder.
3.1 Network configuration
3.1.1 General configuration
The web browser access uses - in a way that is transparent to the user - a software
certificate authentication system for access to the RTE portal and encryption of data
exchanged via the Internet (HTTPS protocol).
Mail exchanges between RTE and the user are routed over the Internet (SMTP protocol,
S/MIME format).
IMPORTANT NOTE
Messaging and antivirus gateways, firewalls and content analyzers should be configured not to alter or reject messages that are encrypted and signed S/MIME (application/x-pkcs7-mime, .p7s, .p7m) and not to prohibit the flow of HTTPS data (port 443).
The network administrator may be requested to perform these operations.
3.1.2 Specificity of the VPN access
The VPN lets you establish, from your workstation, a secure connection (based on authentication to a dedicated site) to RTE’s IS via the Internet.
Access to the SSL VPN requires that your workstation can resolve the address
secure.iservices.rte-france.com.
To see if this is the case, click on the Windows button of Windows 8 at the bottom left of the
screen.
This enables you to access the Windows 8 Welcome menu.
Click on the magnifying glass « search » icon at the top right of the screen to access the
search taskbar. Enter « run » in the search field. Then, click on the « Run » icon.
In the window that appears, enter the following command:
cmd /k ping secure.iservices.rte-france.com
Click on the OK button.
A window appears containing the following information:
• If the first line begins with "Sending a query 'ping' on secure.iservices.rte-france.com", the address secure.iservices.rte-france.com is resolved. Your workstation is configured properly.
• If the first line begins with "Ping request could not find the host secure.iservices.rte-france.com.", the address secure.iservices.rte-france.com is not resolved. Please contact your IT support so that they make the necessary changes.
In addition to this test, you need to install on your workstation the JIS module (Juniper Installation Service), available on the RTE customer site. Refer to the section concerning the browser you use for more details:
• § 4.6.2 if you use Internet Explorer.
• § 5.6.2 if you use Mozilla Firefox.
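The resolution test of section 3.1.2, scripted as an added example (not part of RTE's guide): the result does not depend on the display language of the ping output, and the script also checks the port 443 requirement of section 3.1.1. The function names and the 5-second timeout are assumptions of this example.

```powershell
# Added example, not RTE's own tooling. Host name and port come from sections
# 3.1.1 and 3.1.2 of this guide; the timeout value is an assumption.
$VpnHost   = 'secure.iservices.rte-france.com'
$HttpsPort = 443
$TimeoutMs = 5000

function Get-ResolvedAddresses {
    param([Parameter(Mandatory = $true)] [string] $HostName)
    try {
        # Asks the same question as the first step of ping (name resolution),
        # without sending ICMP and without parsing localized output.
        [System.Net.Dns]::GetHostAddresses($HostName) |
            ForEach-Object { $_.IPAddressToString }
    } catch {
        # Resolution failed: emit nothing, the caller sees an empty list.
    }
}

function Test-TcpPort {
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,
        [Parameter(Mandatory = $true)] [int]    $Port,
        [int] $TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$addresses = @(Get-ResolvedAddresses -HostName $VpnHost)
if ($addresses.Count -eq 0) {
    Write-Warning "$VpnHost is not resolved. Contact your IT support."
} else {
    Write-Host "$VpnHost resolves to: $($addresses -join ', ')"
    if (Test-TcpPort -HostName $VpnHost -Port $HttpsPort -TimeoutMs $TimeoutMs) {
        Write-Host "TCP port $HttpsPort is reachable."
    } else {
        # A workstation that reaches the Internet only through a web proxy
        # also fails this direct connection test.
        Write-Warning "No direct TCP connection to port $HttpsPort. Check firewall or proxy rules."
    }
}
```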
3.2 Software configuration
The software configuration required for your workstation is as follows:
Operating systems:
• Microsoft Windows 8 32-bit, without SP or with SP1
• Microsoft Windows 8 64-bit, without SP or with SP1
Web browser, either:
• Microsoft Internet Explorer 11
• Mozilla Firefox > 45 ESR
Email client, either:
• Microsoft Outlook 2013
• Mozilla Thunderbird > 45 ESR
• IBM Lotus Notes 8.5 or 9
NOTE
In general, consulting messages through a webmail-like interface does not allow the signing of messages.
D. WEB ACCESS TO THE RTE INFORMATION SYSTEM
Please refer directly to the chapter associated with the browser you are using for your default Web exchanges with RTE:
• Chapter 4 if you are using Microsoft Internet Explorer as web browser
• Chapter 5 if you are using Mozilla Firefox as web browser
4. Microsoft Internet Explorer
4.1 Preliminary configuration
4.1.1 Configuration of the security settings
This section is about the configuration of the workstation to support the SSL standard,
allowing access to sites with an encrypted connection (HTTPS protocol).
In the browser, select the menu "Tools> Internet Options":
Select the tab “Advanced”:
In the section “Security”, make sure that the boxes TLS 1.0, TLS 1.1 and TLS 1.2 are ticked,
as shown above.
4.1.2 Adding trusted sites
In order to log on to web sites with your software certificate, it is imperative to add these sites to the list of trusted sites.
The Trusted Sites zone lets you declare the names of sites you consider safe.
In this section, you must be logged in to the workstation with the Windows account that will use the software certificate.
To do this: open Internet Explorer and click the menu "Tools > Internet Options".
In the window that appears, click the "Security" tab. Select the "Trusted Sites" icon and click the "Sites" button.
The following window appears:
In the field “Add this website to the zone”, enter the URL corresponding to the PKI:
https://kregistration-user.certificat2.com
Update this URL when the PKI is replaced by a new one.
Then click “Add”. The site then appears in the list “Websites” as shown below.
Proceed in the same way to add the following websites:
• https://portail.iservices.rte-france.com: this is the internet portal
• https://secure.iservices.rte-france.com: this is the SSL VPN connection portal
The 3 websites shall now appear in the list “Websites”.
Click “Close”, then “OK”.
4.2 Installing RTE’s CA root certificate
4.2.1 Download and install
RTE’s CA root certificate must now be installed in your browser so that RTE is recognized as a trusted Certificate Authority.
To do so, please go to the following address:
IMPORTANT NOTE
It is imperative to respect the case (upper / lower case) of the site’s address.
https://kregistration-user.certificat2.com/kregresources/CSS/RTE/RTE/Certification_Autority_RTE_2048.cer
The download window appears:
Click the "Save" button and choose a location to save the file "Certification_Autority_RTE_2048.cer" containing the root certificate.
Once the download is completed, the following window appears.
Click "Open folder" to go to the directory where you saved the file.
Right-click the "Certification_Autority_RTE_2048.cer" file you just downloaded and choose
"Install Certificate".
The installation wizard of the certificate is displayed:
Make sure “Current User” is selected, then click “Next”. Choose the button “Place all certificates in the following store” and click “Browse”.
In the window that appears, select “Trusted Root Certification Authorities” and click “OK”.
Once you have chosen the certificate store, you get the following window:
Click « Next ».
Click "Finish".
Click “OK”.
4.2.2 Visualization and verification of RTE’s CA root certificate
The root certificate that you just imported is stored in the Trusted Root Certification Authorities store of Internet Explorer.
To view it, click the menu "Tools > Internet Options".
A window appears. Go to the "Content" tab and click the "Certificates" button.
In the window that appears, go to the tab "Trusted Root Certification Authorities".
Select the certificate "RTE Certification Authority".
Click the button "View" then click the "Details" tab.
To ensure the authenticity of this certificate, carefully check that the thumbprint "SHA1" or "MD5" related to the certificate "RTE Certification Authority" is identical to those presented below.
Digital hashes of the certificate «RTE Certification Authority»:
SHA1   39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12
MD5    77:4C:12:7D:FD:1D:36:9E:8A:21:85:73:7C:2D:44:77
If this is not the case: delete the certificate and call the Hotline.
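The thumbprint check above, scripted as an added example (not part of RTE's guide): it compares both published thumbprints with the downloaded file, then looks at what is actually in the Current User root store and flags any other root carrying the same name. The download location in $CerPath and the function names are assumptions of this example.

```powershell
# Added example, not RTE's own tooling.
# Assumption: the .cer file was saved to the current user's Downloads folder.
$CerPath = Join-Path $env:USERPROFILE 'Downloads\Certification_Autority_RTE_2048.cer'

# Thumbprints of "RTE Certification Authority" as published in section 4.2.2.
$Published = @{
    SHA1 = '39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12'
    MD5  = '77:4C:12:7D:FD:1D:36:9E:8A:21:85:73:7C:2D:44:77'
}

function ConvertTo-PlainHex {
    param([string] $Text)
    # Drop colons and spaces and fold case so both notations compare equal.
    return ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

function Get-CertificateDigest {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory = $true)]
        [ValidateSet('SHA1', 'MD5')] [string] $Algorithm
    )
    if ($Algorithm -eq 'SHA1') { $hasher = [System.Security.Cryptography.SHA1]::Create() }
    else                       { $hasher = [System.Security.Cryptography.MD5]::Create() }
    try {
        # RawData is the DER encoding of the certificate, which is what a
        # certificate thumbprint is computed over.
        $digest = $hasher.ComputeHash($Certificate.RawData)
    } finally {
        $hasher.Dispose()
    }
    return ([System.BitConverter]::ToString($digest) -replace '-', '')
}

function Test-PublishedThumbprints {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)
    # The guide asks for SHA1 or MD5; this example requires both to match.
    $allMatch = $true
    foreach ($alg in @('SHA1', 'MD5')) {
        $actual   = Get-CertificateDigest -Certificate $Certificate -Algorithm $alg
        $expected = ConvertTo-PlainHex $Published[$alg]
        if ($actual -eq $expected) {
            Write-Host "$alg matches the guide: $actual"
        } else {
            Write-Warning "$alg differs. Guide: $expected  Computed: $actual"
            $allMatch = $false
        }
    }
    return $allMatch
}

if (-not (Test-Path -LiteralPath $CerPath)) { throw "File not found: $CerPath" }

# 1. The downloaded file. X509Certificate2 reads binary (DER) and Base64 .cer
#    files alike; a plain hash of the file matches the thumbprint only for DER.
$fileCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
Write-Host "Subject: $($fileCert.Subject)"
if (-not (Test-PublishedThumbprints $fileCert)) {
    Write-Warning 'Do not install this file. Delete it and call the Hotline.'
    return
}

# 2. The Current User "Trusted Root Certification Authorities" store, which is
#    where the wizard steps of section 4.2.1 place the certificate.
$wanted = ConvertTo-PlainHex $Published['SHA1']
$roots  = @(Get-ChildItem -Path Cert:\CurrentUser\Root)
$installed  = @($roots | Where-Object { $_.Thumbprint -eq $wanted })
$lookalikes = @($roots | Where-Object {
    $_.Subject -like '*CN=RTE Certification Authority*' -and $_.Thumbprint -ne $wanted
})

if ($installed.Count -gt 0) { Write-Host 'Expected root is present in Cert:\CurrentUser\Root.' }
else                        { Write-Host 'Expected root is not installed yet.' }

foreach ($c in $lookalikes) {
    # Same name, different thumbprint: the guide's instruction for a mismatch
    # is to delete the certificate and call the Hotline.
    Write-Warning "Root with the same name but another thumbprint: $($c.Thumbprint) (valid until $($c.NotAfter))"
}
```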
4.3 Installing your personal certificate
4.3.1 Authentication on the retrieval interface
The software certificate request must have been completed in accordance with the
procedure of chapter 0.
To proceed to the retrieval you need the following information (see § ):
• The chosen password that you or your administrator chose and supplied to RTE in the form to request access to RTE’s IS (see § ).
• The Certificate email, Retrieval code and Password for the PKCS#12 file included in the email “Access to RTE’s IS services”.
For your convenience you can copy and paste the values, being careful not to copy any space at the beginning or end.
To create your certificate and the associated private key, log on to the certificate retrieval website:
IMPORTANT NOTE
The site’s address is case sensitive (upper / lower case) so it is imperative you type
it following the correct case.
https://kregistration-user.certificat2.com/RTE/RTE/Logiciel3:I
Click the button “Retrieval of your personal certificate”.
Fill in the field «Certificate email» with the value indicated in the email “Access to RTE’s IS
services”.
Click “Send”.
Fill in the fields:
• “Retrieval code” as indicated in the email “Access to RTE’s IS services”.
• “Chosen password” which is the password you or your company representative chose and provided to RTE in the form to request access to RTE’s IS (see §2.2.1).
Finally click “Send”.
4.3.2 Downloading of your certificate
The following page appears.
Click “Download”.
In the window that appears, click “Save”.
Choose a directory to save your certificate, then click "Save."
A window shows the progress of the download. Once the download is completed, click
"Open Folder".
The folder containing your personal certificate appears.
IMPORTANT NOTE
Once downloaded, the PKCS#12 file (extension ".P12") containing your certificate and its associated private key must be stored on removable media (USB stick, external hard drive) that you will put in a safe in order to protect access to it.
Also keep the email "Access to RTE's IS services" that contains the password.
4.3.3 Installation of your personal certificate
Go to the download folder of the file.
Double-Click the "name_certificate.p12" file containing your certificate. If the double-click
does not launch the Certificate Installation wizard, right-Click the "name_certificate.p12" file
and choose "Install PFX".
Click “Next”.
The name of the file containing your certificate is automatically filled in, click “Next”.
The window below appears:

In the field “Password”, enter the “Password” present in the email “Access to RTE’s IS
services”.

The check box “Enable strong private key protection. […]” is optional. Tick it if you wish to
define a password that will be asked for before every use of your private key in Internet
Explorer.

The check box “Mark this key as exportable. […]” is optional. Tick it if you wish to be able to
export your private key later (see chapter 4.5.1 to export).

Tick the check box “Include all extended properties”.
Click “Next”.
Select "Automatically select the certificate store based on the type of certificate" and click
"Next".
Finally, click “Finish”.
If you previously ticked the check box “Enable strong private key protection”, then the following
window appears:
Click the button “Set security level…”.
Select the “High” radio button then click “Next”.
Enter a name for the private key to protect and a password then click the "Finish" button.
Warning: this password is required upon each use of the certificate.
Click “OK”.
Finally, the following window appears:
Click “OK”.
Your certificate, your private key and RTE’s CA root certificate have been successfully
imported in Internet Explorer.
4.3.4 Visualization and verification of your software certificate
Regardless of the browser used, the content of the downloaded certificate is the same; only
the presentation of information on the screen differs. If you downloaded the certificate
with Internet Explorer, open the certificate store via the menu "Tools > Internet Options",
"Content" tab, "Certificates..." button.
Select your certificate then click “View”.
It is valid for 3 years from the date of withdrawal.
The "Certification Path" tab allows you to check the validity of your certificate. The "Certificate
status" and the complete display of the certification path (2 levels) indicate that your
certificate and the root certificate have been correctly installed, and hence that all conditions
for the correct use of your certificate are met.
The "Details" tab allows you to view the full name of the holder and the email address to
which the certificate is attached.
4.4 Using your certificate
4.4.1 Authentication and encryption
Steps to follow

run Internet Explorer,

enter the URL to RTE’s application or to “RTE’s customer service portal”:
https://portail.iservices.rte-france.com,

during the authentication, the browser will ask you to select the certificate to use for
authentication then (if it has been defined) the certificate store protection password,

if multiple certificates are presented, you must choose the one supplied for the
application you wish to access (use the button “Display certificate” to visualize its
content).
Once authentication is completed, all data you send or receive will be encrypted.
4.4.2 Example of access to an RTE web application
Enter the URL of the application (starting with “https”) in the Internet Explorer address bar
then press Return.
Then, Internet Explorer asks you to select a certificate enabling you to authenticate to the
requested site.
The line “click here to view certificate properties…” lets you view the content of the
selected certificate.
Click the “OK” button to access the application.
The window below asks for the password that protects the private key associated with your
certificate if it has been set.
The home page is then securely displayed (appearance of the closed padlock to the right of
the URL entry field):
4.5 Additional operations
4.5.1 Export of your personal certificate
This section explains how to save the certificate with its private key and the root certificate.
The procedure is to generate a file in PKCS#12 format (".pfx" extension), protected by a
password.
You can only export your certificate and private key if you checked "Mark this key as
exportable" when installing your personal certificate (see §4.3.3).
In Internet Explorer, click the menu "Tools> Internet Options..."
Then, click the "Content" tab and then the "Certificates" button.
Another window appears. Select your certificate, then click "Export...".
Click “Next”.
Select "Yes, export the private key" and then click "Next".
Select the check box "Include all certificates in the certification path if possible" and
then click "Next".
Enter a password of your choice to protect the PKCS#12 file, and then click "Next".
Select the location of the PKCS#12 file, and then click "Next".
Finally, click the "Finish" button.
Click "OK".
You have exported your certificate's private key and the root of the CA to a file in PKCS#12
format, protected by a password. These elements have therefore been exported, but
remain present in Internet Explorer’s store.
4.5.2 Deleting your personal certificate
This section details the procedure to remove a certificate and its private key from Internet
Explorer’s Certificate store.
IMPORTANT NOTE
Before deleting your personal certificate, make sure to have a copy. If this is
not the case, refer to §4.5.1 to export your certificate and private key as a
PKCS#12 file.
In Internet Explorer, go to "Tools> Internet Options".
A window appears. Click the “Content” tab, then the “Certificates” button:
Select the certificate to delete and click “Remove”.
Click “Yes”.
The certificate is removed from the certificates list.
4.6 Connecting to the SSL VPN
4.6.1 Foreword
The connection via SSL VPN is a service for establishing a secure communications channel
to RTE’s FrontOffice via the Internet. This channel is established after authenticating with
your certificate from a dedicated website (see section 4.4). Once the channel is established
all communications with the requested RTE service will be encrypted.
The use of SSL VPN requires the installation of a dedicated tool, installed during the first
login to the site. The application is called Windows Secure Application Manager (WSAM).
SSL VPN enables secure access to your mailboxes hosted on RTE’s FrontOffice.
4.6.2 Prerequisite
The website secure.iservices.rte-france.com must be declared as a trusted site (see
§4.1.2).
IMPORTANT NOTE
Before your first connection, you must verify that your workstation can resolve
the address secure.iservices.rte-france.com (see section 3.1).
JIS (Juniper Installation Service) is a Windows service made available on the RTE customer
site. Once installed, this service allows future WSAM versions to be updated without requiring
the intervention of a person with administrator privileges on the machine.
To install it, download the executable from the following link:
http://clients.rte-france.com/lang/an/visiteurs/accueil/portail.jsp
Then decompress the compressed file:
Once the file is executed, the following window appears. Click “Yes”.
This will enable the service to start installing.
It will be automatically activated at every operating system launch.
Click “Close” to close the window.
4.6.3 First connection
This paragraph applies only to your first login to the SSL VPN with Internet Explorer.
IMPORTANT NOTE
The first connection must be made by a computer specialist with
Administrator rights on your workstation in order to install the WSAM
application.
Before continuing, you need to disable ActiveX Filtering. To do so, press the "Alt" key on
your keyboard. A menu bar appears at the top of the window. Click the Tools button, and make sure
"ActiveX Filtering" is off.
Launch your browser and go to the following website:
https://secure.iservices.rte-france.com/
The following window appears:
Select your certificate then click “OK”.
If necessary, the window below asks for the password that protects the private key
associated with your certificate if it has been set.
If necessary, the browser then displays a link to download the WSAM if it has not yet been
installed (see 5.6.2) :
If no manual intervention has been done, the following installation pop-up appears:
If necessary, a window appears asking for your authorisation to execute the application.
Click “Yes”.
The Juniper client then gets installed and the WSAM application installation starts:
Wait for the duration of the installation. If the following window appears, click “Yes”:
Once the installation is completed, the following page appears:
If your Internet access requires authentication to a proxy, a window appears asking for your
login and password. Enter them and confirm.
Then, the icon appears in your taskbar.
Click the "Sign out" button (top right of the page) to end the session:
4.6.4 Using the SSL VPN
4.6.4.1 Establishing the connection
Launch your browser and go to the following website:
https://secure.iservices.rte-france.com/
The following window appears:
Select your certificate then click “OK”.
If necessary, the window below asks for the password that protects the private key
associated with your certificate if it has been set.
If necessary, the window below appears. Click “Yes”.
The WSAM application launches automatically and the following page appears:
If your Internet access requires authentication to a proxy, a window appears asking for your
login and password. Enter them and confirm.
Then, the icon appears in your taskbar.
Notes:
• The certificate is only used to establish the connection to the SSL VPN.
• To close the SSL VPN session, click the “Sign out” button (top right of the page).
4.6.4.2 Use case to access hosted mailboxes
The SSL VPN can be used to access mailboxes hosted on the FrontOffice with a standard
email client.
Access to hosted mailboxes requires the SSL VPN connection to be established (see
4.6.4.1).
Then configure the email account in your mail client with the following
parameters:

Mail server type : POP Server

POP server address : pop.services.rte-france.com

SMTP server address : smtp.services.rte-france.com
When your access to RTE’s FrontOffice is provided, you will receive your login name,
your password and your email address.
NOTE
Because the messages are transferred through a secure channel,
sending and receiving messages do not require the use of a
certificate to encrypt messages.
5. Mozilla Firefox
5.1 Preliminary configuration
The SSL standard, which allows access to sites over an encrypted connection (HTTPS protocol),
is disabled by default in recent versions of Firefox. The supported versions of Firefox are
specified in §Error! Reference source not found.
The standards supported by default are: TLS 1.0 to TLS 1.2.
In case of problems, please report the issue to support.
5.2 Installing RTE’s CA root certificate
5.2.1 Download and install
RTE’s CA root certificate must now be installed in your browser so that RTE is recognized as
a trusted Certificate Authority.
To do so, please go to the following address:
https://kregistration-user.certificat2.com/kregresources/CSS/RTE/RTE/Certification_Autority_RTE_2048.cer
Select “Save file” then click “OK”. A location to save the file
“Certification_Autority_RTE_2048.cer” might be requested.
Once the file is downloaded, click the “Tools” menu at the top right corner of the window then click
the “Options” icon:
A window appears. Choose the “Advanced” tab then the subcategory “Certificates”.
Click «View certificates».
Select the “Authorities” tab and click “Import…”.
Select the previously saved file.
A dialog box is displayed, in which you must select the three check boxes "Trust this CA to
identify [...]" to trust RTE's CA.
5.2.2 Visualization and verification of RTE’s CA root certificate
Click the "View" button to verify that the certificate that you are going to trust is the RTE root
certificate:
To ensure that you have downloaded the real RTE CA's root certificate, check carefully that
the "SHA1" or "MD5" hashes displayed are identical to those shown below.
Hashes of RTE’s CA root certificate are recalled here:
SHA1
39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12
MD5
77:4C:12:7D:FD:1D:36:9E:8A:21:85:73:7C:2D:44:77
If this is not the case: click “Close” to go back to the previous window and click “Cancel”
then call RTE’s Hotline.
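The same comparison can be made on the saved file before it is imported. The script below is an added example, not part of RTE's guide: it computes the SHA1 and MD5 fingerprints over the certificate's DER encoding (decoding the file first if it was saved as PEM text) and compares them with the two values printed above. The function names and the constructed placeholder bytes are assumptions of the example, and it requires both digests to match, which is stricter than the "SHA1 or MD5" wording.

```python
import base64
import hashlib
import hmac
import re
import sys

# Fingerprints of RTE's CA root certificate as printed in this guide.
PUBLISHED = {
    "sha1": "39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12",
    "md5": "77:4C:12:7D:FD:1D:36:9E:8A:21:85:73:7C:2D:44:77",
}

_PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)


def to_der(data):
    """Return the DER bytes of a certificate file saved as PEM text or binary DER."""
    match = _PEM_BLOCK.search(data)
    if match is None:
        return data  # no PEM armour found: the file is already binary DER
    return base64.b64decode(b"".join(match.group(1).split()), validate=True)


def normalise(fingerprint):
    """Turn 'AA:BB:..' (any case, optional spaces) into lower-case hex."""
    cleaned = re.sub(r"[:\s]", "", fingerprint).lower()
    if not re.fullmatch(r"(?:[0-9a-f]{2})+", cleaned):
        raise ValueError("not a hex fingerprint: %r" % fingerprint)
    return cleaned


def fingerprints(data):
    """Browser-style fingerprints: digests of the DER encoding, not of the file text."""
    der = to_der(data)
    return {
        "sha1": hashlib.sha1(der).hexdigest(),
        "md5": hashlib.md5(der).hexdigest(),
    }


def check(data, published=PUBLISHED):
    """Per-algorithm verdict (True = identical to the published value)."""
    actual = fingerprints(data)
    return {
        alg: hmac.compare_digest(actual[alg], normalise(value))
        for alg, value in published.items()
    }


def is_genuine(data, published=PUBLISHED):
    """True only if every published fingerprint matches (stricter than 'SHA1 or MD5')."""
    verdict = check(data, published)
    return bool(verdict) and all(verdict.values())


def constructed_sample():
    """Return (der, pem) built from CONSTRUCTED placeholder bytes, not a real certificate."""
    der = bytes(range(48, 112))
    body = base64.encodebytes(der).decode("ascii")
    pem = "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"
    return der, pem.encode("ascii")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as handle:
            blob = handle.read()
    else:
        blob = constructed_sample()[1]  # placeholder input, expected to MISMATCH
    computed = fingerprints(blob)
    for alg, ok in check(blob).items():
        print(alg.upper(), computed[alg], "MATCH" if ok else "MISMATCH")
    sys.exit(0 if is_genuine(blob) else 1)
```

Run it with the path of the saved “Certification_Autority_RTE_2048.cer” file as its argument; a non-zero exit status corresponds to the mismatch case described above.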
If, after verification, the hash of the certificate that you imported matches the "SHA1" or
"MD5" hash above, it is possible to consult the details of the certificate by clicking on the
"Details" tab:
By clicking on the "Close" button, you return to the initial window: "Downloading certificate"
(see above). In this window, click the "OK" button: the RTE CA's root certificate is then
installed in Mozilla Firefox.
To view the certificate later in Mozilla Firefox, go to the "Tools" menu on the top right of the
window then click the "Options" icon:
A window appears. Select the “Advanced” tab then the subcategory “Certificates”.
Click the “View certificates” button.
In the “Authorities” tab you can verify that the root certificate “RTE Certification Authority”
is properly saved on your PC (“Software Security Device”) and view it by clicking “View”.
5.3 Installing your personal certificate
5.3.1 Identification on the retrieval interface
The software certificate request must have been completed in accordance with the
procedure of chapter 0.
To proceed to the retrieval you need the following information (see chapter
):

The chosen password that you or your administrator chose and supplied to RTE
in the form to request access to RTE’s IS (see chapter Error! Reference source not
found.).

Certificate email, Retrieval code and Password for the PKCS#12 file included in
the email “Access to RTE’s IS services”.
For your convenience you can copy and paste the different values, taking care not to copy any
space at the beginning or end.
To create your certificate and the associated private key, log on to the certificate retrieval
website:
IMPORTANT NOTE
The site’s address is case sensitive, so it is imperative to copy it as shown below.
https://kregistration-user.certificat2.com/RTE/RTE/Logiciel3:I
Click the button “Retrieval of your personal certificate”.
Fill in the field «Certificate email» with the value indicated in the email “Access to RTE’s IS
services”.
Click “Submit”.
Fill in the fields:

“Retrieval code” as indicated in the email “Access to RTE’s IS services”.

“Chosen password” which is the password you or your company representative
chose and provided to RTE in the form to request access to RTE’s IS (see §2.2.1).
Finally, click “Send”.
5.3.2 Downloading of your certificate
The following page appears.
Click “Download”.
In the window that appears, click “Save” then “OK”.
Choose a directory to save your certificate, then click "Save".
IMPORTANT NOTE
Once downloaded, the PKCS#12 file (extension ".P12") containing your
certificate and its associated private key must be stored on a removable media
(e.g. USB stick, an external hard drive), that you will put in a safe in order to
protect access to it.
Also keep the mail "Access to RTE's IS services" that contains the password.
5.3.3 Installation of your personal certificate
In Firefox, go to the menu "Tools" on the top right of the window and click the "Options"
icon:
A window appears. Choose the tab “Advanced” then the subcategory “Certificates”.
Click “View Certificates”.
Click “Import…”.
Go to the folder you saved your certificate in, select your certificate “name_certificate.p12”
and click “Open”.
If necessary, the window below asks you for the access password to the Mozilla Firefox
certificate store:
Enter it and click “OK”. The window below appears.
Enter the “Password” present in the email “Access to RTE’s IS services” then click “OK”.
Your certificate and its associated private key have been successfully imported in Mozilla
Firefox’s certificate store.
5.3.4 Visualization and verification of your software certificate
Regardless of the browser used, the content of the downloaded certificate is the same; only
the presentation of information on the screen differs.
In the case of Mozilla Firefox, go to the “Tools” menu (top-right corner of the window) then
click the “Options” icon:
A window appears. Choose the “Advanced” tab then the “Certificates” subcategory.
Then click the “View Certificates” button.
Select the tab “Your Certificates”.
The certificate is a software certificate, as shown by the “Software Security Dev…” indication
that appears to the right of its name. You can view it by selecting it and clicking “View…”.
The first tab “General” displays the following message: “This certificate has been verified
for the following uses”. The certificate is valid for 3 years from the date of retrieval.
The second tab “Details” displays the certification hierarchy with RTE's root CA certificate.
This confirms that all certificates have been installed correctly and that your certificate
meets all the required conditions.
5.4 Using your certificate
5.4.1 Authentication and encryption
Steps to follow:
- run Mozilla Firefox,
- enter the URL of the RTE application or of “RTE’s customer service portal”: https://portail.iservices.rte-france.com,
- during authentication, the browser will ask you to select the certificate to use, then (if one has been defined) for the certificate store protection password,
- if multiple certificates are presented, you must choose the one supplied for the application you wish to access (use the “Display certificate” button to view its content).
Once authentication is complete, all data you send or receive will be encrypted.
5.4.2 Example of access to an RTE web application
When you access the “https” homepage, you will be asked to choose your certificate.
Select your certificate from the drop-down list entitled “Choose a certificate to present as
identification” then click “OK”. The following window will ask you for the access password to
the Mozilla Firefox certificate store, if one was defined:
The home page is then displayed securely (a closed padlock appears to the left of
the URL entry field):
5.5 Additional operations
5.5.1 Defining the master password for personal security
To protect the private key associated with your certificate it is strongly recommended to set a
personal security password.
To do this, click the “Tools” menu on the top right of the window and click on the
“Options” icon:
A window appears. Choose the “Security” tab.
If “Use a master password” is already checked, it means you already have a personal
security password, and you have nothing to do.
Otherwise, check the “Use a master password” box. The following window then appears:
Enter your new master password in both fields and click “OK”.
Your personal security password is now defined.
You can change your personal security password at any time by going to the menu “Tools”
on the top right of the window and clicking the “Options” icon.
A window appears. Choose the “Security” tab and click “Change Master Password…”.
5.5.2 Export of your personal certificate
This section explains how to save the certificate with its private key and the root certificate.
The procedure is to generate a file in PKCS#12 format (".pfx" extension), protected by a
password.
Go to the “Tools” menu at the top-right corner of the window then click the “Options” icon:
A window appears. Choose the “Advanced” tab then the “Certificates” subcategory.
Then click “View Certificates…”.
Select your certificate and click “Backup…”:
Choose a folder and a name for the output file in PKCS#12 format (extension «.p12»):
Click “Save”.
If necessary, the following window will ask you for the access password to the Mozilla Firefox
certificate store:
Then the following window appears:
Enter a password of your choice to protect access to the PKCS#12 file and click “OK”.
Your certificate, your private key and the CA’s root certificate are exported in the PKCS#12
generated file (extension “.p12”).
5.5.3 Deleting your personal certificate
This section details the procedure to remove a certificate and its private key from Mozilla
Firefox’s Certificate store.
IMPORTANT NOTE
Before deleting your personal certificate, make sure to have a copy. If this is
not the case, refer to §5.5.2 to export your certificate and private key as a
PKCS#12 file.
Go to the “Tools” menu at the top-right corner of the window then click the ”Options” icon:
A window appears. Choose the “Advanced” tab then the “Certificates” subcategory.
Then click “View Certificates...”.
Select your certificate and click “Delete…”.
Validate by clicking “OK”.
The certificate is then removed from the list of certificates.
5.6 Connecting to the SSL VPN
5.6.1 Foreword
The connection via SSL VPN is a service for establishing a secure communications channel
to RTE’s FrontOffice via the Internet. This channel is established after authenticating with
your certificate from a dedicated website (see section 5.4). Once the channel is established
all communications with the requested RTE service will be encrypted.
The use of SSL VPN requires the installation of a dedicated tool, installed during the first
login to the site. The application is called Windows Secure Application Manager (WSAM).
SSL VPN enables secure access to your mailboxes hosted on RTE’s FrontOffice.
5.6.2 Prerequisite
In order to connect to the SSL VPN with Firefox, Java SE Runtime Environment (JRE) 1.5.07
or higher needs to be installed on your workstation. If this is not the case, you can download
the latest version on Oracle’s website:
http://java.com/fr/download/index.jsp
IMPORTANT NOTE
Before your first connection, you must verify that your workstation can resolve
the address secure.iservices.rte-france.com (see section 3.1).
JIS (Juniper Installation Service) is a Windows service made available on the RTE customer
site. Once installed, this service allows future WSAM versions to be updated without requiring
the intervention of a person with administrator privileges on the machine.
To install it, download the executable from the following link:
http://clients.rte-france.com/lang/an/visiteurs/accueil/portail.jsp
Then decompress the downloaded file:
Once the file is executed, a window appears asking for authorization to start the service.
Click “Yes”:
This enables the service installation to start.
This service will be automatically activated at every operating system launch.
Click “Close” to close the window.
5.6.3 First connection
This paragraph applies only to your first login to the SSL VPN with Mozilla Firefox.
IMPORTANT
The first connection must be made by a computer specialist with
Administrator rights on your workstation in order to install the WSAM
application.
Launch your browser and go to the following website:
https://secure.iservices.rte-france.com/
The following window appears:
Select your certificate from the drop-down list entitled “Choose a certificate to present as
identification” and click “OK”. If necessary, the following window will ask you for the access
password to the Mozilla Firefox certificate store.
If a window asking you permission to execute a script from “Juniper Network, Inc.” appears,
click “Yes”.
If the red icon below appears, click it in the address bar. Then, in the drop-down menu of the
message, select “Allow and remember”.
If necessary, the following window appears:
If the window below appears: click “Yes”.
The installation of the WSAM application starts:
If your Internet access requires authentication to a proxy, a window appears asking your
login and password. Enter them and confirm.
Then the window below appears:
Then, the icon appears in your taskbar, which means you are now connected to the SSL VPN.
Click the "Sign out" button (top right of the page) to end the session:
5.6.4 Using the SSL VPN
5.6.4.1 Establishing the connection
Run your browser and access the following website:
https://secure.iservices.rte-france.com/
The following window appears:
Select your certificate from the drop-down list entitled “Choose a certificate to present as
identification” and click “OK”. If necessary, the following window will ask you for the access
password to the Mozilla Firefox certificate store.
If a window appears asking you permission to execute a script from “Juniper Network, Inc.”:
click “Ok”.
If the window below appears: click “Yes”.
If the window below appears: click “Yes”.
If your Internet access requires authentication to a proxy, a window appears asking your
login and password. Enter them and confirm.
Then the window below appears:
Then, the icon appears in your taskbar, which means you are now connected to the SSL VPN.
Notes:
- The certificate is only used to establish the connection to the SSL VPN.
- To close the SSL VPN session, click the “Sign out” button (top right of the page).
5.6.4.2 Use to access hosted mailboxes
The SSL VPN can be used to access mailboxes hosted on the FrontOffice with a standard
email client.
Access to hosted mailboxes requires the SSL VPN connection to be established (see
§Error! Reference source not found.).
The email account configuration in your mail client must then be made with the following
parameters:
- Mail server type: POP Server
- POP server address: pop.services.rte-france.com
- SMTP server address: smtp.services.rte-france.com
When your access to RTE’s FrontOffice is provided, you will receive your login name,
your password and your email address.
NOTE
Because the messages are transferred through a secure channel,
sending and receiving messages do not require the use of a
certificate to encrypt messages.
E. EMAIL EXCHANGES WITH RTE’S INFORMATION SYSTEM
This section only applies if you need to exchange signed-encrypted email with RTE
applications.
After reading the chapter Error! Reference source not found. (overview), refer directly
to the chapter associated with the email client that you use for your mail exchanges with
RTE:
- Chapter 7 if you use Microsoft Outlook 2013 as email client.
- Chapter 8 if you use Mozilla Thunderbird as email client.
- Chapter 9 if you use Lotus Notes 8.5 as email client.
- Chapter 10 if you use Lotus Notes 9 as email client.
6. Using your certificate to exchange emails
6.1 Certificate usage principle
Using your personal certificate, its associated private key, RTE’s CA certificate and RTE’s
application certificate, you can:
- decrypt and verify the signature of emails you receive from RTE applications,
- encrypt and sign emails you send to RTE applications.
6.2 Decryption and signature verification of a received message
Decryption and signature verification of a message are separate processes. When you
receive an encrypted-signed message:
- you decrypt the message with the private key associated with your personal certificate,
- you verify the message signature with the certificate of the sender (that of the RTE application) contained in the message, and with your copy of the certificate of the issuing CA that you trust.
These two processes are done automatically when you open a signed-encrypted email with a
properly configured email client that supports the secure email format S/MIME.
IMPORTANT NOTE
To verify the signature of a message you need to own the right certificate and trust
the CA that issued the certificate of the sender.
6.3 Encryption and signing of a sent message
Encrypting and signing a message are two separate processes. When you send an encrypted-signed message:
- you sign the message with the private key associated with your personal certificate,
- you encrypt the message with the recipient’s certificate (RTE’s application certificate).
The certificate of the recipient can be obtained in several ways. RTE applications transmit
their certificate to you by sending a signed message: that is how you will get their certificate.
When you receive a signed message, use “Add sender to contacts” to save the sender’s
certificate at the same time; you can then use it to send encrypted messages to that sender.
IMPORTANT NOTE
Encrypting a message requires possessing a valid certificate corresponding to the
recipient's email address.
6.4 Steps to configure your email client
In order to exchange signed-encrypted emails with RTE, the steps are as follows:
- Install RTE’s CA certificate, so that your mail client trusts the certificates of RTE’s applications and is able to verify the signature of signed-encrypted emails you receive from them.
- Install your personal certificate, so that your mail client can decrypt messages from RTE and sign messages to RTE.
- Configure the email account you will use to exchange with RTE so that your email client always encrypts and signs messages to the RTE applications using the S/MIME standard.
- Install RTE’s application certificate, so that your email client can encrypt emails you send to RTE applications.
To perform these steps, refer directly to the following chapter that covers the email
client you use for your mail exchanges with RTE.
7. Microsoft Outlook 2013
7.1 Installing RTE’s CA root certificate
Outlook 2013 uses the same certificate store as Internet Explorer.
Install RTE’s CA root certificate in Internet Explorer by following the procedure described in
chapter 4.2 if not already done.
7.2 Installing your personal certificate
Outlook 2013 uses the same certificate store as Internet Explorer.
Install your personal certificate in Internet Explorer by following the procedure described in
chapter 4.3.3 if not already done.
7.3 Email account configuration
Start Outlook 2013 and click the menu “File > Options > Trust Center” then click “Trust
Center Settings…”.
In the left column, click “E-mail security”, then click the “Settings…” button.
Click the two ”Choose…” buttons in order to select your personal certificate for signing and
encryption. A list of selectable certificates is presented to you (you can also display a
certificate from the list to view its contents and make sure you choose the right one).
Make sure the settings are similar to the ones above (S/MIME, check boxes, certificates,
algorithms); if the field “Security Settings Name” is empty, enter a label such as “RTE
Certification”. Finally click “OK”.
The window above appears.
Check the boxes “Encrypt contents and attachments for outgoing messages” and “Add
digital signature to outgoing messages”, then click “OK”.
All your emails sent to RTE applications using the default account will now be encrypted and
signed.
7.4 Installing RTE’s application certificate
After receiving the first encrypted and signed message from an application, you must install
the certificate of the issuing application. To do this, add the email address of the
application to your address book by right-clicking the sender of the received email and
then choosing “Add to Outlook contacts”:
Click “General”:
Click “Certificates”:
Click “Save & Close” to save.
All your encrypted emails sent to this application will be encrypted automatically with the
application’s certificate.
7.5 Using the certificate: sending a signed-encrypted email
To encrypt and sign a message: first create a new message by clicking “New”.
To sign and encrypt your message, go to the “Options” tab, then verify that both icons below
are activated or click on them to activate.
To verify security settings, click “Other Options” on the right:
Then click “Security Settings…”.
Verify that the boxes “Encrypt message contents and attachments” and “Add digital
signature to this message” are checked by default; otherwise check them.
8. Mozilla Thunderbird
8.1 Installing RTE’s CA root certificate
RTE’s CA root certificate must first be installed for Thunderbird to be able to verify the
signature of emails sent by RTE.
IMPORTANT NOTE
The following websites’ addresses are case sensitive, so it is imperative to type the
URLs as they are.
8.1.1 Downloading RTE’s CA root certificates
With your web browser, go to the address below to download the file
“Certification_Autority_RTE_2048.cer” containing RTE’s current CA certificate:
https://kregistration-user.certificat2.com/kregresources/CSS/RTE/RTE/Certification_Autority_RTE_2048.cer
With Internet Explorer:
Click the “Save” button and choose a location to save the file
“Certification_Autority_RTE_2048.cer”.
With Mozilla Firefox:
Select “Save file” then click “OK”. You may be asked for a location to save the file
“Certification_Autority_RTE_2048.cer”.
8.1.2 Installing RTE’s current CA certificate
The first certificate you just downloaded must be installed in Thunderbird certificate store.
In the menu "Tools" on the top right of the window click “Options”:
A window appears. Choose the “Advanced” tab then the “Certificates” subcategory.
Click “View Certificates”.
Select the “Authorities” tab and click “Import…”.
Select the previously saved file “Certification_Autority_RTE_2048.cer” and click “Open”.
A dialog box is displayed, in which you must select the three check boxes "Trust this CA to
identify [...]" to trust RTE's CA.
Click the "View" button to verify that the certificate that you are going to trust is the RTE root
certificate:
To ensure that you have downloaded the real RTE CA root certificate, check carefully that
the “SHA1” or “MD5” hash displayed is identical to the one shown below.
Digital hashes of the certificate “RTE Certification Authority”:
SHA1: 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12
MD5: 77:4C:12:7D:FD:1D:36:9E:8A:21:85:73:7C:2D:44:77
If this is not the case: click “Close” to go back to the previous window, click “Cancel”,
then call RTE’s Hotline.
If this is the case, click “Close” to return to the initial window: "Downloading certificate" (see
above). In this window click the "OK" button: RTE CA's root certificate is then installed.
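The same fingerprint check can be done on the saved file before importing it. The script below is an added example, not part of RTE's guide: it hashes the DER encoding of a ".cer" file (saved as DER or PEM) and compares the result with the two values printed above. The script name check_rte_root.py and the sample bytes are assumptions made for the example; the sample is constructed and is not a real certificate.

```python
import base64
import binascii
import hashlib
import hmac
import re
import sys

# Fingerprints printed in this guide for "RTE Certification Authority".
PUBLISHED = {
    "sha1": "39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12",
    "md5": "77:4C:12:7D:FD:1D:36:9E:8A:21:85:73:7C:2D:44:77",
}

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S
)


def check_der_envelope(der: bytes) -> None:
    """Reject anything that is not exactly one DER SEQUENCE, for example a
    truncated download or an HTML error page saved under the .cer name."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                       # short form: length in one byte
        header, length = 2, der[1]
    else:                                   # long form: next n bytes hold it
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("unsupported or truncated DER length")
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError("DER length does not match the file size")


def to_der(raw: bytes) -> bytes:
    """Return the DER bytes of a .cer file saved either as DER or as PEM."""
    match = PEM_RE.search(raw)
    if match:
        body = b"".join(match.group(1).split())
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError("PEM body is not valid base64") from exc
    else:
        der = raw
    check_der_envelope(der)
    return der


def fingerprint(der: bytes, algorithm: str) -> str:
    """Hash the DER encoding and format it as colon-separated hex pairs."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(text: str) -> str:
    """Make '39:83:d6', '39 83 D6' and '3983D6' compare equal."""
    compact = re.sub(r"[\s:\-]", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]+", compact):
        raise ValueError("fingerprint contains non-hex characters")
    return compact


def compare(der: bytes, published: dict) -> dict:
    """Map each published algorithm to True/False for this certificate."""
    return {
        algorithm: hmac.compare_digest(
            normalize(fingerprint(der, algorithm)), normalize(expected)
        )
        for algorithm, expected in published.items()
    }


# Constructed sample: a minimal DER SEQUENCE, not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER)
    + b"-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_rte_root.py Certification_Autority_RTE_2048.cer")
    with open(sys.argv[1], "rb") as handle:
        result = compare(to_der(handle.read()), PUBLISHED)
    for algorithm, ok in result.items():
        print(f"{algorithm.upper()}: {'match' if ok else 'MISMATCH'}")
    # Both published values are checked here; on a mismatch the guide says
    # to cancel the import and call RTE's Hotline.
    sys.exit(0 if all(result.values()) else 1)
```

The exit status is 0 only when both fingerprints match, so the check can gate a scripted import.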
8.1.3 Visualization of RTE’s CA root certificate
To view the certificate later in Mozilla Thunderbird, go to the "Tools" menu on the top right of
the window then click the "Options" icon:
A window appears. Select the “Advanced” tab then the subcategory “Certificates”.
Click the “View Certificates” button.
In the “Authorities” tab you can verify that the root certificate “RTE Certification Authority”
is correctly saved on your PC (“Software Security Device”) and view it by clicking “View”.
8.2 Installing your personal certificate
To be able to import your certificate in Mozilla Thunderbird, you must have the file
“name_certificate.p12” downloaded with your browser when retrieving your certificate (see
§4.3.2 for Internet Explorer, §5.3.2 for Mozilla Firefox).
Start Mozilla Thunderbird, go to the menu "Tools" on the top right of the window and click the
"Options" icon:
A window appears. Choose the “Advanced” tab then the “Certificates” subcategory.
Click “View Certificates”.
In the “Your certificates” tab, click “Import”. In the drop-down menu “File type” select
“PKCS#12 Files (*.p12;*.pfx)”:
Go to the folder you saved your certificate in, select your certificate “name_certificate.p12”
and click “Open”.
If necessary, the window below will ask you for the password protecting the Mozilla Thunderbird
certificate store:
Click “OK”.
N.B.: if there is no master password, Thunderbird will ask you to define one.
Enter the password protecting the PKCS#12 file and click “OK”.
Your certificate and its associated private key have been successfully imported in Mozilla
Thunderbird’s certificate store.
Verify this is the right certificate by clicking on “View…”.
8.3 Email account configuration
To sign and encrypt with your certificate, it must be associated with the email account
corresponding to the email address specified in the Certificate subject.
To do this, start Mozilla Thunderbird and press the “Alt” key on your keyboard: a menu bar appears
at the top of the window. Click “Tools” then “Account Settings”.
A window appears. Select the “Security” item of the email account you use to exchange with
RTE:
Click “Select…” to open the following window:
Select your certificate in the drop-down list and click “OK”. The following message appears:
Click “Yes” to automatically define the same certificate to decrypt received emails.
NOTE
Although for encryption, the text indicates that your certificate will be used to
“encrypt and decrypt sent messages”, it will not actually be used to decrypt
received messages.
All your emails sent to RTE applications using this account will now be encrypted and signed.
8.4 Installing RTE’s application certificate
After receiving the first encrypted and signed message from an application, the application
certificate installs automatically. However you can add the application’s email address to
your address book by right-clicking the sender of the received email and then clicking “Add
to Address Book”:
The contact has been added to the address book.
To verify that the application certificate is correctly installed, go to the menu “Tools” (top-right
corner of the window) and click “Options”:
A window appears. Choose the “Advanced” tab then the “Certificates” subcategory.
Then click “View Certificates”.
A window appears. Click the “People” tab.
Every time an encrypted email is sent to this application, the application’s certificate will be
used automatically to encrypt it.
8.5 Using the certificate: sending a signed-encrypted email
To encrypt and sign a message, first create a new message by clicking “Write”.
Click the “Security” tab to verify the options: “Encrypt this message” and “Digitally sign
this message”. These options should be checked by default; if not, check them.
9. Lotus Notes 8.5
9.1 Installing RTE’s CA root certificate
RTE’s root certificate will be installed by «crossed certification» when you receive your first
signed-encrypted email from the application (see §0).
Note:
The « Crossed certificate » is a process that lets a user install the certificate of
another entity when he receives a message from that entity. Messages sent to that specific
entity will be encrypted with that « Crossed certificate ».
9.2 Installing your personal certificate
9.2.1 Creation of a PKCS#12 file readable by Notes
Lotus Notes can install a certificate and its associated private key only from a PKCS#12 file
that contains RTE's CA. This is not the case for the file “name_certificate.p12” you
downloaded when you retrieved your certificate.
To generate a file accepted by Lotus Notes, install RTE's CA and your certificates in a
browser and then export your personal certificate as a PKCS#12 file. Depending on the
browser you are using, perform one of the procedures below.


With Microsoft Internet Explorer:
o Install RTE’s CA root certificate, see §4.2.
o Install your personal certificate, making sure to check the box “Mark this key as
exportable.”, see §4.3.3.
o Export your certificate to a PKCS#12 file, making sure to check the box “Include
all certificates in the certification path if possible”, see §4.5.1.
With Mozilla Firefox:
o Install RTE’s CA root certificate, see §5.2.
o Install your personal certificate, see §5.3.
o Export your certificate to a PKCS#12 file, see §5.5.2 (RTE’s CA will automatically
be included).
9.2.2 Installing the PKCS#12 file in Notes
Start Lotus Notes and go to “File > Security > User Security…”:
If requested, enter your Notes password:
The following window appears:
Click “Your Identity” then “Your Certificates”:
Select “Your Internet Certificates” in the drop-down list to display the Internet certificates
already imported.
In general, the list will be empty.
Click the “Get Certificates…” button and select “Import Internet Certificates…”:
A window appears asking you to select a PKCS#12 file (extension “.pfx” or “.p12”). Select the
file you generated at §9.2.1 containing your personal certificate, its private key and RTE’s CA
root certificate:
Click “Open” and in the window below choose the format: PKCS 12:
Click “Continue”. The PKCS12 file’s password is requested:
Click “OK” and the window below is displayed:
Your certificate, which you want to import, and the root certificate, are listed. If you click
“Advanced Details…” the content of the selected certificate (yours) appears in the window:
Click “Cancel” to go back to the previous window.
To see the content of the root certificate, you must select it:
And click “Advanced Details…”:
Click “Close” to go back to the main screen:
Click “Accept All”.
Enter your Notes password and click “OK”.
Click “OK”, the window below appears:
The certificate, now visible here, has successfully been imported. Click “OK” to end the
import.
9.2.3 Visualization of the certificate
To view your certificate, in Lotus Notes access the menu “File > Security > User
Security…”, then click the item “Your Identity” and “Your Certificates”. Select “Your
Internet Certificates” in the drop-down list.
Select your personal certificate and click the “Advanced Details…” button. The certificate’s
details are then presented in the window below:
9.3 Email account configuration
If you have multiple certificates used to sign your sent messages, you have to set as the default
the one that will be used for exchanges with RTE.
In Lotus Notes, open the menu “File > Security > User Security…”, then click “Your
Identity” and “Your Certificates”:
Select “Your Internet Certificates” in the drop-down list to display your Internet certificates
that are already imported.
Select your certificate and click the “Advanced Details” button.
If you only have one certificate, the box “Use this certificate as your default signing
certificate” will be greyed out and checked. If not, check it, as above, and click “OK”.
9.4 Installing RTE’s application certificate
When you select a received signed and encrypted message for the first time, a dialog
box similar to the one below appears, allowing you to trust the issuer:
To do so, click the “Cross certify” button.
Then, when you display this signed message, right-click the email and choose “Add
Sender to Contacts…” in the menu, which will add the issuer
and its certificate to your Address Book:
The following window appears:
Just verify that the box “Include X.509 certificates when encountered” is checked and
click “OK”.
Whenever an encrypted email is sent to this application, its installed certificate will now
automatically be selected to perform the encryption.
9.5 Using the certificate: sending a signed-encrypted email
When composing a message, you can sign and encrypt it if you own your signature
certificate (see the import procedure for your certificate above) and that of your
correspondent.
To do so, when you write a new message, click the “Delivery Options” button.
Check the “Sign” and “Encrypt” boxes as shown below:
Click “OK”.
The rest of the sending process is unchanged: Notes then automatically signs and
encrypts your message.
10. Lotus Notes 9
10.1 Installing RTE’s CA root certificate
RTE’s root certificate will be installed by “crossed certification” when you receive your first
signed-encrypted email from the application.
Note:
The « Crossed certificate » is a process that lets a user install the certificate of
another entity when he receives a message from that entity. Messages sent to that specific
entity will be encrypted with that « Crossed certificate ».
10.2 Installing your personal certificate
10.2.1 Creation of a PKCS#12 file readable by Notes
Lotus Notes can install a certificate and its associated private key only from a PKCS#12 file
that contains RTE's CA. This is not the case for the file “name_certificate.p12” you
downloaded when you retrieved your certificate.
To generate a file accepted by Lotus Notes, install RTE's CA and your certificates in a
browser and then export your personal certificate as a PKCS#12 file. Depending on the
browser you are using, perform one of the procedures below.


With Microsoft Internet Explorer:
o Install RTE’s CA root certificate, see §4.2.
o Install your personal certificate, making sure to check the box “Mark this key as
exportable.”, see §4.3.3.
o Export your certificate to a PKCS#12 file, making sure to check the box
«Include all certificates in the certification path if possible», see §4.5.1.
With Mozilla Firefox:
o Install RTE’s CA root certificate, see §5.2.
o Install your personal certificate, see §5.3.
o Export your certificate to a PKCS#12 file, see §5.5.2 (RTE’s CA will automatically
be included).
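One way to check, before importing into Notes, that an exported PKCS#12 file really holds the private key, the personal certificate and the issuing CA certificate that §9.2.1 and §10.2.1 require, and that the CA's 20-byte fingerprint equals the published one. This is an added example, not part of the RTE guide or RTE code; it assumes the third-party Python `cryptography` package, and the CA, user certificate, password and function names are all constructed for the demonstration.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

DEMO_PASSWORD = b"constructed-demo-password"  # constructed; protects the demo bundles


def fingerprint(cert):
    """SHA-1 fingerprint as colon-separated upper-case hex, the guide's notation."""
    return ":".join(f"{byte:02X}" for byte in cert.fingerprint(hashes.SHA1()))


def issued_by(cert, ca_cert):
    """True if ca_cert is named as cert's issuer and its key verifies cert's signature."""
    if cert.issuer != ca_cert.subject:
        return False
    public_key = ca_cert.public_key()
    try:
        if isinstance(public_key, rsa.RSAPublicKey):  # assumes a PKCS#1 v1.5 signature
            public_key.verify(cert.signature, cert.tbs_certificate_bytes,
                              padding.PKCS1v15(), cert.signature_hash_algorithm)
        elif isinstance(public_key, ec.EllipticCurvePublicKey):
            public_key.verify(cert.signature, cert.tbs_certificate_bytes,
                              ec.ECDSA(cert.signature_hash_algorithm))
        else:
            return False
    except InvalidSignature:
        return False
    return True


def inspect_bundle(p12_bytes, password, published_ca_sha1):
    """Report what a PKCS#12 file holds; a wrong password raises ValueError."""
    key, cert, extra_certs = pkcs12.load_key_and_certificates(p12_bytes, password)
    report = {
        "has_private_key": key is not None,
        "has_certificate": cert is not None,
        "issuer_included": False,
        "ca_fingerprint_matches": False,
    }
    wanted = published_ca_sha1.strip().upper()
    for candidate in extra_certs:
        if cert is not None and issued_by(cert, candidate):
            report["issuer_included"] = True
            report["ca_fingerprint_matches"] = fingerprint(candidate) == wanted
            break
    report["complete"] = all(report.values())
    return report


def _certificate(subject_cn, subject_key, issuer_cn, issuer_key, is_ca):
    """Build a short-lived constructed certificate for the demo."""
    now = datetime.datetime.now(datetime.timezone.utc)

    def name(common_name):
        return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])

    return (
        x509.CertificateBuilder()
        .subject_name(name(subject_cn))
        .issuer_name(name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=30))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(issuer_key, hashes.SHA256())
    )


def build_demo_bundles():
    """Return (bundle without CA, bundle with CA, CA fingerprint), all constructed."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    user_key = ec.generate_private_key(ec.SECP256R1())
    ca_cert = _certificate("Constructed Demo CA", ca_key, "Constructed Demo CA", ca_key, True)
    user_cert = _certificate("constructed.user@example.invalid", user_key,
                             "Constructed Demo CA", ca_key, False)
    protection = serialization.BestAvailableEncryption(DEMO_PASSWORD)
    without_ca = pkcs12.serialize_key_and_certificates(
        b"demo", user_key, user_cert, None, protection)
    with_ca = pkcs12.serialize_key_and_certificates(
        b"demo", user_key, user_cert, [ca_cert], protection)
    return without_ca, with_ca, fingerprint(ca_cert)


if __name__ == "__main__":
    bare, full, ca_fp = build_demo_bundles()
    print("as downloaded  :", inspect_bundle(bare, DEMO_PASSWORD, ca_fp))
    print("browser export :", inspect_bundle(full, DEMO_PASSWORD, ca_fp))
```

On a real file, pass the bytes of the exported `.p12`, its password, and the fingerprint published for RTE's CA in place of the constructed values.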
10.2.2 Installing the PKCS#12 file in Notes
Start Lotus Notes and go to “File > Security > User Security…”:
If requested, enter your Notes password:
The following window appears:
Click “Your Identity” then “Your Certificates”:
Select “Your Internet Certificates” in the drop-down list to display the Internet certificates
already imported.
In general, the list will be empty.
Click the “Get Certificates…” button and select “Import Internet Certificates…”:
A window appears asking you to select a PKCS#12 file (extension “.pfx” or “.p12”). Select the
file you generated at §10.2.1 containing your personal certificate, its private key and RTE’s
CA root certificate:
Click “Open” and in the window below choose the format: PKCS 12:
Click “Continue”. The PKCS12 file’s password is requested:
Click “OK” and the window below is displayed:
Your certificate, which you want to import, and the root certificate, are listed. If you click
“Advanced Details…” the content of the selected certificate (yours) appears in the window:
Click “Close” to go back to the previous window.
To see the content of the root certificate, you must select it:
And click “Advanced Details…”:
Click “Close” to go back to the main screen:
Click “Accept All”.
If necessary, enter your Notes password and click “OK”.
Click “OK”, the window below appears:
The certificate, now visible here, has successfully been imported. Click “OK” to end the
import.
10.2.3 Visualization of the certificate
To view your certificate, in Lotus Notes access the menu “File > Security > User
Security…”, then click the item “Your Identity” and “Your Certificates”. Select “Your
Internet Certificates” in the drop-down list.
Select your personal certificate and click the “Advanced Details…” button. The certificate’s
details are then presented in the window below:
10.3 Email account configuration
If you have multiple certificates used to sign your sent messages, you have to set as the default
the one that will be used for exchanges with RTE.
In Lotus Notes, open the menu “File > Security > User Security…”, then click “Your
Identity” and “Your Certificates”:
Select “Your Internet Certificates” in the drop-down list to display your Internet certificates
that are already imported.
Select your certificate and click the “Advanced Details” button.
If you only have one certificate, the box “Use this certificate as your default signing
certificate” will be greyed out and checked. If not, check it, as above, and click “OK”.
10.4 Installing RTE’s application certificate
When you select a received signed and encrypted message for the first time, a dialog
box similar to the one below appears, allowing you to trust the issuer:
To do so, click the “Cross certify” button.
Then, when you display this signed message, you will need to choose the “Add
Sender to Contacts…” feature, which will add the issuer and its certificate to your
Address Book.
The following window appears:
Click “OK”.
Whenever an encrypted email is sent to this application, its installed certificate will now
automatically be selected to perform the encryption.
10.5 Using the certificate: sending a signed-encrypted email
When composing a message, you can sign and encrypt it if you have your own certificate and
your correspondent's certificate (see the import procedure for your certificate above).
To do so, when you write a new message, click the “Delivery Options” button and
check the “Sign” and “Encrypt” boxes as shown below:
Click “OK”.
That is all: Notes then automatically signs and encrypts your message.
F. APPENDICES
11. Secure environment (PKI)
This appendix describes the secure environment in which the PKI is operated. It describes in
particular:

The concepts of secure environment and the corresponding data objects handled by
the PKI,

The role of the various entities involved in the operation process of a PKI.
11.1 Concepts and objects managed by a PKI
This appendix presents the key concepts for understanding the role of objects managed by a
PKI:

presentation of the principles structuring a secure process,

the role of dual-keys,

certificates.
11.1.1 What is a secure process?
11.1.1.1 Definition of a PKI
With a PKI (Public Key Infrastructure), each holder has a pair of keys - a private key, known
only to its owner, and a public key - linked by a complex mathematical relationship, making
it virtually impossible to determine the private key from knowledge of the public key alone.
This means that the probability of determining the private key from the public key in a
reasonable time is very low.
Data encrypted with a key (typically, the public key) can only be decrypted with the other
(typically the private key). This principle is what ensures, in particular, the
confidentiality of the messages exchanged. This process is commonly called "asymmetric
cryptography" as opposed to "symmetric cryptography" that uses a common key for both
encryption and decryption.
11.1.1.2 The four pillars of information exchange security
This electronic identity card aims at establishing an environment of trust whose four pillars
are:

authentication identifies parties in a sure and reliable way,

confidentiality prevents non-recipients from reading the data,

integrity ensures that data has not been altered,

non-repudiation makes it impossible for a party to refute the transmitted information.
11.1.1.3 The cryptographic solution
Because of the technology used (protocols, architectures, etc.), the information circulating on
the Internet is not confidential. These technologies also do not meet the other three
security requirements set out above.
To preserve the confidentiality of exchanges via the Internet, the data must be rendered
incomprehensible to all, except for the recipients. Encryption is the right solution.
Data encryption naturally goes together with the authentication of the system’s users. When some
data are confidential, issuers and recipients of this information must authenticate
safely and unequivocally to conduct secure exchanges.
Authentication is based on the possession of a certificate. This element is issued by a
Certification Authority that stakeholders of a transaction trust (in our case, the Certification
Authority is RTE). Thus, the holders can have confidence in the information provided to them
and RTE knows that only authorized holders access the information.
NOTE
In a similar process, in daily life, it is necessary to provide a piece of
identification issued by an authority to access certain privileges reserved
for citizens of the country (expensive purchases, voting, etc.).
11.1.2 The importance of dual-keys
Each holder has a public key and an associated private key.

The private key is a key that the holder must keep confidential. He is the only one who
possesses it and is able to use it. He does not necessarily know it himself (for
example: it may be stored on a smart card that it cannot leave, while access to the
card is protected by a PIN code known only to its owner)

The public key, as its name suggests, is public and can be communicated to all. The
public keys of holders are used only to encrypt messages intended for them. If an
encrypted message were intercepted, its confidentiality would not be
affected, as it cannot be decrypted (in a reasonable time) by a person not having
the associated private key.
The private key enables its owner to sign a message he sends and to decrypt an encrypted
message he receives. In contrast, the public key of a person is used to encrypt a message
sent to him and to verify the signature of a message he receives.
11.1.2.1 Encryption and decryption of a message
Each message is encrypted with the public key of the recipient, who will decrypt it with his
private key.
When RTE sends a message to the client A:
1. RTE has the public key of client A (via the public part of the certificate).
2. RTE automatically encrypts the message using the public key of client A and sends it
via RTE’s email system.
3. Client A receives the message and automatically decrypts it with his private key.
Encryption and decryption with dual-keys.
11.1.3 The usage of keys to sign a message
Each message is signed with the private key of the issuer. The origin of a message (its
signature) can be checked with the public key of the issuer, freely accessible via its certificate.
To prove to client A that the received message is actually from RTE, RTE automatically signs
the message with its (RTE’s) private key before sending it to client A.
Signing and signature verification with dual-keys.
When client A receives the message from RTE, it automatically verifies the signature of
the received message with the public key of RTE.
11.1.4 Certificates
11.1.4.1 Objectives of digital certificates
Since public keys are used to verify electronic signatures and encrypt messages, it is
essential for any carrier to be certain of the identity of the owner of a public key: this is the
role of the certificate.
11.1.4.2 Characteristics of a certificate
A certificate is a digital ID:
• that guarantees the identity of the holder from a remote site,
• that includes data facilitating the identification,
• that is resistant to counterfeit and issued by a trusted third party: the Certification
Authority.
A Certification Authority is an entity that creates and manages certificates. It defines the rules
for registering the various holders in the PKI.
11.1.4.3 Structure of a certificate
A digital certificate contains:
• the public key of its holder,
• the name of the holder and any other identification information (email address of the
person if the certificate is used to sign emails),
• the certificate’s period of validity,
• the name of the certification authority that issued the certificate,
• a unique serial number,
• the signature of the certification authority.
11.1.4.4 Examples of certificates
A digital certificate on Internet Explorer
A digital certificate on Mozilla Firefox
11.2 Documentation
Reference documentation:
• Subscription contract to RTE’s secure Information System.
Websites:
• http://www.legifrance.gouv.fr/
• Law of 13th March 2000 on the adaptation of law of evidence to information
technologies and on electronic signature: http://www.assemblee-nat.fr/
• Directive 1999/93/CE of 13th December 1999 on a Community framework for
electronic signatures: http://europa.eu/
• Draft decree on electronic signatures: http://www.internet.gouv.fr/
• OpenTrust (formerly Keynectis): https://www.opentrust.com/
12. Glossary
When the holder first works with his new secure environment, he will encounter
specific terminology, which is described in this section:

Authentication
Checking the validity of the claimed identity of a user, a device or other entity in an
information or communication system.

Certificate
A digital certificate plays the role of electronic identity (e-passport). It guarantees the identity
of its owner in electronic transactions and contains all the information enabling the
identification (name, possibly company, address, etc.). A digital certificate is composed of a
public key and personal information about the holder, all signed by a Certification Authority.

Certificate store
Secure hardware or software container for storing a user's private key and its associated
certificates, website certificates, other users’ certificates and CA certificates. This container is
usually protected by a password or PIN that may have to be entered at each use of
a private key, depending on the expected level of security.

Certification Authority
A Certification Authority (CA) is an entity that issues digital certificates, electronic equivalents
of identity documents, to a population. By distributing digital certificates, the Certification
Authority, or Trust Authority, acts as a guarantor by vouching for the identity of a person
through the certificate it issues to him. Depending on the standing of the Certification Authority,
the certificate will have a more or less extensive field of application: limited to a company’s
internal exchanges (like a company badge) or usable in relations with other organizations and
administrations (like a national identity card or passport).

Confidentiality
Property of data or information that are not disclosed or made available to unauthorized
persons.

Cryptography
Discipline including the principles, means and methods of data processing in order to hide
their semantic content, establish their authenticity, prevent their modification from going
unnoticed, prevent repudiation and prevent their unauthorized use.

Electronic signature
The electronic signature of a document is the signing with the private key of a digital
summary of this document (obtained by applying a hash function), which cannot then be
modified without this being visible. Like a handwritten signature, the signatory is liable for it.

Encryption / Decryption
Data transformation using cryptography to make them unintelligible in order to ensure
confidentiality / inverse transformation.

HTTPS
HTTPS is a secure version (S for "secure") of the HTTP protocol used in all web browsers to
exchange information over the Internet.

Integrity
Ensuring that data or information have not been modified or altered in an unauthorized
manner.

Non-repudiation
Property obtained with cryptographic methods to prevent a person from denying having
performed a particular action on the data (for example: non-repudiation of origin, certification
requirement, intent or commitment, establishment of property).

PKCS#12
File format used to store a private key and its associated certificate, protected by a password.
The file extension is usually ".p12" or ".pfx".

Private key
Secret digital quantity attached to a person, allowing him to decrypt received messages
that were encrypted with the corresponding public key or to affix a signature to messages sent.

Public key
Digital quantity attached to a person, who distributes it to other people so that
they can send him encrypted data or verify his signature.

Revocation
Revocation is the process that withdraws the guarantee given by the Certification Authority
for a certificate, carried out at the request of the subscriber or any other authorized
person. The request may be the result of different types of events such as compromise or
destruction of the private key, a change in the information contained in the certificate, or failure
to comply with the certificate usage rules.

Root Certification Authority
The certification authority with the highest level of trust in the company is called the root. This
authority is able to certify other certification authorities, which are then called
intermediaries. This is the main part of an infrastructure based on security certificates.

S/MIME (Secure / Multipurpose Internet Mail Extensions)
S/MIME is a standard for the encryption and digital signature of emails. It provides integrity,
authentication, non-repudiation and confidentiality of data.

Trusted site
Determines the security settings applied by a browser when accessing a site. If a site is
declared as a "trusted site", the browser will apply, for example, a lower level of security than
to a site belonging to the "Internet" zone, which potentially carries threats.

Virtual Private Network (VPN)
A VPN (Virtual Private Network) allows local and remote networks to be interconnected using a
tunnel technique. The tunnel is a secure communication channel through the internet in
which data travels in encrypted form.
13. Incidents management and support
In case of incident, the company manager contacts the hotline (see §13.1), which will diagnose
the problem and forward it to the technical correspondent concerned. The hotline will provide
the solution to the company manager and, if necessary, assist with the steps indicated to regain
access to RTE’s Information System.
13.1 Support
For any inquiries, customers can contact the RTE Hotline at:
00 800 80 50 50 50
Or from France at:
08 10 80 50 50
13.2 Frequently Asked Questions (FAQ)
A Frequently Asked Questions section is available on the certificates retrieval website at the
address:
https://kregistration-user.certificat2.com/kreg-resources/CSS/RTE/RTE/faq_utilisateur_fr.html
13.3 Error codes returned by email
In an exchange of emails between the user and an application, even when the certificate was
generated and installed using the procedures described in this document, a functional
error may occur. In this case, the element in question (a server or a gateway)
returns an error code by email.
The subject of error messages returned by RTE’s cryptographic gateway is as follows:
<ERR:nnn!!<Intitulé-FR>!!<Title-EN>> <Subject-of-the-original-message>

nnn | Description | Possible cause
001 | The email sent by the client was not signed nor encrypted | You did not check the boxes "signed" and "encrypted" in your email program when sending email
002 | The email sent by the client was only encrypted | You did not check the "signed" box in your email software
003 | The email sent by the client was only signed | You did not check the "encrypted" box in your email software
004 | The email sent by the client was only signed and the signature used is incorrect | You did not check the "encrypted" box in your email software and the certificate used to sign is invalid or unknown
005 | The email sent by the client was signed and encrypted, but the signature used is incorrect | The signing certificate that you used is invalid or unknown
006 | The email sent by the client cannot be decrypted by RTE | The certificate that you used to encrypt the email is invalid
007 | The email sent by RTE failed to be delivered to the client because of a security issue | RTE internal problem

<Intitulé-FR>: Error title in French.
<Title-EN>: Error title in English.
<Subject-of-the-original-message>: Subject of the original message that provoked the error.
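As an added example (not RTE's code), a small parser for the error subject format above, as a helpdesk or mail-filter script might use it to sort gateway replies. It assumes the outer angle brackets are literal and the inner ones in the guide are placeholder notation; the function names and the sample subject are hypothetical.

```python
import re
from typing import NamedTuple, Optional

# Possible causes, condensed from the table in section 13.3.
CAUSES = {
    "001": "'signed' and 'encrypted' were both left unchecked",
    "002": "'signed' was left unchecked",
    "003": "'encrypted' was left unchecked",
    "004": "'encrypted' was left unchecked and the signing certificate is invalid or unknown",
    "005": "the signing certificate is invalid or unknown",
    "006": "the certificate used to encrypt the email is invalid",
    "007": "RTE internal problem",
}

# Assumption: the outer "<" and ">" are literal, the inner ones in the guide are
# placeholder notation, and the French title contains no "!!" and neither title a ">".
_SUBJECT = re.compile(
    r"^\s*<ERR:(?P<code>\d{3})!!(?P<fr>[^>]*?)!!(?P<en>[^>]*)>\s?(?P<orig>.*)$",
    re.DOTALL,
)

class GatewayError(NamedTuple):
    code: str
    title_fr: str
    title_en: str
    original_subject: str
    cause: Optional[str]  # None when the code is not in the guide's table

def parse_gateway_subject(subject: str) -> Optional[GatewayError]:
    """Parse a gateway error subject; return None for any other subject."""
    m = _SUBJECT.match(subject)
    if m is None:
        return None
    code = m.group("code")
    return GatewayError(code, m.group("fr").strip(), m.group("en").strip(),
                        m.group("orig").strip(), CAUSES.get(code))

def sender_can_fix(err: GatewayError) -> bool:
    """True for 001-006 (sender's mail settings or certificates), False for
    007 and for codes the guide does not list, which go to the hotline."""
    return err.cause is not None and err.code != "007"

# Constructed sample subject; the two titles are invented for the example.
SAMPLE = "<ERR:002!!Signature absente!!Missing signature> Daily report > v2"
```

The original subject is taken as everything after the first closing bracket, so a ">" or "!!" inside the user's own subject does not confuse the split.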
END OF DOCUMENT