ESG Appendix C: Digital Certificates
“ESG is not able to accept VeriSign/Symantec certificates that have been issues after December 20, 2012. Symantec has changed the way they issue certificates on this date rendering them unusable with ESG. If you have a VeriSign certificate that was obtained before 12/20/2012 it will continue to work. We recommend that you obtain a certificate from another vendor if you are a new user or an existing user trying to renew your VeriSign certificate”
What is a digital certificate
Using the certification
Where to obtain a certificate
How to export a digital certficate Public Key
How to export a digitat certificate Private Key
How to update an existing Electronic Submissions Gateway Account's digital certificate
A digital certificate is an electronic document which conforms to the International Telecommunications Union’s X.509 specification. It is a document which typically contains the owner’s name and public key, the expiration date of the public key, the serial number of the certificate, and the name and digital signature of the organization which issued the certificate. The digital certificate binds together the owner’s name and a pair of electronic keys (a public key and a private key) that can be used to encrypt and sign documents.
Encrypting and digitally signing documents using certificates provides the following assurances about document transmissions:
- Only the addressee (and no unauthorized users) can read the message. Encryption provides this assurance.
- The message cannot be tampered with. That is, data cannot be changed, added, or deleted without the sender’s knowledge. A document’s digital signature provides this assurance.
- Parties sending documents are genuinely who they claim to be. Likewise, when those parties receive documents signed by the sender, they can be confident about the source of the documents. A document’s digital signature provides this assurance.
- The parties who send documents cannot readily claim they did not send them. This is referred to as non-repudiation of origin. A document’s digital signature provides this assurance.
- Parties who are sent documents cannot readily claim they did not receive them. This is referred to as non-repudiation of receipt. The signed document acknowledgment provides this assurance.
The public key in the FDA’s certificate is used to encrypt a document for transmission. The FDA ESG uses the public key to verify the digital signature of a document received from a specified source.
Before encrypted and signed documents (sent submissions) are exchanged with the FDA ESG, there must be a certificate exchange to obtain the other’s certificate and public key. Each party obtains a certificate with a public-private key pair, either by generating a self-signed certificate or by obtaining a certificate from a Certificate Authority. The private half of the key pair always remains on the party’s computer. The public half is provided to the FDA ESG during the registration process and includes the certificate and public key, or the certificate alone.
Certificates not accepted by the registration module
There are situations when a valid certificate is not accepted by the registration module and is identified as invalid. If this occurs, zip the certificate file and email it to the FDA ESG administrator at email@example.com. Once received, FDA will assess the certificate and send a response.
The FDA ESG cannot accept certificates with blank data elements in the Issuer or Subject fields. These certificates will cause the FDA ESG to fail due to a defect in the Gateway software. The certificates provided should be valid for at least one year and no more than three years. Note, this requirement applies to both Pre-production (Test) and Production ESG systems.
NOTE: DO NOT SUBMIT CERTIFICATES WITH BLANK DATA FIELDS IN THE ISSUER AND SUBJECT FIELDS
The FDA ESG supports Public Key Infrastructure (PKI) to securely trade submissions over the Internet. PKI is a system of components that use digital certificates and public key cryptography to secure transactions and communications.
PKI uses certificates issued by certificate authorities (CAs) to provide authentication, confidentiality, integrity and non-repudiation of data.
There are two PKI options supported – in-house and outsourced. The option chosen can depend on a number of factors, such as cost, human and system resources, and the degree or sophistication of security desired. PKI establishes digital identities that can be trusted. The CA is the party in a PKI that is responsible for certifying identities. In addition to generating a certificate, this entails verifying the identity of a subscriber according to established policies and procedures. This is the case for in-house and outsourced PKIs.
In an organization that generates and uses its own self-signed certificates, the trading parties must verify the certificates and establish a direct trust. Once established that an identity or issuer of an identity can be trusted, the trust anchor’s certificate is stored in a local trust list. The FDA ESG has a local trust list for storing and managing established trust relationships. The application maintains a list of common public CA certificates similar to those kept in web browsers. Although convenient, this predetermination of trust might not complement every organization’s security policy. The decision of who to trust rests with the individual organization.
An in-house PKI makes it possible to achieve complete control of security policies and procedures. It also carries the burden of management and cost to set up and maintain the system.
FDA recommends using certificates with 3 years validity.
Third-party certificate authorities can be leveraged to purchase X.509 certificates for general use. The CA manages the security policies and details such as certificate revocation. The level of outsourcing can range from purchasing a public key certificate that is valid for 1 year to 3 years from a commercial CA, to outsourcing all of the PKI services that an organization requires.
If you plan to use an outsourced certificate, the following are just a few of the many companies that sell the X.509 certificates (Displayed in alphabetical order). FDA recommends using certificates with three years validity. Please note that some vendors do not offer a three year certificate on their website, but you may call them directly to purchase a three year certificate. Telephone contact information is available on each vendor’s website.
Note: References to commercial products are for illustrative purposes only and does not constitute an official FDA endorsement. If you are a CA and would like to list your URL here, please send the URL linking to your Class 1 Personal Identification certificate (i.e. Secure Email certificate) page to firstname.lastname@example.org.
- Comodo: https://secure.instantssl.com/products/frontpage?area=SecureEmailCertificate
- GeoTrust: http://www.geotrust.com/signing-products/secure-email/index.html
- GlobalSign: http://www.globalsign.com/digital_certificate/personalsign/index.htm#2
- TrustCenter: http://www.trustcenter.de/en/products/tc_personal_id.htm
The minimum requirement for a digital certificate for use with the FDA Electronic Submissions Gateway is a Class 1 Personal Identification certificate (i.e. Secure Email certificate). The list of digital certificates identified above has been proven to meet the FDA Electronic Submissions Gateway requirements. This list does not represent all digital certificates accepted for use with the FDA Electronic Submissions Gateway, and various other certificates with additional functions are accepted as well, but these additional functions, which are outside the FDA ESG requirements, are not necessary
CA will send you an email with PIN number and a link to a website where you can import/install the certificate. Accept all defaults and say "yes” to all pop-ups, your certificate will be installed in your browser. Note, if you are using WebTrader, you do not have to install the certificate on the same machine that you will be using. Once the certificate is installed in the browser you can export the public and private keys out and use them where ever you want. AS2 users will need to install the certificates in their system. Configuring the certificates may defer from sponsor to sponsor depending on what gateway software being used.
- From Internet Explorer go to Tools Internet Options Content tab Certificates
- Select your certificate in the Personal tab.
- Click on the Export button to create public and private keys, which can be used for the Gateway.
- To export public key (.cer or .p7b) select Next on the next screen
- Select ¤ No, do not export the private key option and click on the Next button.
- Select the options as shown on the screen below. Click on the Next button. Or if you want to export the certificate with .P7B extension/format or to export .CER extension/format follow the next step.
- Select ¤ Cryptographic Message syntax Standard – PKCS #7 Certificates (.P7B), check R Include all certificate in the certification path if possible.
- Select ¤DER encoded binary X.509 (.CER) and click on the Next button.
- Give a file name and select the location where you want to save the file. Click on the Next button. Then click on Finish.
You public key is ready. This is the key that you should use when registering.
To export private key (.PFX or .P12)
- Select the certificate and click on Export, Click on next on the next screen
- Select ¤ Yes, export the private key and click on the Next button.
- Select the options as shown below and click on the Next button.
- Create a password for your private key. Confirm the password and click on the Next button. If you forget the password you can export the private key again and create a password.
- Create a file name and select the location where you want to save the file and click on the Next button. On the next screen, click on Finish and then click on OK.
Your private key is ready. Ths is the key that you should use when sending submissions.
- Obtain a new digital certificate from your CA.
- Follow steps from “Exporting a Public Key” and “Exporting a Private Key”.
- Email the public key (.cer) to email@example.com, providing the following information:
- Primary account holder name
- Electronic Submissions Gateway Account name
- Primary account holder name
- A confirmation email from firstname.lastname@example.org will be received, notifying the account holder that the new public key has been uploaded. The user may know send submissions via the Electronic Submissions Gateway using the newly exported private key (.pfx).