Programmes & SI (PSI)
TOUR MARCHAND 41 RUE BERTHELOT - 92411 COURBEVOIE CEDEX
TEL : 01.78.66.50.00 - FAX : 01.78.66.50.64
www.rte-france.com/en/

05-09-00-LONG

Access to RTE’s Information System by software certificates under Microsoft Windows 8.1

PKI User guide

Version 3, 01/01/2017

Copyright RTE. This document is the property of RTE. Any communication, reproduction, even partial publication is prohibited without the written consent of the Manager of RTE.

SUMMARY

A. Foreword

1. Introduction

1.1 Purpose of the document

1.2 Context

1.3 Warning regarding security practices

1.4 The actors

The client

Registration Authority (RA)

RTE Historical Certification Authority (CA)

RTE Root Certification Authority (CA)

RTE Client Certification Authority (CA)

B. Certificates management procedures

2. Certificates management process

2.1 Foreword

2.2 Software certificate request

Preliminary steps

General diagram

2.3 Certificates renewal

2.4 Certificates revocation

Case of revocation

Revocation request

C. Workstation configuration

3. Installation and configuration of the workstation

3.1 Network configuration

General configuration

Specificity of the VPN access

3.2 Software configuration

D. Web access to the RTE Information System

4. Microsoft Internet Explorer

4.1 Preliminary configuration

Configuration of the security settings

Adding trusted sites

4.2 Installing RTE’s CAs certificates

Download and install

Visualization and verification of RTE’s CA certificates

4.3 Installing your personal certificate

Authentication on the retrieval interface

Downloading your certificate

Installation of your personal certificate

Visualization and verification of your software certificate

4.4 Using your certificate

Authentication and encryption

Example of access to an RTE web application

4.5 Additional operations

Export of your personal certificate

Deleting your personal certificate

4.6 Connecting to the SSL VPN

Foreword

Prerequisite

First connection

Using the SSL VPN

5. Mozilla Firefox

5.1 Preliminary configuration

5.2 Installing RTE’s CAs certificates

Download and install

Visualization and verification of RTE CAs certificates

5.3 Installing your personal certificate

Authentication on the retrieval interface

Download of your certificate

Installation of your personal certificate

Visualization and verification of your software certificate

5.4 Using your certificate

Authentication and encryption

Example of access to an RTE web application

5.5 Additional operations

Defining the master password for personal security

Export of your personal certificate

Deleting your personal certificate

5.6 Connecting to the SSL VPN

Foreword

Prerequisite

First connection

Using the SSL VPN

E. Email exchanges with RTE’s Information System

6. Using your certificate to exchange emails

6.1 Certificate usage principle

6.2 Decryption and signature verification of a received message

6.3 Encryption and signing of a sent message

6.4 Steps to configure your email client

7. Microsoft Outlook 2013

7.1 Installing RTE Historical CA certificate

7.2 Installing RTE Root CA certificate

7.3 Installing RTE Client CA certificate

7.4 Installing your personal certificate

7.5 Email account configuration

7.6 Installing RTE’s application certificate

7.7 Using the certificate: sending a signed-encrypted email

8. Mozilla Thunderbird

8.1 Installing certificates of the 3 RTE’s CAs

RTE Historical Certification Authority

RTE Root Certification Authority

RTE Client Certification Authority

Visualization of RTE CAs certificates

8.2 Installing your personal certificate

8.3 Email account configuration

8.4 Installing RTE’s application certificate

8.5 Using the certificate: sending a signed-encrypted email

8.6 Defining the master password for personal security

9. Lotus Notes

9.1 How to know which CA signed your personal certificate

Using Mozilla Firefox

Using Internet Explorer

9.2 Installation on Lotus Notes

10. Lotus Notes 8.5

10.1 Installing RTE Historical CA certificate

10.2 Installing your personal certificate

Creation of a PKCS#12 file readable by Notes

Installing the PKCS#12 file in Notes

Visualization of the certificate

10.3 Email account configuration

10.4 Installing RTE’s application certificate

10.5 Using the certificate: sending a signed-encrypted email

11. Lotus Notes 9

11.1 Installing RTE’s applications certificates

11.2 Installing RTE CA’s certificates

Installing RTE Historical CA’s certificate

Installing RTE Root and RTE Client CAs certificates

11.3 Installing your personal certificate signed by RTE Historical CA

Creation of a PKCS#12 file readable by Notes

Installing the PKCS#12 file in Notes

Visualization of the certificate

11.4 Installing your personal certificate signed by the new PKI of RTE

Creation of a PKCS#12 file readable by Notes

Installing the PKCS#12 file in Notes

Visualization of the certificate

11.5 Email account configuration

11.6 Installing RTE’s application certificate

11.7 Using the certificate: sending a signed-encrypted email

F. Appendixes

12. Secure environment (PKI)

12.1 Concepts and objects managed by a PKI

What is a secure process?

The importance of dual-keys

The usage of keys to sign a message

Certificates

12.2 Documentation

13. Glossary

14. Incidents management and support

14.1 Support

14.2 Frequently Asked Questions (FAQ)

14.3 Error codes returned by email

A. FOREWORD

1. Introduction

1.1 Purpose of the document

This document is intended for the end user who wants to access RTE’s Information System by using software certificates under Microsoft Windows 8.1. This document allows the holder to:

- Understand the context and principles of a secure environment (authentication, confidentiality, integrity and non-repudiation) and the general operation of a Public Key management Infrastructure (PKI).

- Learn how to install and use his software certificates in the following environments:
  o Microsoft Windows 8.1.
  o Browsers: Internet Explorer and Mozilla Firefox for secure accesses via the HTTPS protocol.
  o Email Clients: Microsoft Outlook, IBM Lotus Notes, and Mozilla Thunderbird for secure exchanges in S/MIME format (a standard for cryptography and digital signatures concerning emails encapsulated in MIME format).

NOTE

Throughout this document, the word "you" refers to the user of the certificate.

1.2 Context

Under the law of February 10, 2000 (2000-108) and the implementing decree 2001-630 of 16 July 2001, the operator of the public transport network has an obligation to preserve the confidentiality of economic, commercial, industrial, financial or technical information of which the disclosure would be likely to undermine the rules of free and fair competition and non-discrimination required by law.

1.3 Warning regarding security practices

Each software certificate holder has his own private key. The certificate and its associated private key are both generated by RTE and made available for download by the holder as a password-protected file (PKCS#12 file, extension "p12"). Each software certificate holder shall then take all necessary precautions to prevent:

- the compromise of his private key,

- the loss of his private key,

- the disclosure of his private key,

- the alteration of his certificate,

- the misuse of his certificate.

Each software private key and its associated certificate have to be stored on hard disk and protected by a password known only by the certificate holder.

The 3 Certification Authorities (CA) of RTE (§1.4.3, §1.4.4, §1.4.5) take no responsibility for disputes related to misuse of private keys.

1.4 The actors

The life cycle management of a certificate is based on three entities:

- the client (i.e. your company),

- the Registration Authority (RA),

- the 3 Certification Authorities (CA):
  1. RTE Historical CA
  2. RTE Root CA
  3. RTE Client CA

NOTE

To understand these roles, one can draw a parallel with the issuing of official credentials: the citizen applying for a credential is the Client, the town is the Registration Authority and the prefecture is the Certification Authority.

The client

The client issues certificate requests for holders. It may also issue requests for revocation of the certificates (see Section B: certificate management procedures).

Registration Authority (RA)

The Registration Authority (RTE’s manager of customer relations and the Operator) collects the certificate requests, sets the validity date of the certificates and verifies the identity of their holders.

RTE Historical Certification Authority (CA)

The Historical Certification Authority (RTE) is responsible and liable for certificates signed in its name and for the operation of the old PKI. RTE Historical certification authority is called (CN: common name, O: Organization):

CN = RTE Certification Authority, O = RESEAU DE TRANSPORT D'ELECTRICITE

RTE Root Certification Authority (CA)

The Root Certification Authority (RTE) is responsible and liable for certificates signed in its name and for the operation of the new PKI. It sets policy for the management and use of certificates. RTE Root certification authority is called (CN: common name, O: Organization):

CN = RTE Root Certification Authority, O = RESEAU DE TRANSPORT D'ELECTRICITE

RTE Client Certification Authority (CA)

The Client Certification Authority (RTE) is responsible and liable for certificates signed in its name and for the operation of the new PKI. RTE Client certification authority is called (CN: common name, O: Organization):

CN = RTE Client Certification Authority, O = RESEAU DE TRANSPORT D'ELECTRICITE

B. CERTIFICATES MANAGEMENT PROCEDURES

2. Certificates management process

2.1 Foreword

The main processes used to manage all the digital certificates issued to holders are:

- Obtaining a certificate,

- The renewal of a certificate (replacement by a new certificate for a new validity period and a new key pair),

- The revocation of a certificate (end of certificate validity).

2.2 Software certificate request

Preliminary steps

Beforehand, the following steps must be performed:

- The company representative issues an access request: the company representative must have completed and signed the request forms “access to RTE IS services and applications" sent by his Customer Relations Manager, and then sent them back to him. In these forms, the company representative specifies in particular:
  o a “Contact email”, which will receive all information necessary to retrieve the certificate (see §2.2.2),
  o a “Certificate email”,
  o a “Chosen password”, necessary for the retrieval of the certificate by the holder.

- We have registered your request: following receipt of the forms, we have created your account(s) to access the applications.

General diagram

After the access request has been saved and validated by us (within 5 working days), a notification email is sent to the "Contact email" address entered in the access request form (see § 2.2.1). This email is entitled "Access to RTE’s IS services" and contains:

- a summary of the certificate’s retrieval procedure,

- the "Certificate email" and "Retrieval Code" requested by the website while retrieving your certificate,

- the “Password" protecting the PKCS#12 file (".p12" extension) that you download when you retrieve your certificate. Please remember that this password is different from the password used to retrieve the certificate.

In case of loss or non-receipt of this message, contact RTE’s Hotline (cf § 14.1).

Exchange scenarios

The holder has to connect from his workstation to the certificate retrieval website and download his private key and the associated certificate to his workstation in the form of the PKCS#12 file (extension ".p12").

2.3 Certificates renewal

The lifespan of the certificates is limited to 3 years, to ensure a high level of security. Forty days before the expiration date of a certificate, an electronic message is sent to the “Contact email” to inform the holder of the forthcoming expiry of his software certificate.

If the holder’s information must be changed, the company representative contacts RTE’s customer relations manager to inform him of the changes. Otherwise, an email is sent to the “Contact email” with the information necessary for the retrieval of the new certificate.

2.4 Certificates revocation

Case of revocation

The company representative must issue a revocation request when any of the following occurs:

- Change of the holder,

- Loss, theft, compromise or suspected compromise (possible, probable or certain) of his private key or associated certificate,

- Death or cessation of business of the certificate holder,

- Loss of the activation data, defective or lost medium.

Revocation request

To revoke a certificate, the company representative should call RTE’s Hotline (cf § 14.1). When the certificate is revoked, an email is sent to the “Contact email” to notify the holder of the revocation of his certificate.

C. WORKSTATION CONFIGURATION

3. Installation and configuration of the workstation

All operations of this chapter are to be performed only once by a computer specialist with Administrator privileges on your workstation, upon receipt of your "PKI Access Kit". Also note that only a few chapters of this manual concern you: the chapters corresponding to the software you use. All operations are done under the Windows Session of the certificate holder.

3.1 Network configuration

General configuration

The web browser access uses, in a way that is transparent to the user, a software certificate authentication system for access to the RTE portal and encryption of data exchanged via the Internet (HTTPS protocol). Mail exchanges between RTE and the user are routed over the Internet (SMTP protocol, S/MIME format).

Specificity of the VPN access

The VPN allows you to establish, from your workstation, a secure connection (based on authentication to a dedicated site) to RTE’s IS via the Internet. Access to the SSL VPN requires that your workstation can resolve the address secure.iservices.rte-france.com.

To check that you can resolve the address, open a web browser and go to the URL https://secure.iservices.rte-france.com. The following web page must appear:

IMPORTANT NOTE

Messaging and antivirus gateways, firewalls and content analyzers should be configured not to alter or reject messages that are encrypted and signed in S/MIME format (application/x-pkcs7-mime, .p7s, .p7m) and not to block the flow of HTTPS data (port 443).

The network administrator may be requested to perform these operations.

In addition to this test, you need to install on your workstation the module PSIS (Pulse Secure Installation Service) available on the RTE customer site. Refer to the section concerning the browser you are using for more details:

§ 4.6.2 if you are using Internet Explorer.

§ 5.6.2 if you are using Mozilla Firefox.

3.2 Software configuration

The software configuration required for your workstation is as follows:

Operating Systems:

- Microsoft Windows 8.1 32 bit without Service Pack or with Service Pack

- Microsoft Windows 8.1 64 bit without Service Pack or with Service Pack

Web browser, either:

- Microsoft Internet Explorer 11

- Mozilla Firefox > 45 ESR

Email client, either:

- Microsoft Outlook 2013

- Mozilla Thunderbird > 45 ESR

- IBM Lotus Notes 8.5 or 9

NOTE

In general, consulting messages through a webmail-like interface does not allow you to sign your messages.

D. WEB ACCESS TO THE RTE INFORMATION SYSTEM

Please refer directly to the chapter associated with the browser you are using for your default Web exchanges with RTE:

Chapter 4 if you are using Microsoft Internet Explorer as web browser

Chapter 5 if you are using Mozilla Firefox as web browser

4. Microsoft Internet Explorer

4.1 Preliminary configuration

Configuration of the security settings

This section is about the configuration of the workstation to support the SSL standard, allowing access to sites with an encrypted connection (HTTPS protocol). In the browser, select the menu "Tools> Internet Options":

Select the tab “Advanced”:

In the section “Security”, make sure that the boxes TLS 1.0, TLS 1.1 and TLS 1.2 are ticked, as shown above.

Adding trusted sites

In order to log on to the web sites with your software certificate, it is imperative to add these sites to the list of trusted sites. The Trusted Sites zone lets you declare the names of sites you consider safe. For this section, you must be logged into the workstation with the Windows account that will use the software certificate. To do this, open Internet Explorer and click the menu "Tools> Internet Options".

In the window that appears, click the "Security" tab. Select the "Trusted Sites" icon and click the "Sites" button.

The following window appears:

In the field “Add this website to the zone”, enter the URL corresponding to the PKI:

https://kregistration-user.certificat2.com

Then click “Add”. The site then appears in the list “Websites” as shown below.

Proceed in the same way to add the following websites:

- https://portail.iservices.rte-france.com: this is the internet portal

- https://secure.iservices.rte-france.com: this is the SSL VPN connection portal

The 3 websites shall now appear in the list “Websites”.

Click “Close”, then “OK”.

4.2 Installing RTE’s CAs certificates

Download and install

RTE Historical Certification Authority

This CA is the Historical CA of RTE, dealing with 2048 bit keys. This CA is necessary to ensure the coexistence of the old and the new PKIs. RTE Historical CA’s certificate must now be installed in your browser so that it is recognized as a trusted Certificate Authority. To do so, please go to the following address:

IMPORTANT NOTE

It is imperative to respect the case (upper / lower case) of the site’s address.

https://kregistration-user.certificat2.com/kreg-resources/CSS/RTE/RTE/Certification_Autority_RTE_2048.cer

The download window appears:

Click the "Save" button and choose a location to save the file "Certification_Autority_RTE_2048.cer" containing RTE Historical CA’s certificate.

Once the download is completed, the following window appears:

Click "Open folder" to go to the directory where you saved the file. Right-click the "Certification_Autority_RTE_2048.cer" file you just downloaded and choose "Install Certificate".

The installation wizard of the certificate is displayed:

Click “Next”.

Select "Place all certificates in the following store" and click "Browse".

In the window that appears, select "Trusted Root Certification Authorities" and click "OK".

Once you have chosen the certificate store, you get the following window:

Click “Next”.

Click “Finish”.

Click “OK”.

RTE Root Certification Authority

This CA is the new Root CA of RTE, dealing with 4096 bit keys. This CA is necessary to ensure the validation of the chain of trust. RTE Root CA certificate must now be installed in your browser. To do so, please go to the following address:

IMPORTANT NOTE

It is imperative to respect the case (upper / lower case) of the site’s address.

https://kregistration-user.certificat2.com/kreg-resources/CSS/RTE/RTE2/ACR_RTE_Root_CA_20160303.cer

The download window appears:

Click the "Save" button and choose a location to save the file "ACR_RTE_Root_CA_20160303.cer" containing RTE Root CA’s certificate. Once the download is completed, the following window appears:

Click "Open folder" to go to the directory where you saved the file. Right-click the "ACR_RTE_Root_CA_20160303.cer" file you just downloaded and choose "Install Certificate".

The installation wizard of the certificate is displayed:

Click “Next”.

Select "Place all certificates in the following store" and click "Browse".

In the window that appears, select "Trusted Root Certification Authorities" and click "OK".

Once you have chosen the certificate store, you get the following window:

Click “Next”.

Click "Finish". If the next window displays a security warning, click “Yes”:

Click “OK”.

RTE Client Certification Authority

This CA is the new Client CA of RTE, dealing with 4096-bit keys. This CA is necessary to generate the new PKI’s certificates. The RTE Client CA certificate must now be installed in your browser. To do so, please go to the following address:

IMPORTANT NOTE It is imperative to respect the case (upper / lower case) of the site’s address.

https://kregistration-user.certificat2.com/kreg-resources/CSS/RTE/RTE2/ACF_RTE_Client_CA_20160303.cer

The download window appears:

Click the "Save" button and choose a location to save the file "ACF_RTE_Client_CA_20160303.cer" containing RTE Client CA’s certificate.

Once the download is completed, the following window appears:

Click "Open folder" to go to the directory where you saved the file. Right-click the "ACF_RTE_Client_CA_20160303.cer" file you just downloaded and choose "Install Certificate".

The installation wizard of the certificate is displayed:

Click “Next”.

Select "Automatically select the certificate store based on the type of certificate" and click "Next".

Click "Finish".

Click “OK”.

Visualization and verification of RTE’s CA certificates

Visualization of installed RTE’s CA certificates

The RTE CA certificates you just imported are stored in the Certification Authorities store of Internet Explorer. To view them, click the menu "Tools > Internet Options".

A window appears. Go to the "Content" tab and click the "Certificates" button.

In the window that appears, go to the tab "Trusted Root Certification Authorities". You can see RTE Historical CA’s certificate (§ 4.2.1.1) and RTE Root CA’s certificate (§ 4.2.1.2):

On the tab “Intermediate Certification Authorities” you can see RTE Client CA’s certificate (§ 4.2.1.3):

Verification of RTE Certification Authority certificate

Select the certificate "RTE Certification Authority".

Click the button "View" then click the "Details" tab.

To ensure the authenticity of this certificate, carefully check that the thumbprint "SHA1" related to the certificate "RTE Certification Authority" is identical to the one presented below.

Digital hash of the certificate “RTE Certification Authority” SHA1 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12

If this is not the case, delete the certificate and call RTE’s Hotline (cf § 14.1).

Verification of RTE Root Certification Authority certificate

Select the certificate "RTE Root Certification Authority".

Click the button "View" then click the "Details" tab.

To ensure the authenticity of this certificate, carefully check that the thumbprint "SHA1" related to the certificate "RTE Root Certification Authority" is identical to the one presented below.

Digital hash of the certificate “RTE Root Certification Authority” SHA1 00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff

If this is not the case, delete the certificate and call RTE’s Hotline (cf § 14.1).

Verification of RTE Client Certification Authority certificate

In the tab “Intermediate Certification Authorities”, select the certificate "RTE Client Certification Authority".

Click the button "View" then click the "Details" tab.

To ensure the authenticity of this certificate, carefully check that the thumbprint "SHA1" related to the certificate "RTE Client Certification Authority" is identical to the one presented below.

Digital hash of the certificate “RTE Client Certification Authority” SHA1 C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed

If this is not the case, delete the certificate and call RTE’s Hotline (cf § 14.1).
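The three thumbprint checks above can also be scripted. The following PowerShell is an added example, not part of RTE's guide: it compares the SHA1 thumbprints printed in this guide with a downloaded ".cer" file before installation and with the certificates already present in the stores the guide names. The function names are hypothetical, and it is an assumption that each certificate's subject contains the display name used in the guide and that the certificates were installed in the current-user or local-machine stores.

```powershell
# Added example, not RTE's own tooling.
# Expected SHA1 thumbprints, copied as printed in this guide.
$ExpectedRteCa = @(
    @{ Name = 'RTE Certification Authority';        Store = 'Root'; Sha1 = '39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12' }
    @{ Name = 'RTE Root Certification Authority';   Store = 'Root'; Sha1 = '00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff' }
    @{ Name = 'RTE Client Certification Authority'; Store = 'CA';   Sha1 = 'C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed' }
)

function ConvertTo-Sha1Hex {
    # Reduce any printed form (colons, spaces, mixed case, stray invisible
    # characters from copy and paste) to 40 upper-case hex digits, which is
    # the form Windows exposes in the Thumbprint property.
    param([Parameter(Mandatory = $true)][string]$Text)
    $hex = ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($hex.Length -ne 40) {
        throw "Expected 40 hex digits for a SHA1 thumbprint, got $($hex.Length): '$Text'"
    }
    $hex
}

function Test-RteCaFile {
    # Check a downloaded .cer file BEFORE it is placed in a trusted store.
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$ExpectedSha1
    )
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full
    [pscustomobject]@{
        File       = $full
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Matches    = ($cert.Thumbprint -eq (ConvertTo-Sha1Hex $ExpectedSha1))
    }
}

function Test-RteCaStores {
    # Check the stores named in the guide: "Trusted Root Certification
    # Authorities" (Root) and "Intermediate Certification Authorities" (CA).
    foreach ($ca in $ExpectedRteCa) {
        $want = ConvertTo-Sha1Hex $ca.Sha1
        foreach ($location in 'CurrentUser', 'LocalMachine') {
            $certs  = @(Get-ChildItem -Path "Cert:\$location\$($ca.Store)")
            $pinned = @($certs | Where-Object { $_.Thumbprint -eq $want })
            # Assumption: the subject contains the display name used in the guide.
            # A same-named certificate with another thumbprint is the case in which
            # the guide says to delete the certificate and call the Hotline.
            $lookalike = @($certs | Where-Object {
                $_.Subject -like "*$($ca.Name)*" -and $_.Thumbprint -ne $want
            })
            [pscustomobject]@{
                Certificate = $ca.Name
                Store       = "$location\$($ca.Store)"
                Installed   = ($pinned.Count -gt 0)
                Mismatched  = ($lookalike | ForEach-Object { $_.Thumbprint }) -join ', '
            }
        }
    }
}

Test-RteCaStores | Format-Table -AutoSize

# Before installing a downloaded file, for example the Root CA file named in this guide:
# Test-RteCaFile -Path .\ACR_RTE_Root_CA_20160303.cer -ExpectedSha1 $ExpectedRteCa[1].Sha1
```

A row with "Installed" set to False in both locations means the certificate is missing from that store; a non-empty "Mismatched" column lists thumbprints that do not agree with the guide.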

4.3 Installing your personal certificate

Authentication on the retrieval interface

The software certificate request must have been completed in accordance with the procedure of chapter 2.2. To proceed to the retrieval you need the following information (see § 2.2.2):

The password that you or your administrator chose and supplied to RTE in the form to request access to RTE’s IS (see § 2.2.1).

Certificate email, Retrieval code and Password for the PKCS#12 file included in the email “Access to RTE’s IS services” (see §2.2.2).

For your convenience, you can copy and paste these values, being careful not to copy any space at the beginning or end. To create your certificate and the associated private key, log on to the certificate retrieval website:

IMPORTANT NOTE It is imperative to respect the case (upper / lower case) of the site’s address.

https://kregistration-user.certificat2.com/RTE/RTE2/Logiciel_SHA2:I

Click the button “Retrieval of your personal certificate”.

Fill the field «Certificate email» with the value indicated in the email “Access to RTE’s IS services” (see §2.2.2). Click “Submit”.

Fill the fields:

“Retrieval code” as indicated in the email “Access to RTE’s IS services” (see §2.2.2).

“Chosen password” which is the password you or your company representative chose and provided to RTE in the form to request access to RTE’s IS (see §2.2.1).

Finally click “Submit”.

Downloading your certificate

The following page appears.

Click “Download”.

In the window that appears, click “Save”.

Choose a directory to save your certificate, then click "Save." A window shows the progress of the download. Once the download is completed, click "Open Folder".

The folder containing your personal certificate appears.

Installation of your personal certificate

Go to the download folder of the file. Right-click the "certificate.p12" file and choose "Install PFX".

The Certificate Import Wizard opens:

Click “Next”.

IMPORTANT NOTE Once downloaded, the PKCS#12 file (extension ".P12") containing your certificate and its associated private key must be stored on removable media (a USB stick or an external hard drive), which you must keep in a safe in order to protect access to it. Also keep the mail "Access to RTE's IS services" (see §2.2.2) that contains the password.

The name of the file containing your certificate is filled in automatically. Click “Next”.

The window below appears:

In the field “Password”, enter the “Password” present in the email “Access to RTE’s IS services” (see §2.2.2).

The check box “Enable strong private key protection. […]” is optional. Tick it if you wish to define a password that will be asked for before every use of your private key in Internet Explorer.

The check box “Mark this key as exportable. […]” is optional. Tick it if you wish to be able to export your private key later (see chapter 4.5.1 to export).

Tick the check box “Include all extended properties”. Click “Next”.

Select "Automatically select the certificate store based on the type of certificate" and click "Next".

Finally, click “Finish”.

If you previously ticked the check box “Enable strong private key protection”, then the following window appears:

Click the button “Set security level…”.

Select the option “High” then click “Next”.

Enter a name for the private key to protect and a password then click the "Finish" button. Warning: this password is required upon each use of the certificate.

Click “OK”. Finally, the following window appears:

Click “OK”.

Your certificate and your private key have been successfully imported in Internet Explorer.

Visualization and verification of your software certificate

Regardless of the browser used, the content of the downloaded certificate is the same; only the presentation of information on the screen differs. If you downloaded the certificate with Internet Explorer, open the certificate store via the menu "Tools > Internet Options", "Content" tab, button "Certificates...".

Select your certificate then click “View”.

It is valid for 3 years from the date of retrieval. The "Certification Path" tab allows checking the validity of your certificate. The "Certificate status" and the complete visualization of the certification path indicate that your certificate has been correctly installed. The presence of the trust chain (Root CA + Client CA or Historical CA) confirms that everything has been configured correctly.

The tab "Details" allows you to view the full name of the holder and the email address to which the certificate is attached.
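The "Certification Path" check described above can be reproduced from PowerShell. This is an added example, not part of RTE's guide: it builds the chain for each certificate in the current user's Personal store and reports whether the chain ends at one of the two RTE root thumbprints printed in this guide. The function name is hypothetical, and it is an assumption that the import wizard placed your certificate in "Cert:\CurrentUser\My".

```powershell
# Added example, not RTE's own tooling.
# Root thumbprints as printed in this guide (trust chain: Root CA + Client CA, or Historical CA).
$RteTrustAnchors = @(
    '39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12'  # RTE Certification Authority (Historical CA)
    '00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff'  # RTE Root Certification Authority
)

function Get-RteChainReport {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Assumption: skip revocation lookups so the check also runs offline.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($Certificate)

    # Element 0 is the certificate itself; the last element is the top of the path.
    $path   = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    $anchor = $path[$path.Count - 1]
    $pinned = $RteTrustAnchors | ForEach-Object { ($_ -replace '[^0-9A-Fa-f]', '').ToUpperInvariant() }

    [pscustomobject]@{
        Subject       = $Certificate.Subject
        NotAfter      = $Certificate.NotAfter        # end of the validity period
        HasPrivateKey = $Certificate.HasPrivateKey   # False means only the public part was imported
        ChainBuilt    = $built
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Path          = ($path | ForEach-Object { $_.Subject }) -join '  <-  '
        # A path of one element means no issuer was found in the stores.
        AnchoredAtRte = ($path.Count -ge 2 -and $pinned -contains $anchor.Thumbprint)
    }
}

Get-ChildItem -Path Cert:\CurrentUser\My |
    ForEach-Object { Get-RteChainReport -Certificate $_ } |
    Format-List
```

For a correctly installed RTE certificate, "ChainBuilt" and "AnchoredAtRte" are both True and "ChainStatus" is empty; certificates in the same store that were not issued by RTE show "AnchoredAtRte" as False.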

4.4 Using your certificate

Authentication and encryption

Steps to follow:

run Internet Explorer,

enter the URL to RTE’s application or to “RTE’s customer service portal”: https://portail.iservices.rte-france.com,

during the authentication, the browser will ask you to select the certificate to use for authentication then (if it has been defined) the certificate store protection password,

if multiple certificates are presented, you must choose the one supplied for the application you wish to access (use the button “Display certificate” to visualize its content).

Once authentication is completed, all data you send or receive will be encrypted.

Example of access to an RTE web application

Enter the URL https://portail.iservices.rte-france.com in the Internet Explorer address bar then press Return. Internet Explorer then asks you to select a certificate enabling you to authenticate to the requested site.

The line “Click here to view certificate properties…” lets you view the content of the selected certificate. Click the “OK” button to access the application. The window below asks for the password that protects the private key associated with your certificate if it has been set.

The home page is then securely displayed (appearance of the closed padlock to the right of the URL entry field):

4.5 Additional operations

Export of your personal certificate

This section explains how to save the certificate with its private key and RTE’s trust chain. The procedure is to generate a file in PKCS#12 format (".pfx" extension), protected by a password. You can only export your certificate and private key if you checked "Mark this key as exportable" when installing your personal certificate (see § 4.3.3). In Internet Explorer, click the menu "Tools > Internet Options...".

Then, click the "Content" tab and then the "Certificates" button.

Another window appears. Select your certificate, then click "Export...".

Click “Next”.

Select "Yes, export the private key" and then click "Next".

Select the check box "Include all certificates in the certification path if possible" and then click "Next".

Enter a password of your choice to protect the PKCS#12 file, and then click "Next".

Click “Browse…” and select the location of the PKCS#12 file, and then click "Next".

Finally, click the "Finish" button.

Click "OK". You have exported your certificate's private key and RTE’s trust chain (which signed your certificate) to a password-protected file in PKCS#12 format. These elements have been exported, but remain present in Internet Explorer’s store.

Deleting your personal certificate

This section details the procedure to remove a certificate and its private key from Internet Explorer’s certificate store.

IMPORTANT NOTE Before deleting your personal certificate, make sure you have a copy. If this is not the case, refer to §4.5.1 to export your certificate and private key as a PKCS#12 file.

In Internet Explorer, go to "Tools> Internet Options".

A window appears. Click the “Content” tab, then the “Certificates” button:

Select the certificate to delete and click “Remove”.

Click “Yes”.

The certificate is removed from the certificates list.

4.6 Connecting to the SSL VPN

Foreword

The connection via SSL VPN is a service for establishing a secure communications channel to RTE’s FrontOffice via the Internet. This channel is established after authenticating with your certificate from a dedicated website (see section 4.4). Once the channel is established, all communications with the requested RTE service will be encrypted. The use of SSL VPN requires a dedicated tool, which is installed during the first login to the site. The application is called Secure Application Manager (SAM).

SSL VPN enables secure access to your mailboxes hosted on RTE’s FrontOffice.

Prerequisite

The website secure.iservices.rte-france.com must be declared as a trusted site (see § 4.1.2).

IMPORTANT NOTE Before your first connection, you must verify that your workstation can resolve the address secure.iservices.rte-france.com (see section 3.1).

PSIS (Pulse Secure Installation Service) is a Windows service made available on the RTE customer site. Once installed, this service allows future SAM versions to be updated without requiring the intervention of a person with administrator privileges on the machine. To do so, download the executable from the link: http://clients.rte-france.com/lang/an/visiteurs/accueil/portail.jsp

Then decompress the compressed file:

The following window appears. Click “Yes”.

It will be automatically activated at every operating system launch.

First connection

This paragraph applies only to your first login to the SSL VPN with Internet Explorer.

IMPORTANT The first connection must be made by a computer specialist with Administrator rights on your workstation in order to install the SAM application.

Before continuing, you need to disable ActiveX Filtering in Internet Explorer. To do so, press the "Alt" key on your keyboard. A menu bar appears at the top of the window. Then click the Tools button, and make sure "ActiveX Filtering" is not selected (see the following screenshot).

Launch your browser and go to the following website:

https://secure.iservices.rte-france.com/

The following window appears:

Select your certificate then click “OK”.

If necessary, this window will ask for the password that protects the private key associated with your certificate.

The browser displays a link to install SAM (if it’s not already installed on your computer):

If no manual intervention is performed, the following installation pop-up appears:

If necessary, the following window appears:

Click “Yes”. The Pulse Secure client then installs and the installation of the SAM application starts:

Wait during the installation.

If the following window appears, click “Yes”:

Once the installation is completed, the following page appears:

If your Internet access requires authentication to a proxy, a window appears asking for your login and password. Enter them and confirm.

Then, the icon appears in your taskbar:

Click the "Sign out" button (top right of the page) to end the session:

Using the SSL VPN

Establishing the connection

Launch your browser and go to the following website:

https://secure.iservices.rte-france.com/

The following window appears:

Select your certificate then click “OK”. If necessary, a window will ask you for the password that protects the private key associated with your certificate.

If necessary, the window below appears. Click “Yes”.

The SAM application launches automatically and the following page appears:

If your Internet access requires authentication to a proxy, a window appears asking for your login and password. Enter them and confirm.

Then, the icon appears in your taskbar.

Notes:

The certificate is only used to establish the connection to the SSL VPN.

To close the SSL VPN session, click the “Sign out” button (top right of the page).

Use case to access hosted mailboxes

The SSL VPN can be used to access mailboxes hosted on the FrontOffice with a standard email client. Access to hosted mailboxes requires the SSL VPN connection to be established (see §4.6.4.1). The email account in your mail client must then be configured with the following parameters:

Mail server type : POP Server
POP server address : pop.services.rte-france.com
SMTP server address : smtp.services.rte-france.com

When your access to RTE’s FrontOffice is provided, you will receive your login name, your password and your email address.

NOTE Because the messages are transferred through a secure channel, sending and receiving messages do not require the use of a certificate to encrypt messages.

5. Mozilla Firefox

5.1 Preliminary configuration

The SSL standard, which allows access to sites over an encrypted connection (HTTPS protocol), is disabled by default in recent versions of Firefox. The supported versions of Firefox are specified in § 3.2. The standards supported by default are TLS 1.0 to TLS 1.2. In case of problems, please report the issue to RTE’s Hotline (cf § 14.1).

5.2 Installing RTE’s CAs certificates

Download and install

RTE Historical Certification Authority

This CA is the Historical CA of RTE, dealing with 2048-bit keys. This CA is necessary to ensure the coexistence of the former and the new PKIs. The RTE Historical CA certificate must now be installed in your browser so that it is recognized as a trusted Certificate Authority. To do so, please go to the following address:

IMPORTANT NOTE It is imperative to respect the case (upper / lower case) of the site’s address.

https://kregistration-user.certificat2.com/kreg-resources/CSS/RTE/RTE/Certification_Autority_RTE_2048.cer

The following pop-up, in order to download the certificate, appears:

Select “Save file” then click “OK”. You may be asked for a location to save the file “Certification_Autority_RTE_2048.cer”.

Once the file is downloaded, click the menu “Tools” in the right corner of the window then click the icon “Options”:

A window appears. Choose the “Advanced” tab then the subcategory “Certificates”.

Click the «View certificates» button.

Select the “Authorities” tab and click “Import…”.

Select the previously saved file.

A dialog box is displayed, in which you must select the three check boxes "Trust this CA to identify [...]" to trust RTE Historical CA. Click “View” to check that the certificate you have just installed is RTE Historical CA’s certificate:

To ensure that you have downloaded the real RTE Historical CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate “RTE Certification Authority” SHA1 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12

If this is not the case: click “Close” to go back to the previous window and click “Cancel”, then call RTE’s Hotline (cf § 14.1).

If, after verification, the hash of the certificate that you imported matches the "SHA1" hash above, it is possible to consult the details of the certificate by clicking on the "Details" tab:

By clicking on the "Close" button, you return to the initial window.

Click “OK”. RTE Historical CA certificate is now installed in the certificate store of Mozilla Firefox.

RTE Root Certification Authority

This CA is the new Root CA of RTE, dealing with 4096-bit keys. This CA is necessary to ensure the validation of the chain of trust. The RTE Root CA certificate must now be installed in your browser. To do so, please go to the following address:

IMPORTANT NOTE It is imperative to respect the case (upper / lower case) of the site’s address.

https://kregistration-user.certificat2.com/kreg-resources/CSS/RTE/RTE2/ACR_RTE_Root_CA_20160303.cer

The following pop-up, in order to download the certificate, appears:

Select “Save file” then click “OK”. You may be asked for a location to save the file “ACR_RTE_Root_CA_20160303.cer”.

Once the file is downloaded, click the menu “Tools” in the right corner of the window then click the icon “Options”:

A window appears. Choose the “Advanced” tab then the subcategory “Certificates”.

Click the «View certificates» button.

Select the “Authorities” tab and click “Import…”.

Select the previously saved file.

A dialog box is displayed, in which you must select the three check boxes "Trust this CA to identify [...]" to trust RTE Root CA. Click “View” to check that the certificate you have just installed is RTE Root CA’s certificate:

To ensure that you have downloaded the real RTE Root CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate “RTE Root Certification Authority” SHA1 00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff

If this is not the case: click “Close” to go back to the previous window and click “Cancel”, then call RTE’s Hotline (cf § 14.1). If, after verification, the hash of the certificate that you imported matches the "SHA1" hash above, it is possible to consult the details of the certificate by clicking on the "Details" tab:

By clicking on the "Close" button, you return to the initial window.

Click “OK”. RTE Root CA certificate is now installed in the certificate store of Mozilla Firefox.

RTE Client Certification Authority

This CA is the new Client CA of RTE, dealing with 4096-bit keys. This CA is necessary to generate the new PKI’s certificates. The RTE Client CA certificate must now be installed in your browser. To do so, please go to the following address:

IMPORTANT NOTE It is imperative to respect the case (upper / lower case) of the site’s address.

https://kregistration-user.certificat2.com/kreg-resources/CSS/RTE/RTE2/ACF_RTE_Client_CA_20160303.cer

The following pop-up, in order to download the certificate, appears:

Select “Save file” then click “OK”. You may be asked for a location to save the file “ACF_RTE_Client_CA_20160303.cer”.

Once the file is downloaded, click the menu “Tools” in the right corner of the window then click the icon “Options”:

A window appears. Choose the “Advanced” tab then the subcategory “Certificates”.

Click the «View certificates» button.

Select the “Authorities” tab and click “Import…”.

Select the previously saved file.

A dialog box is displayed, in which you must select the three check boxes "Trust this CA to identify [...]" to trust RTE Client CA. Click “View” to check that the certificate you have just installed is RTE Client CA’s certificate:

To ensure that you have downloaded the real RTE Client CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate “RTE Client Certification Authority” SHA1 C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed

If this is not the case: click “Close” to go back to the previous window and click “Cancel”, then call RTE’s Hotline (cf § 14.1). If, after verification, the hash of the certificate that you imported matches the "SHA1" hash above, it is possible to consult the details of the certificate by clicking on the "Details" tab:

By clicking on the "Close" button, you return to the initial window.

Click “OK”. RTE Client CA certificate is now installed in the certificate store of Mozilla Firefox.

Visualization and verification of RTE CAs certificates

To see the certificates in Mozilla Firefox, click the menu “Tools” in the right corner of the window then click the icon “Options”:

A window appears. Choose the “Advanced” tab then the subcategory “Certificates”.

Click the “View certificates” button.

In the “Authorities” tab, you can verify that the certificates you imported are registered under the “RESEAU DE TRANSPORT D’ELECTRICITE” organization and are saved on your computer disk (“Software Security Device”). You can see the content of each certificate by clicking on the certificate and then clicking on “View”.

Select “RTE Certification Authority” and click “View”:

To ensure that you have downloaded the real RTE Historical CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate “RTE Certification Authority” SHA1 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12

If this is not the case: click “Close” to go back to the previous window and call RTE’s Hotline (cf § 14.1). If, after verification, the hash of RTE Historical CA certificate that you imported matches the "SHA1" hash above, it is possible to consult the details of the certificate by clicking on the "Details" tab:

By clicking on the "Close" button, you return to the initial window.

Select “RTE Root Certification Authority” and click “View”:

To ensure that you have downloaded the real RTE Root CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate “RTE Root Certification Authority” SHA1 00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff

If this is not the case: click “Close” to go back to the previous window and call RTE’s Hotline (cf § 14.1).

If, after verification, the hash of RTE Root CA certificate that you imported matches the "SHA1" hash above, it is possible to consult the details of the certificate by clicking on the "Details" tab:

By clicking on the "Close" button, you return to the initial window.

Select “RTE Client Certification Authority” and click “View”:

To ensure that you have downloaded the real RTE Client CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate “RTE Client Certification Authority” SHA1 C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed

If this is not the case: click “Close” to go back to the previous window and call RTE’s Hotline (cf § 14.1).

If, after verification, the hash of RTE Client CA certificate that you imported matches the "SHA1" hash above, it is possible to consult the details of the certificate by clicking on the "Details" tab:

By clicking on the "Close" button, you return to the initial window.
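The SHA1 comparison described in section 5.2, both at import time and in the later verification of the three CAs, can also be run on the downloaded .cer file before it is imported into Firefox. The Python code below is an added example, not part of RTE's guide: it pins the three fingerprints printed above, accepts a file in binary (DER) or Base64 (PEM) form, and compares without regard to case or colons, since the guide prints its hashes in mixed case. The function names and the constructed sample bytes are assumptions made for illustration.

```python
import base64
import hashlib
import re
import sys

# SHA1 fingerprints copied from this guide (printed there in mixed case).
PUBLISHED_SHA1 = {
    "RTE Certification Authority":
        "39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12",
    "RTE Root Certification Authority":
        "00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff",
    "RTE Client Certification Authority":
        "C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed",
}

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL)


def normalize_fingerprint(text):
    """Reduce 'AA:bb:Cc' style text to 40 lowercase hex digits, or raise."""
    digits = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", digits):
        raise ValueError("not a SHA1 fingerprint: %r" % text)
    return digits


def format_fingerprint(hex_digits):
    """Render 40 hex digits as colon-separated upper-case byte pairs."""
    upper = hex_digits.upper()
    return ":".join(upper[i:i + 2] for i in range(0, len(upper), 2))


def der_bytes(file_bytes):
    """Return the DER encoding of a .cer file stored as DER or as PEM."""
    match = PEM_BLOCK.search(file_bytes)
    if match:
        # b64decode ignores the line breaks inside the PEM body.
        return base64.b64decode(match.group(1))
    # Every DER certificate starts with an ASN.1 SEQUENCE tag (0x30).
    # Anything else (for instance an error page saved as .cer) is rejected.
    if not file_bytes.startswith(b"\x30"):
        raise ValueError("file is neither a PEM nor a DER certificate")
    return file_bytes


def sha1_fingerprint(file_bytes):
    """The certificate fingerprint is the SHA1 digest of its DER encoding."""
    return hashlib.sha1(der_bytes(file_bytes)).hexdigest()


def identify_ca(file_bytes, published=PUBLISHED_SHA1):
    """Return the name of the pinned CA this file matches, or None."""
    actual = sha1_fingerprint(file_bytes)
    for name, fingerprint in published.items():
        if actual == normalize_fingerprint(fingerprint):
            return name
    return None


# Constructed stand-in bytes, NOT a real certificate: the fingerprint is a
# digest of the encoded bytes, so any DER-looking blob exercises the logic.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Usage: python check_ca.py Certification_Autority_RTE_2048.cer ...
    for path in sys.argv[1:]:
        with open(path, "rb") as handle:
            data = handle.read()
        name = identify_ca(data)
        shown = format_fingerprint(sha1_fingerprint(data))
        if name:
            print("%s: %s matches %s" % (path, shown, name))
        else:
            print("%s: %s matches no published hash, do not import"
                  % (path, shown))
```

A file that matches none of the three pinned values corresponds to the "If this is not the case" branch of the guide: cancel the import and call RTE's Hotline.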

5.3 Installing your personal certificate

Authentication on the retrieval interface

The software certificate request must have been completed in accordance with the procedure of chapter 2.2. To proceed to the retrieval you need the following information (see § 2.2.2):

The password that you or your administrator chose and supplied to RTE in the form to request access to RTE’s IS (see § 2.2.1).

Certificate email, Retrieval code and Password for the PKCS#12 file included in the email “Access to RTE’s IS services” (see §2.2.2).

For your convenience you can copy and paste the different values, being careful not to copy any space at the beginning or end. To create your certificate and the associated private key, log on to the certificate retrieval website:

IMPORTANT NOTE It is imperative to respect the case (upper / lower case) of the site’s address.

https://kregistration-user.certificat2.com/RTE/RTE2/Logiciel_SHA2:I

Click the button “Retrieval of your personal certificate”.

Fill the field “Certificate email” with the value indicated in the email “Access to RTE’s IS services” (see §2.2.2). Click “Submit”.

Fill the fields:

“Retrieval code” as indicated in the email “Access to RTE’s IS services” (see §2.2.2).

“Chosen password” which is the password you or your company representative chose and provided to RTE in the form to request access to RTE’s IS (see § 2.2.1).

Finally, click “Submit”.

Download of your certificate

The following page appears.

Click “Download”.

In the window that appears, click “Save” then “OK”.

Choose a directory to save your certificate, then click "Save".

IMPORTANT NOTE Once downloaded, the PKCS#12 file (extension ".P12") containing your certificate and its associated private key must be stored on removable media (USB stick, external hard drive), which you must keep in a safe in order to protect access to it. Also keep the mail "Access to RTE's IS services" (see §2.2.2) that contains the password.

Installation of your personal certificate

In Firefox, go to the menu "Tools" on the top right of the window and click the "Options" icon:

A window appears. Choose the tab “Advanced” then the subcategory “Certificates”.

Click “View Certificates”.

Click “Import…”.

Go to the folder you saved your certificate in, select your certificate “name_certificate.p12” and click “Open”.

If necessary, the window below will ask you for the access password to the Mozilla Firefox certificate store (see §5.5.1 to set this password):

Enter it and click “OK”. The window below appears.

Enter the “Password” given in the email “Access to RTE’s IS services” (see §2.2.2), then click “OK”.

Your certificate and its associated private key have been successfully imported into Mozilla Firefox’s certificate store.

Visualization and verification of your software certificate

Regardless of the browser used, the content of the downloaded certificate is the same; only the presentation of information on the screen differs.

In the case of Mozilla Firefox, go to the “Tools” menu (top-right corner of the window) then click the “Options” icon:

A window appears. Choose the “Advanced” tab then the “Certificates” subcategory.

Then click the “View Certificates” button.

Select the “Your Certificates” tab. The certificate is a software certificate: the “Software Security Dev…” indication appears to the right of its name. You can view it by selecting it and clicking “View…”. The first tab, “General”, displays the message “This certificate has been verified for the following uses”. The certificate is valid for 3 years from the date of withdrawal.

The second tab, “Details”, displays the certification hierarchy with the trust chain. This lets you check that all certificates have been installed correctly and that all the conditions required for your certificate are met.

5.4 Using your certificate

Authentication and encryption

Steps to follow:

run Mozilla Firefox,

enter the URL to RTE’s application or to “RTE’s customer service portal”: https://portail.iservices.rte-france.com,

during the authentication, the browser will ask you to select the certificate to use for authentication then (if it has been defined) the certificate store protection password,

if multiple certificates are presented, you must choose the one supplied for the application you wish to access (use the button “Display certificate” to visualize its content).

Once authentication is completed, all data you send or receive will be encrypted.

Example of access to an RTE web application

When you access the https://portail.iservices.rte-france.com homepage, you will be asked to choose your certificate.

Select your certificate from the drop-down list entitled “Choose a certificate to present as identification” then click “OK”. The following window will ask you for the access password to the Mozilla Firefox certificate store if it was defined.

The home page is then displayed securely (a closed padlock appears next to the URL entry field):

5.5 Additional operations

Defining the master password for personal security

To protect the private key associated with your certificate, it is strongly recommended to set a personal security password.

To do this, click the “Tools” menu on the top right of the window and click on the “Options” icon:

A window appears. Choose the “Security” tab.

If “Use a master password” is already checked, it means you already have a personal security password, and you have nothing to do.

Otherwise, check the “Use a master password” box. The following window appears:

Enter your new master password in both fields and click “OK”.

Your personal security password is now defined. You can change your personal security password at any time by going to the menu “Tools” on the top right of the window and clicking the “Options” icon.

A window appears. Choose the “Security” tab and click “Change Master Password…”.

Export of your personal certificate

This section explains how to save the certificate with its private key and trust chain. The procedure is to generate a file in PKCS#12 format (".p12"), protected by a password.

Go to the “Tools” menu at the top-right corner of the window then click the “Options” icon:

A window appears. Choose the “Advanced” tab then the “Certificates” subcategory.

Then click “View Certificates…”.

Select your certificate and click “Backup…”:

Choose a folder and a name for the output file in PKCS#12 format (extension “.p12”):

Click “Save”. If necessary, the following window will ask you for the access password to the Mozilla Firefox certificate store:

Then the following window appears:

Enter a password of your choice to protect access to the PKCS#12 file and click “OK”.

Your certificate, your private key and the trust chain are exported to the generated PKCS#12 file (extension “.p12”).

Deleting your personal certificate

This section details the procedure to remove a certificate and its private key from Mozilla Firefox’s certificate store.

IMPORTANT NOTE Before deleting your personal certificate, make sure to have a copy. If this is not the case, refer to § 5.5.2 to export your certificate and private key as a PKCS#12 file.

Go to the “Tools” menu at the top-right corner of the window then click the “Options” icon:

A window appears. Choose the “Advanced” tab then the “Certificates” subcategory.

Then click “View Certificates...”.

Select your certificate and click “Delete…”.

Validate by clicking “OK”. The certificate is then removed from the list of certificates.

5.6 Connecting to the SSL VPN

Foreword

The connection via SSL VPN is a service for establishing a secure communications channel to RTE’s FrontOffice via the Internet. This channel is established after authenticating with your certificate from a dedicated website (see section § 5.4). Once the channel is established, all communications with the requested RTE service will be encrypted. The use of SSL VPN requires the installation of a dedicated tool, installed during the first login to the site. The application is called Secure Application Manager (SAM).

SSL VPN enables secure access to your mailboxes hosted on RTE’s FrontOffice.

Prerequisite

In order to connect to the SSL VPN with Firefox, Java SE Runtime Environment (JRE) 1.5.07 or higher needs to be installed on your workstation. If this is not the case, you can download the latest version on Oracle’s website:

http://java.com/fr/download/index.jsp

PSIS (Pulse Secure Installation Service) is a Windows service made available on the RTE customer site. Once installed, this service allows future SAM versions to be updated without requiring the intervention of a person with administrator privileges on the machine. To do so, download the executable from the link: http://clients.rte-france.com/lang/an/visiteurs/accueil/portail.jsp

Then decompress the compressed file:

IMPORTANT NOTE Before your first connection, you must verify that your workstation can resolve the address secure.iservices.rte-france.com (see section 3.1).

Once the file is executed, the following window appears. Click “Yes”.

This enables the service installation to start.

It will be automatically activated at every operating system launch.

First connection

This paragraph applies only to your first login to the SSL VPN with Mozilla Firefox.

IMPORTANT The first connection must be made by a computer specialist with Administrator rights on your workstation in order to install the SAM application.

Launch your browser and go to the following website:

https://secure.iservices.rte-france.com/

The following window appears:

Select your certificate from the dropdown list entitled “Choose a certificate to present as identification” and click “OK”. If necessary, the following window will ask you for the access password to the Mozilla Firefox certificate store.

If a window asking you permission to execute a script from “Pulse Secure, LLC.” appears, click “Yes”.

If the following red icon appears, click it in the address bar. Then in the dropdown menu of the message, select “Activate all plugins” and then choose “Allow and remember”.

The following window appears. Click “Run”:

If necessary, the following window appears:

If the window below appears, click “Yes”.

The installation of the SAM application starts:

If your Internet access requires authentication to a proxy, a window appears asking for your login and password. Enter them and confirm. Then the window below appears:

Then the icon appears in your taskbar, which means you are now connected to the SSL VPN.

Click the "Sign out" button (top right of the page) to end the session:

Using the SSL VPN

Establishing the connection

Run your browser and access the following website:

https://secure.iservices.rte-france.com/

The following window appears:

Select your certificate from the dropdown list entitled “Choose a certificate to present as identification” and click “OK”. If necessary, the following window will ask you for the access password to the Mozilla Firefox certificate store.

If a window appears asking you for permission to execute a script from “Pulse Secure, LLC.”, click “Yes”:

If your Internet access requires authentication to a proxy, a window appears asking for your login and password. Enter them and confirm. Then the window below appears:

Then the icon appears in your taskbar, which means you are now connected to the SSL VPN.

Notes:

The certificate is only used to establish the connection to the SSL VPN.

To close the SSL VPN session, click on the “Sign out” button (top right of the page).

Use to access hosted mailboxes

The SSL VPN can be used to access mailboxes hosted on the FrontOffice with a standard email client. Access to hosted mailboxes requires the SSL VPN connection to be established (see § 5.6.4.1). The email account configuration in your mail client is then to be made with the following parameters:

Mail server type: POP Server
POP server address: pop.services.rte-france.com
SMTP server address: smtp.services.rte-france.com

When your access to RTE’s FrontOffice is provided, you will receive your login name, your password and your email address.

NOTE Because the messages are transferred through a secure channel, sending and receiving messages does not require the use of a certificate to encrypt messages.

E. EMAIL EXCHANGES WITH RTE’S INFORMATION SYSTEM

This section only applies if you need to exchange signed-encrypted email with RTE applications. After reading chapter 6 (overview), refer directly to the chapter associated with the email client that you use for your mail exchanges with RTE:

Chapter 7 if you use Microsoft Outlook 2013 as email client.

Chapter 8 if you use Mozilla Thunderbird as email client.

Chapter 9 if you use Lotus Notes as email client.

6. Using your certificate to exchange emails

6.1 Certificate usage principle

Using your personal certificate, its associated private key, the RTE CA certificates and RTE’s application certificate, you can:

decrypt and verify the signature of emails you receive from RTE applications,

encrypt and sign emails you send to RTE applications.

6.2 Decryption and signature verification of a received message

Decrypting a message and verifying its signature are separate processes. When you receive an encrypted-signed message:

you decrypt the message with the private key associated with your personal certificate,

you verify the message signature with the certificate of the sender (that of the RTE application) contained in the message, and with the certificate of the issuing CA, which you hold and trust.

These two processes are done automatically when you open a signed-encrypted email with a properly configured email client that supports the secure email format S/MIME.

IMPORTANT NOTE

To verify the signature of a message you need to own the right certificate and trust the CA that issued the certificate of the sender.

6.3 Encryption and signing of a sent message

Encrypting and signing a message are two separate processes. When you send an encrypted-signed message:

you sign the message with the private key associated with your personal certificate,

you encrypt the message with the recipient’s certificate (RTE’s application certificate).

The certificate of the recipient can be obtained in several ways. RTE applications transmit their certificate to you by sending a signed message: that is how you will get their certificate. When you receive a signed message, use "Add sender to contacts" to save its certificate at the same time; you can then use it to send encrypted messages to that sender.

IMPORTANT NOTE

Encrypting a message requires possessing a valid certificate corresponding to the recipient's email address.
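The two flows of §6.2 and §6.3, reproduced with the `openssl smime` command line as an added example that is not part of RTE's guide. The test CAs, the `user` and `app` identities, the `example.test` addresses and the helper names (`make_test_pki`, `seal`, `unseal`) are all constructed for illustration; it also shows the two failure cases the notes above imply, an untrusted issuing CA and a private key that does not match the recipient.

```shell
#!/bin/sh
# Added example: S/MIME sign-then-encrypt and decrypt-then-verify (sections 6.2 and 6.3).
# Every key, certificate, name and address below is a constructed test value.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT   # the test keys are stored unencrypted, so remove them on exit

# Minimal OpenSSL configuration so the certificate extensions do not depend on system defaults.
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = emailProtection
EOF

make_ca() {    # make_ca <name> <common name>: self-signed test CA
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$WORK/pki.cnf" \
        -extensions ca_ext -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

make_leaf() {  # make_leaf <name>: key pair and certificate issued by the test CA "ca"
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/pki.cnf" \
        -subj "/CN=$1/emailAddress=$1@example.test" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -extfile "$WORK/pki.cnf" -extensions leaf_ext \
        -out "$WORK/$1.pem" 2>/dev/null
}

make_test_pki() {  # issuing CA, an unrelated CA, and the two correspondents
    make_ca ca "Test Issuing CA" && make_ca other "Unrelated Test CA" &&
    make_leaf user && make_leaf app
}

# 6.3: sign with the sender's private key, then encrypt with the recipient's certificate.
seal() {       # seal <sender> <recipient> <plaintext file> <output file>
    openssl smime -sign -text -in "$3" -signer "$WORK/$1.pem" -inkey "$WORK/$1.key" \
        -out "$WORK/signed.eml" 2>/dev/null || return 1
    openssl smime -encrypt -aes256 -in "$WORK/signed.eml" -out "$4" "$WORK/$2.pem" 2>/dev/null
}

# 6.2: decrypt with the recipient's private key, then verify the signature using the
# sender certificate carried in the message and a CA certificate the recipient trusts.
unseal() {     # unseal <recipient> <trusted CA file> <message file>; prints the plaintext
    openssl smime -decrypt -in "$3" -recip "$WORK/$1.pem" -inkey "$WORK/$1.key" \
        -out "$WORK/inner.eml" 2>/dev/null || return 2   # not encrypted for this key
    openssl smime -verify -text -in "$WORK/inner.eml" -CAfile "$2" \
        -out "$WORK/plain.txt" 2>/dev/null || return 3   # signature or trust chain rejected
    tr -d '\r' < "$WORK/plain.txt"                       # S/MIME canonical text uses CRLF
}

make_test_pki || { echo "openssl could not build the test PKI" >&2; exit 1; }
printf 'Constructed test message\n' > "$WORK/msg.txt"
seal user app "$WORK/msg.txt" "$WORK/mail.eml"

echo "recipient trusting the issuing CA: $(unseal app "$WORK/ca.pem" "$WORK/mail.eml")"
unseal app "$WORK/other.pem" "$WORK/mail.eml" >/dev/null ||
    echo "recipient without the issuing CA: rejected (code $?)"
unseal user "$WORK/ca.pem" "$WORK/mail.eml" >/dev/null ||
    echo "holder of a different private key: rejected (code $?)"
```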

6.4 Steps to configure your email client

In order to be able to exchange signed-encrypted emails with RTE, the steps are as follows:

Install the certificates of the 3 RTE CAs (Historical, Root, and Client), so that your mail client trusts the certificates of RTE’s applications and is able to verify the signature of signed-encrypted emails you receive from them.

Install your personal certificate, so your mail client can decrypt the messages from RTE and sign messages to RTE.

Configure the email account you will use to exchange with RTE so that your email client always encrypts and signs messages to the RTE applications using the standard S/MIME.

Install RTE’s application certificate, so that your email client can encrypt emails you send to RTE applications.

To perform these steps, please refer directly to one of the following chapters: the one concerning the email client that you use for your mail exchanges with RTE.

7. Microsoft Outlook 2013

7.1 Installing RTE Historical CA certificate

Outlook 2013 uses the same certificate store as Internet Explorer. Install the certificate of RTE Historical CA in Internet Explorer by following the procedure described in chapter 4.2.1.1 if not already done.

7.2 Installing RTE Root CA certificate

Outlook 2013 uses the same certificate store as Internet Explorer. Install the certificate of RTE Root CA in Internet Explorer by following the procedure described in chapter 4.2.1.2 if not already done.

7.3 Installing RTE Client CA certificate

Outlook 2013 uses the same certificate store as Internet Explorer. Install the certificate of RTE Client CA in Internet Explorer by following the procedure described in chapter 4.2.1.3 if not already done.

7.4 Installing your personal certificate

Outlook 2013 uses the same certificate store as Internet Explorer. Install your personal certificate in Internet Explorer by following the procedure described in chapter 4.3.3 if not already done.

7.5 Email account configuration

Start Outlook 2013 and click the menu “File > Options > Trust Center” then click “Trust Center Settings…”.

In the left column, click “E-mail security”, then click the “Settings…” button.

Click the two “Choose…” buttons in order to select your personal certificate for signing and encryption. A list of selectable certificates is presented to you (you can also display a certificate from the list to view its contents and make sure you choose the right one).

Make sure the settings are similar to the ones above (S/MIME, check boxes, certificates, algorithms); if the field “Security Settings Name” is empty, enter a label such as “RTE Certification”. Finally click “OK”.

Check the boxes “Encrypt contents and attachments for outgoing messages” and “Add digital signature to outgoing messages”, then click “OK”.

All your emails sent to RTE applications using the default account will now be encrypted and signed.

7.6 Installing RTE’s application certificate

After receiving the first encrypted and signed message from an application, you must install the certificate of the issuing application. To do this, add the email address of the application to your address book by right-clicking the sender of the received email and then choosing “Add to Outlook contacts”:

Click “General”:

Click “Certificates”:

Click “Save & Close” to save. All your encrypted emails sent to this application will be encrypted automatically with the application’s certificate.

7.7 Using the certificate: sending a signed-encrypted email

To encrypt and sign a message, first create a new message by clicking “New”.

To sign and encrypt your message, verify that both icons below are activated or click on them to activate.

8. Mozilla Thunderbird

8.1 Installing certificates of the 3 RTE’s CAs

The certificates of the 3 RTE CAs (Historical, Root and Client) must first be installed so that Thunderbird can verify the signature of emails sent by RTE.

RTE Historical Certification Authority

With your web browser go to the address below to download the file “Certification_Autority_RTE_2048.cer” containing RTE Historical CA certificate:

https://kregistration-user.certificat2.com/kreg-resources/CSS/RTE/RTE/Certification_Autority_RTE_2048.cer

With Internet Explorer:

Click the "Save" button and choose a location to save the file "Certification_Autority_RTE_2048.cer".

With Mozilla Firefox:

Select “Save file” then click “OK”. You may then be asked for a location to save the file “Certification_Autority_RTE_2048.cer”.

IMPORTANT NOTE It is imperative to respect the case (upper / lower case) of the following websites’ addresses.

The certificate you just downloaded must be installed in Thunderbird certificate store. In the menu "Tools" on the top right of the window click “Options”:

A window appears. Choose the “Advanced” tab then the “Certificates” subcategory.

Click the button “View Certificates”.

Select the “Authorities” tab and click “Import…”.

Select the previously saved file “Certification_Autority_RTE_2048.cer” and click “Open”.

A dialog box is displayed, in which you must select the three check boxes "Trust this CA to identify [...]" to trust RTE Historical CA. Click the "View" button to verify that the certificate that you are going to trust is the certificate of RTE Historical CA:

To ensure that you have downloaded the real RTE Historical CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate “RTE Certification Authority” SHA1 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12

If this is not the case: click “Close” to go back to the previous window and click “Cancel”, then call RTE’s Hotline (cf § 14.1). If this is the case, click “Close” to return to the initial window: "Downloading certificate":

Click the "OK" button: RTE Historical CA's certificate is then installed.

RTE Root Certification Authority

With your web browser go to the address below to download the file “ACR_RTE_Root_CA_20160303.cer” containing RTE Root CA certificate:

https://kregistration-user.certificat2.com/kreg-resources/CSS/RTE/RTE2/ACR_RTE_Root_CA_20160303.cer

With Internet Explorer:

Click the "Save" button and choose a location to save the file "ACR_RTE_Root_CA_20160303.cer".

With Mozilla Firefox:

Select “Save file” then click “OK”. You may then be asked for a location to save the file “ACR_RTE_Root_CA_20160303.cer”.

The certificate you just downloaded must be installed in Thunderbird certificate store. In the menu "Tools" on the top right of the window click “Options”:

A window appears. Choose the “Advanced” tab then the “Certificates” subcategory.

Click the button “View Certificates”.

Select the “Authorities” tab and click “Import…”.

Select the previously saved file “ACR_RTE_Root_CA_20160303.cer” and click “Open”.

A dialog box is displayed, in which you must select the three check boxes "Trust this CA to identify [...]" to trust RTE Root CA. Click the "View" button to verify that the certificate that you are going to trust is the certificate of RTE Root CA:

To ensure that you have downloaded the real RTE Root CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate “RTE Root Certification Authority” SHA1 00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff

If this is not the case: click “Close” to go back to the previous window and click “Cancel”, then call RTE’s Hotline (cf § 14.1). If this is the case, click “Close” to return to the initial window: "Downloading certificate":

Click the "OK" button: RTE Root CA's certificate is then installed.

RTE Client Certification Authority

With your web browser go to the address below to download the file “ACF_RTE_Client_CA_20160303.cer” containing RTE Client CA certificate:

https://kregistration-user.certificat2.com/kreg-resources/CSS/RTE/RTE2/ACF_RTE_Client_CA_20160303.cer

With Internet Explorer:

Click the "Save" button and choose a location to save the file "ACF_RTE_Client_CA_20160303.cer".

With Mozilla Firefox:

Select “Save file” then click “OK”. You may then be asked for a location to save the file “ACF_RTE_Client_CA_20160303.cer”.

The certificate you just downloaded must be installed in Thunderbird certificate store. In the menu "Tools" on the top right of the window click “Options”:

A window appears. Choose the “Advanced” tab then the “Certificates” subcategory.

Click the button “View Certificates”.

Select the “Authorities” tab and click “Import…”.

Select the previously saved file “ACF_RTE_Client_CA_20160303.cer” and click “Open”.

A dialog box is displayed, in which you must select the three check boxes "Trust this CA to identify [...]" to trust RTE Client CA. Click the "View" button to verify that the certificate that you are going to trust is the certificate of RTE Client CA.

To ensure that you have downloaded the real RTE Client CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate “RTE Client Certification Authority” SHA1 C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed

If this is not the case: click “Close” to go back to the previous window and click “Cancel”, then call RTE’s Hotline (cf § 14.1). If this is the case, click “Close” to return to the initial window: "Downloading certificate":

Click the "OK" button: RTE Client CA's certificate is then installed.
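The SHA1 comparison required for each of the three CA certificates can also be made on the downloaded files before importing them. The following Python script is an added example, not part of RTE's guide: it uses the file names and SHA1 hashes printed in this section, assumes the files were saved under those names, and its function names are chosen for the example.

```python
"""Compare downloaded RTE CA certificate files with the SHA1 hashes printed in this guide."""
import base64
import binascii
import hashlib
import hmac
import re
import sys
from pathlib import Path

# File names and SHA1 hashes exactly as printed in section 8.1 of this guide.
PUBLISHED_SHA1 = {
    "Certification_Autority_RTE_2048.cer":
        "39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12",
    "ACR_RTE_Root_CA_20160303.cer":
        "00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff",
    "ACF_RTE_Client_CA_20160303.cer":
        "C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed",
}

_PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def to_der(raw: bytes) -> bytes:
    """Return the DER bytes of a .cer file, which may be binary DER or Base64 (PEM).

    The SHA1 hash shown in the certificate viewer is computed over the DER
    encoding, so a Base64 file must be decoded before hashing.
    """
    match = _PEM_RE.search(raw)
    if match is None:
        der = raw
    else:
        body = b"".join(match.group(1).split())  # drop line breaks
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError("corrupt Base64 body in certificate file") from exc
    # Every X.509 certificate starts with an ASN.1 SEQUENCE tag (0x30). This
    # catches an HTML error page saved under the .cer name.
    if not der.startswith(b"\x30"):
        raise ValueError("file does not look like an X.509 certificate")
    return der


def normalize(fingerprint: str) -> str:
    """Turn 'C8:53:de:...' (any case, colons or spaces) into 40 lowercase hex digits."""
    hex_only = re.sub(r"[\s:]", "", fingerprint).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", hex_only):
        raise ValueError("a SHA1 hash is exactly 20 bytes of hexadecimal")
    return hex_only


def sha1_fingerprint(raw: bytes) -> str:
    """SHA1 hash of the certificate, as 40 lowercase hex digits."""
    return hashlib.sha1(to_der(raw)).hexdigest()


def matches_published(file_name: str, raw: bytes) -> bool:
    """True only if file_name is one of the three CA files and its hash matches."""
    expected = PUBLISHED_SHA1.get(file_name)
    if expected is None:
        return False
    return hmac.compare_digest(sha1_fingerprint(raw), normalize(expected))


def format_like_dialog(hex_digest: str) -> str:
    """Render a digest as colon-separated pairs, as the certificate viewer does."""
    return ":".join(hex_digest[i:i + 2] for i in range(0, len(hex_digest), 2)).upper()


if __name__ == "__main__":
    # Usage: python check_rte_ca.py <downloaded .cer file> [...]
    exit_code = 0
    for arg in sys.argv[1:]:
        path = Path(arg)
        try:
            data = path.read_bytes()
            ok = matches_published(path.name, data)
            shown = format_like_dialog(sha1_fingerprint(data))
        except (OSError, ValueError) as exc:
            ok, shown = False, f"unreadable ({exc})"
        print(f"{path.name}: {shown} -> {'MATCH' if ok else 'DO NOT IMPORT'}")
        exit_code |= 0 if ok else 1
    sys.exit(exit_code)
```

A file reported as "DO NOT IMPORT" is handled as the guide prescribes for a mismatch: cancel the import and call RTE's Hotline.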

Visualization of RTE CAs certificates

To view the CAs certificates later in Mozilla Thunderbird, go to the "Tools" menu on the top right of the window then click the "Options" icon:

A window appears. Select the “Advanced” tab then the subcategory “Certificates”.

Click the “View Certificates” button.

In the “Authorities” tab, you can verify that the certificates “RTE Certification Authority”, “RTE Root Certification Authority” and “RTE Client Certification Authority” that you imported are registered in Thunderbird (“Software Security Device”). You can see the content of each certificate by clicking on the certificate and then clicking on “View”. Select “RTE Certification Authority” and click “View”:

To ensure that you have downloaded the real RTE Historical CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate “RTE Certification Authority” SHA1 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12

If this is not the case: click “Close” to go back to the previous window and call RTE’s Hotline (cf § 14.1).

If, after verification, the hash of the certificate that you imported matches the "SHA1" hash above, it is possible to consult the details of the certificate by clicking on the "Details" tab:

By clicking on the "Close" button, you return to the initial window.

Select “RTE Root Certification Authority” and click “View”:

To ensure that you have downloaded the real RTE Root CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate “RTE Root Certification Authority” SHA1 00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff

If this is not the case: click “Close” to go back to the previous window and call RTE’s Hotline (cf § 14.1).

If, after verification, the hash of the certificate that you imported matches the "SHA1" hash above, it is possible to consult the details of the certificate by clicking on the "Details" tab:

By clicking on the "Close" button, you return to the initial window.

Select “RTE Client Certification Authority” and click “View”:

To ensure that you have downloaded the real RTE Client CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate “RTE Client Certification Authority” SHA1 C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed

If this is not the case: click “Close” to go back to the previous window and call RTE’s Hotline (cf § 14.1).

If, after verification, the hash of the certificate that you imported matches the "SHA1" hash above, it is possible to consult the details of the certificate by clicking on the "Details" tab:

By clicking on the "Close" button, you return to the initial window.

8.2 Installing your personal certificate

To be able to import your certificate in Mozilla Thunderbird, you must have the file “name_certificate.p12” downloaded with your browser when retrieving your certificate (see §4.3.2 for Internet Explorer, §5.3.2 for Mozilla Firefox). Start Mozilla Thunderbird, go to the menu "Tools" on the top right of the window and click the "Options" icon:

A window appears. Choose the “Advanced” tab then the “Certificates” subcategory.

Click “View Certificates”.

In the “Your certificates” tab, click “Import”. In the drop-down menu “File type” select “PKCS12 Files (*.p12;*.pfx)”:

Go to the folder you saved your certificate in, select your certificate “certificate.p12” and click “Open”.

If necessary, the window below will ask you for the password that protects access to the Mozilla Thunderbird certificate store (see §8.6 to set this password):

Click “OK”.

N.B.: if there is no master password, Thunderbird will ask you to define one.

Enter the password protecting the PKCS#12 file and click “OK”.

Your certificate and its associated private key have been successfully imported in Mozilla Thunderbird’s certificate store.

Verify this is the right certificate by clicking on “View…”.

The second tab “Details” displays the certification hierarchy with the trust chain. This ensures that all certificates have been installed correctly, and that all the correct conditions of your certificate are met.

8.3 Email account configuration

To sign and encrypt with your certificate, it must be associated with the email account corresponding to the email address specified in the Certificate subject. To do this, start Mozilla Thunderbird and press the “Alt” key on your keyboard; a menu bar appears at the top of the window. Click “Tools” then “Account Settings”.

A window appears. Select the “Security” item of the email account you use to exchange with RTE:

Click “Select…” to open the following window:

Select your certificate in the drop-down list and click “OK”. The following message appears:

Click “Yes” to automatically define the same certificate to decrypt received emails.

NOTE Although for encryption, the text indicates that your certificate will be used to “encrypt and decrypt messages sent”, it will not actually be used to decrypt messages received.

All your emails sent to RTE applications using this account will now be encrypted and signed.

8.4 Installing RTE’s application certificate

After receiving the first encrypted and signed message from an application, the application certificate installs automatically. However you can add the application’s email address to your address book by right-clicking the sender of the received email and then clicking “Add to Address Book”:

The contact has been added to the address book. To verify that the application certificate is correctly installed, go to the menu “Tools” (top-right corner of the window) and click “Options”:

A window appears. Choose the “Advanced” tab then the “Certificates” subcategory. Then click “View Certificates”.

A window appears. Click the “People” tab.

Every time an encrypted email is sent to this application, the application’s certificate will be used automatically to encrypt it.

8.5 Using the certificate: sending a signed-encrypted email

To encrypt and sign a message, first create a new message by clicking “Write”. Click the “Security” tab to verify the options “Encrypt this message” and “Digitally sign this message”. These options should be checked by default; if they are not, check them.

8.6 Defining the master password for personal security

To protect the private key associated with your certificate it is strongly recommended to set a personal security password. To do this, click the “Tools” menu on the top right of the window and click on the “Options” icon:

A window appears. Choose the “Security” tab and then click on the “Passwords” tab.

If “Use a master password” is already checked, it means you already have a personal security password, and you have nothing to do. Otherwise, check the “Use a master password” box. The following window appears:

Enter your new master password in both fields and click “OK”. Your personal security password is now defined. You can modify your personal security password by following the same steps.

9. Lotus Notes

9.1 How to know which CA signed your personal certificate

If you previously followed §5.2 of this document with Mozilla Firefox, please follow section 9.1.1. If you previously followed §4.2 of this document with Internet Explorer, please follow section 9.1.2. The RTE Root CA and RTE Client CA certificates must already have been imported into the Internet Explorer certificate store or the Mozilla Firefox certificate store.

Using Mozilla Firefox

In Mozilla Firefox certificate store, select your personal certificate and click on “View”:

Select the “Details” tab:

A certificate signed by RTE Historical CA: the trust chain has only one level. Only the certificate “RTE Certification Authority” of RTE Historical CA can be seen.

A certificate signed by RTE’s new PKI: the trust chain has two levels. The certificate “RTE Root Certification Authority” of RTE Root CA and the certificate “RTE Client Certification Authority” of RTE Client CA are present.

Using Internet Explorer

In Internet Explorer certificate store, select your personal certificate and click on “View”:

Select the “Certification Path” tab:

A certificate signed by RTE Historical CA: the trust chain has only one level. Only the certificate “RTE Certification Authority” of RTE Historical CA can be seen.

A certificate signed by RTE’s new PKI: the trust chain has two levels. The certificate “RTE Root Certification Authority” of RTE Root CA and the certificate “RTE Client Certification Authority” of RTE Client CA are present.

9.2 Installation on Lotus Notes

After reading chapter 9.1, which explains how to know which CA signed your personal certificate, please refer to the chapter that covers the version of Lotus Notes you use and its compatibility with the certificate RTE gives you:

If your personal certificate is signed by RTE Historical CA:
  If you use Lotus Notes 8.5: please go to chapter 10 Lotus Notes 8.5.
  If you use Lotus Notes 9: please go to chapter 11 Lotus Notes 9.

If your personal certificate is signed by RTE New PKI:
  If you use Lotus Notes 8.5: please contact RTE’s Hotline (cf § 14.1).
  If you use Lotus Notes 9: please go to chapter 11 Lotus Notes 9.


10. Lotus Notes 8.5

Don’t follow this section if your personal certificate is not signed by RTE new PKI (see 9.1).

10.1 Installing RTE Historical CA certificate

RTE’s certificates will be installed by “Cross certification” when you receive your first signed-encrypted email from the application (see §10.4). Note: “Cross certification” is a process that lets a user install the certificate of another entity when receiving a message from that entity. Messages sent to that specific entity will be encrypted with that “Cross certification”.

10.2 Installing your personal certificate

Creation of a PKCS#12 file readable by Notes

Lotus Notes can install a certificate and its associated private key only from a PKCS#12 file that contains RTE Historical CA. This is not the case for the file “name_certificate.p12” you downloaded when you retrieved your certificate. To generate a file accepted by Lotus Notes, install RTE Historical CA and your certificates in a browser and then export your personal certificate as a PKCS#12 file. Depending on the browser you are using, perform one of the procedures below.

With Microsoft Internet Explorer:
o Install RTE Historical CA certificate, see § 4.2.1.1.
o Install your personal certificate, making sure to check the box “Mark this key as exportable”, see §4.3.3.
o Export your certificate in a PKCS#12 file, making sure to check the box “Include all certificates in the certification path if possible”, see §4.5.1.

With Mozilla Firefox:
o Install RTE Historical CA certificate, see § 5.2.1.1.
o Install your personal certificate, see §5.3.3.
o Export your certificate to a PKCS#12 file, see §5.5.2 (RTE Historical CA will automatically be included).


Installing the PKCS#12 file in Notes

Start Lotus Notes and go to “File > Security > User Security…”:

If requested, enter your Notes password:


The following window appears:

Click “Your Identity” then “Your Certificates”:


Select “Your Internet Certificates” in the drop-down list to display the Internet certificates already imported. Click the “Get Certificates…” button and select “Import Internet Certificates…”:

A window appears asking you to select a PKCS#12 file (extension “.pfx” or “.p12”). Select the file you generated at §10.2.1 containing your personal certificate, its private key and RTE Historical CA’s certificate:


Click “Open” and in the window below choose the format: PKCS 12:

Click “Continue”. The PKCS12 file’s password is requested:

Click “OK” and the window below is displayed:


The personal certificate you want to import and RTE Historical CA’s certificate are listed. If you click “Advanced Details…”, the content of the selected certificate (yours) appears in the window:

Click “Cancel” to go back to the previous window.


To see the content of RTE Historical CA’s certificate, you must select it:

And click “Advanced Details…”:

To ensure that you have downloaded the real RTE Historical CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate “RTE Certification Authority”
SHA1: 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12

If this is not the case: click “Close” to go back to the previous window and click “Cancel”, then call RTE’s Hotline (cf § 14.1). If this is the case, click “Close” to return to the initial window: “Import Internet Certificate”.


Click “Close” to go back to the main screen:

Click “Accept All”.

Enter your Notes password and click “OK”.

Click “OK”, the window below appears:


The certificate, now visible here, has successfully been imported. Click “OK” to end the import.

Visualization of the certificate

To view your certificate, in Lotus Notes access the menu “File > Security > User Security…”, then click the item “Your Identity” and “Your Certificates”. Select “Your Internet Certificates” in the drop-down list.

Select your personal certificate and click the “Advanced Details…” button. The certificate’s details are then presented in the window below:


To view RTE Historical CA's certificate, in Lotus Notes access the menu “File > Security > User Security…”, then click the item “Your Identity” and “Your Certificates”. Select “All Internet Certificates” in the drop-down list.


To see the content of RTE Historical CA’s certificate, you must select it, and click “Advanced Details…”:

To ensure that you have downloaded the real RTE Historical CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate “RTE Certification Authority”
SHA1: 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12

If this is not the case: click “Close” to go back to the previous window and click “Cancel”, then call RTE’s Hotline (cf § 14.1).

10.3 Email account configuration

If you have multiple certificates used to sign the messages you send, you have to set as the default the one that will be used for exchanges with RTE. In Lotus Notes, open the menu “File > Security > User Security…”, then click “Your Identity” and “Your Certificates”:


Select “Your Internet Certificates” in the drop-down list to display your Internet certificates that are already imported. Select your certificate and click the “Advanced Details” button.

If you only have one certificate, the box “Use this certificate as your default signing certificate” will be greyed out and checked. If not, check it, as above, and click “OK”.

10.4 Installing RTE’s application certificate

When you select, for the first time, a signed and encrypted message you have received, a dialog box similar to the one below appears, allowing you to trust the issuer:


To do this, click the “Cross certify” button. Then, when you display this signed message, right-click the email and choose “Add Sender to Contacts…” in the menu, which adds the issuer and its certificate to your Address Book.

The following window appears:


Simply verify that the box “Include X.509 certificates when encountered” is checked and click “OK”. Whenever an encrypted email is sent to this application, its installed certificate will now automatically be selected to perform the encryption.

10.5 Using the certificate: sending a signed-encrypted email

When composing a message, you can sign and encrypt it if you have your own signature certificate (see §10.4) and that of your correspondent. To do so, when you write a new message, click the “Delivery Options” button.


Check the “Sign” and “Encrypt” boxes as shown below:

Click “OK”. The rest of the sending process is unchanged: Notes automatically signs and encrypts your message transparently.


11. Lotus Notes 9

11.1 Installing RTE’s applications certificates

RTE’s applications certificates will be installed by “Cross certification” when you receive your first signed-encrypted email from the application (see §11.6). Note: “Cross certification” is a process that lets a user install the certificate of another entity when receiving a message from that entity. Messages sent to that specific entity will be encrypted with that “Cross certification”.

11.2 Installing RTE CA’s certificates

Installing RTE Historical CA’s certificate

With your web browser, go to the address below to download the file “Certification_Autority_RTE_2048.cer” containing RTE Historical CA’s certificate:

https://kregistration-user.certificat2.com/kreg-resources/CSS/RTE/RTE/Certification_Autority_RTE_2048.cer

With Internet Explorer:

Click the “Save” button and choose a location to save the file “Certification_Autority_RTE_2048.cer”.

With Mozilla Firefox:

Select “Save file” then click “OK”. A location to save the file “Certification_Autority_RTE_2048.cer” may be requested.


Start Lotus Notes and go to “File > Security > User Security…”:

If requested, enter your Notes password.


The following window appears:

Click “Your Identity” then “Your Certificates”:

Select “Your Internet Certificates” in the drop-down list to display the Internet certificates already imported.


Click the “Get Certificates…” button and select “Import Internet Certificates…”:

A window appears asking you to select a file. Choose to display all file extensions. Select the certificate of RTE Historical CA, “Certification_Autority_RTE_2048.cer”, previously downloaded:


Click “Open” and in the window below choose the format “Base 64 encoded X.509”:

Click “Continue” and the window below is displayed:

RTE Historical CA’s certificate is listed. If you click “Advanced Details…” the content of the selected certificate appears in the following window:


To ensure that you have downloaded the real RTE Historical CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate “RTE Certification Authority”
SHA1: 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12

If this is not the case: click “Close” to go back to the previous window and click “Cancel”, then call RTE’s Hotline (cf § 14.1). If this is the case, click “Close” to return to the initial window: “Import Internet Certificate”.


Click “Accept All”.

Click “OK”, the certificate has successfully been imported.

Installing RTE Root and RTE Client CAs certificates

To import the trust chain formed by RTE Root CA and RTE Client CA, you need to create a PKCS#7 file that contains the certificates of these two CAs. To create the file, follow one of the two sections 11.2.2.1 or 11.2.2.2, depending on the process you followed earlier in this document: §5.2 with Mozilla Firefox or §4.2 with Internet Explorer. For the file creation to succeed, the certificates of RTE Root and RTE Client CAs must already have been imported into the Internet Explorer certificate store or the Mozilla Firefox certificate store.

Creating P7c file containing RTE Root CA/RTE Client CA trust chain with Mozilla Firefox

In the certificate store of Mozilla Firefox, select the RTE Client CA’s certificate “RTE Client Certification Authority“ and click on “Export…”:

Choose where to save the file, choose the file type “X.509 Certificate with chain (PKCS#7) (*.p7c)“:


Click on “Save”. Go on to step §11.2.2.3 to import the trust chain into Lotus Notes 9.

Creating P7b file containing RTE Root CA/RTE Client CA trust chain with Internet Explorer

In Internet Explorer certificate store, select the RTE Client CA’s certificate “RTE Client Certification Authority” and click on “Export…”:


The Certificate Export wizard opens, click on “Next”:


Choose the “Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B)” option and check “Include all certificates in the certification path if possible”. Click on “Next>”.


Click on “Browse…”. Choose a place to save your .p7b file and click on “Save”:

Click on “Next>”.


Click on “Finish”.


Click on “OK”.

Go on to the next step, §11.2.2.3, to import the trust chain into Lotus Notes 9.


Importing PKCS7 file in Lotus Notes 9

Start Lotus Notes and go to “File > Security > User Security…”:

If requested, enter your Notes password.


The following window appears:

Click “Your Identity” then “Your Certificates”:

Select “Your Internet Certificates” in the drop-down list to display the Internet certificates already imported.


Click the “Get Certificates…” button and select “Import Internet Certificates…”:

A window appears asking you to select a file, choose PKCS#7 type of file (extension “.p7b” or “.p7c”).

If you followed the process on Mozilla Firefox (§ 11.2.2.1): select the .p7c file you created in § 11.2.2.1 containing the trust chain RTE Root CA / RTE Client CA.

If you followed the process on Internet Explorer (§ 11.2.2.2): select the .p7b file you created in § 11.2.2.2 containing the trust chain RTE Root CA / RTE Client CA.


Click “Open” and the window below is displayed:

To see the content of the RTE Root CA’s certificate, you must select it. If you click on “Advanced Details…”, a window shows you the details of the selected certificate:

To ensure that you import the real RTE Root CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.


Digital hash of the certificate “RTE Root Certification Authority”
SHA1: 00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff

If this is not the case: click “Close” to go back to the previous window and click “Cancel”, then call RTE’s Hotline (cf § 14.1). If this is the case, click “Close” to return to the initial window: “Import Internet Certificates”.

To see the content of the RTE Client CA’s certificate, you must select it. If you click on “Advanced Details…”, a window shows you the details of the selected certificate:

To ensure that you import the real RTE Client CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate “RTE Client Certification Authority”
SHA1: C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed

If this is not the case: click “Close” to go back to the previous window and click “Cancel”, then call RTE’s Hotline (cf § 14.1). If this is the case, click “Close” to return to the initial window: “Import Internet Certificates”.


Click “Accept All”.

Click “OK”, the certificates have successfully been imported.
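The SHA1 comparison requested in the steps above can also be made on a certificate file saved to disk, such as the “.cer” file downloaded for RTE Historical CA, before it is imported into Notes. The script below is an added example and not part of RTE's guide or tooling: it assumes a file holding a single certificate (PEM, bare Base64 or binary DER, not a “.p7b”/“.p7c” bundle), its function names are hypothetical, and the embedded sample bytes are constructed and are not a real certificate.

```python
"""Compare a CA certificate file's SHA-1 fingerprint with the values printed in this guide."""
import base64
import hashlib
import hmac
import re
import sys

# Fingerprints copied as printed in the guide (mixed case, colon-separated).
PUBLISHED_SHA1 = {
    "RTE Certification Authority":
        "39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12",
    "RTE Root Certification Authority":
        "00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff",
    "RTE Client Certification Authority":
        "C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed",
}

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def normalize(fingerprint):
    """Turn 'AA:bb:...' into 40 lowercase hex digits so case and colons do not matter."""
    digits = re.sub(r"[:\s]", "", fingerprint).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", digits):
        raise ValueError("a SHA-1 fingerprint is exactly 40 hex digits")
    return digits


def check_outer_sequence(der):
    """Reject input whose outer DER SEQUENCE length does not cover the whole file."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: length in one byte
        header, length = 2, first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("bad DER length field")
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError("truncated file or trailing data")


def to_der(data):
    """Return DER bytes from a PEM-armoured, bare Base64, or binary DER file."""
    match = PEM_RE.search(data)
    if match:
        der = base64.b64decode(b"".join(match.group(1).split()), validate=True)
    elif data[:1] == b"\x30":
        der = data
    else:
        der = base64.b64decode(b"".join(data.split()), validate=True)
    check_outer_sequence(der)
    return der


def sha1_fingerprint(data):
    """SHA-1 over the DER encoding, the value certificate viewers display."""
    return hashlib.sha1(to_der(data)).hexdigest()


def identify(data):
    """Return the published CA name whose fingerprint matches, or None."""
    actual = sha1_fingerprint(data)
    for name, published in PUBLISHED_SHA1.items():
        if hmac.compare_digest(actual, normalize(published)):
            return name
    return None


def constructed_sample():
    """Stand-in bytes with a valid outer SEQUENCE header; NOT a real certificate."""
    body = b"constructed-not-a-real-certificate"
    der = b"\x30" + bytes([len(body)]) + body
    pem = (b"-----BEGIN CERTIFICATE-----\n"
           + base64.encodebytes(der)
           + b"-----END CERTIFICATE-----\n")
    return der, pem


if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as handle:
            blob = handle.read()
    else:
        blob = constructed_sample()[1]
    print(sha1_fingerprint(blob), "->",
          identify(blob) or "NO MATCH with the published values")
```

Run it with the path of the saved certificate file as its only argument; with no argument it processes the constructed sample, which matches none of the published values.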

11.3 Installing your personal certificate signed by RTE Historical CA

Follow the steps below only if your personal certificate is signed by RTE Historical CA (see §9.1).

Creation of a PKCS#12 file readable by Notes

Lotus Notes can install a certificate and its associated private key only from a PKCS#12 file that contains the trust chain (RTE Historical CA / personal certificate). This is not the case for the file “name_certificate.p12” you downloaded when you retrieved your certificate.


To generate a file accepted by Lotus Notes, install RTE CA’s certificate and your certificates in a browser and then export your personal certificate as a PKCS#12 file. Depending on the browser you are using, perform one of the procedures below.

With Microsoft Internet Explorer:
o Install the three certificates of RTE CAs, see §4.2.
o Install your personal certificate, making sure to check the box “Mark this key as exportable”, see §4.3.
o Export your certificate in a PKCS#12 file, making sure to check the box “Include all certificates in the certification path if possible”, see §4.5.1.

With Mozilla Firefox:
o Install the three certificates of RTE CAs, see §5.2.
o Install your personal certificate, see §5.3.
o Export your certificate to a PKCS#12 file, see §5.5.2 (the trust chain will automatically be included).

Installing the PKCS#12 file in Notes

Start Lotus Notes and go to “File > Security > User Security…”:

If requested, enter your Notes password.


The following window appears:

Click “Your Identity” then “Your Certificates”:

Select “Your Internet Certificates” in the drop-down list to display the Internet certificates already imported.


Click the “Get Certificates…” button and select “Import Internet Certificates…”:

A window appears asking you to select a PKCS#12 file (extension “.pfx” or “.p12”). Select the file you generated at §11.3.1 containing your personal certificate, its private key and RTE Historical CA certificate:


Click “Open” and in the window below choose the format PKCS 12:

Click “Continue”. The PKCS12 file’s password is requested:

Click “OK” and the window below is displayed:

The certificate you want to import and the certificate of RTE Historical CA are listed. If you click “Advanced Details…” the content of the selected certificate (yours) appears in the window:


Click “Close” to go back to the previous window. To see the content of RTE Historical CA’s certificate, you must select it:

And click “Advanced Details…”:


To ensure that you are installing the real RTE Historical CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate “RTE Certification Authority” SHA1 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12

If this is not the case: click “Close” to go back to the previous window and click “Cancel”, then call RTE’s Hotline (cf § 14.1). Click “Close” to go back to the main screen:

Click “Accept All”. If necessary, enter your Notes password and click “OK”.


Click “OK”, the window below appears:

The certificate, now visible here, has successfully been imported. Click “OK” to end the import.


Visualization of the certificate

To view your certificate, in Lotus Notes access the menu “File > Security > User Security…”, then click the item “Your Identity” and “Your Certificates”. Select “Your Internet Certificates” in the drop-down list.

Select your personal certificate and click the “Advanced Details…” button. The certificate’s details are then presented in the window below:

To view RTE Historical CA’s certificate, in Lotus Notes access the menu “File > Security > User Security…”, then click the item “Your Identity” and “Your Certificates”. Select “All Internet Certificates” in the drop-down list.


To see the content of RTE Historical CA’s certificate, you must select it, and click “Advanced Details…”:

To ensure that you have downloaded the real RTE Historical CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate “RTE Certification Authority” SHA1 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12

If this is not the case: click “Close” to go back to the previous window and click “Cancel”, then call RTE’s Hotline (cf § 14.1).


11.4 Installing your personal certificate signed by the new PKI of RTE

Follow the steps below only if your personal certificate is signed by RTE’s new PKI (see §9.1).

Creation of a PKCS#12 file readable by Notes

Lotus Notes can install a certificate and its associated private key only from a PKCS#12 file that contains the trust chain (RTE Root CA / RTE Client CA / personal certificate). This is not the case for the file “name_certificate.p12” you downloaded when you retrieved your certificate. To generate a file accepted by Lotus Notes, install RTE CA’s certificate and your certificates in a browser and then export your personal certificate as a PKCS#12 file. Depending on the browser you are using, perform one of the procedures below.

With Microsoft Internet Explorer:
o Install the three certificates of RTE CAs, see §4.2.
o Install your personal certificate, making sure to check the box “Mark this key as exportable.”, see §4.3.3.
o Export your certificate in a PKCS#12 file, making sure to check the box «Include all certificates in the certification path if possible», see §4.5.1.

With Mozilla Firefox:
o Install the three certificates of RTE CAs, see §5.2.
o Install your personal certificate, see §5.3.
o Export your certificate to a PKCS#12 file, see §5.5.2 (the trust chain will automatically be included).


Installing the PKCS#12 file in Notes

Start Lotus Notes and go to “File > Security > User Security…”:

If requested, enter your Notes password.


The following window appears:

Click “Your Identity” then “Your Certificates”:

Select “Your Internet Certificates” in the drop-down list to display the Internet certificates already imported.


Click the “Get Certificates…” button and select “Import Internet Certificates…”:

A window appears asking you to select a PKCS#12 file (extension “.pfx” or “.p12”). Select the file you generated at §11.4.1 containing your personal certificate, its private key and RTE Root CA and RTE Client CA certificates:


Click “Open” and in the window below choose the format PKCS 12:

Click “Continue”. The PKCS12 file’s password is requested:

Click “OK” and the window below is displayed:

The certificate you want to import and the trust chain are listed. If you click “Advanced Details…” the content of the selected certificate (yours) appears in the window:


Click “Close” to go back to the previous window.

To see the content of the RTE Root CA’s certificate, you must select it.


If you click on “Advanced Details…”, a window shows you the details of the selected certificate:

To ensure that you have downloaded the real RTE Root CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate “RTE Root Certification Authority” SHA1 00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff

If this is not the case: click “Close” to go back to the previous window and click “Cancel”, then call RTE’s Hotline (cf § 14.1). Click “Close” to return to the initial window: “Import Internet Certificates”.

To see the content of the RTE Client CA’s certificate, you must select it. If you click on “Advanced Details…”, a window shows you the details of the selected certificate:


To ensure that you have downloaded the real RTE Client CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate “RTE Client Certification Authority” SHA1 C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed

If this is not the case: click “Close” to go back to the previous window and click “Cancel”, then call RTE’s Hotline (cf § 14.1). If this is the case, click “Close” to return to the initial window: “Import Internet Certificates”:

Click “Accept All”. If necessary, enter your Notes password and click “OK”.


Click “OK”, the window below appears:

The certificate, now visible here, has successfully been imported. Click “OK” to end the import.


Visualization of the certificate

To view your certificate, in Lotus Notes access the menu “File > Security > User Security…”, then click the item “Your Identity” and “Your Certificates”. Select “Your Internet Certificates” in the drop-down list.

Select your personal certificate and click the “Advanced Details…” button. The certificate’s details are then presented in the window below:

To view RTE Root CA and RTE Client CA’s certificates, in Lotus Notes access the menu “File > Security > User Security…”, then click the item “Your Identity” and “Your Certificates”. Select “All Internet Certificates” in the drop-down list.


To see the content of the RTE Root CA’s certificate, you must select it. If you click on “Advanced Details…”, a window shows you the details of the selected certificate:

To ensure that you have downloaded the real RTE Root CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.


Digital hash of the certificate “RTE Root Certification Authority” SHA1 00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff

If this is not the case: click “Close” to go back to the previous window and call RTE’s Hotline (cf § 14.1). Click “Close” to return to the initial window.

To see the content of the RTE Client CA’s certificate, you must select it. If you click on “Advanced Details…”, a window shows you the details of the selected certificate:

To ensure that you have downloaded the real RTE Client CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.

Digital hash of the certificate “RTE Client Certification Authority” SHA1 C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed

If this is not the case: click “Close” to go back to the previous window and call RTE’s Hotline (cf § 14.1). Click “Close” to return to the initial window.
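The SHA1 comparisons requested in §11.3 and §11.4 can also be done by script on an exported CA certificate file. The code below is an added example, not part of RTE's guide: it computes the SHA-1 fingerprint of a PEM or DER certificate and compares it with the three values printed in this chapter, ignoring case and separators. The function names are assumptions, and the sample PEM wraps the constructed bytes "abc" instead of a real certificate.

```python
import base64
import hashlib
import hmac
import re

# Reference fingerprints copied from this guide, mixed case included.
PUBLISHED_SHA1 = {
    "RTE Certification Authority":
        "39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12",
    "RTE Root Certification Authority":
        "00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff",
    "RTE Client Certification Authority":
        "C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed",
}

_PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)


def to_der(cert_bytes: bytes) -> bytes:
    """Return the DER encoding of a certificate supplied as PEM or DER."""
    match = _PEM_BLOCK.search(cert_bytes)
    if match is None:
        return cert_bytes  # no PEM armour found: treat the input as DER
    body = b"".join(match.group(1).split())  # drop line breaks and spaces
    return base64.b64decode(body, validate=True)


def normalize(fingerprint: str) -> str:
    """Canonical form of a SHA-1 fingerprint: 40 lowercase hex digits."""
    digits = re.sub(r"[\s:.-]", "", fingerprint).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", digits):
        raise ValueError(f"not a SHA-1 fingerprint: {fingerprint!r}")
    return digits


def sha1_fingerprint(cert_bytes: bytes) -> str:
    """Fingerprint in the AA:BB:... form shown by certificate viewers.

    The hash is taken over the whole DER-encoded certificate.
    """
    digest = hashlib.sha1(to_der(cert_bytes)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_fingerprint(displayed: str, published: str) -> bool:
    """Compare two fingerprints regardless of case and separators."""
    return hmac.compare_digest(normalize(displayed), normalize(published))


def identify_ca(cert_bytes: bytes):
    """Return the name of the published RTE CA this file matches, or None."""
    actual = sha1_fingerprint(cert_bytes)
    for name, published in PUBLISHED_SHA1.items():
        if same_fingerprint(actual, published):
            return name
    return None


# Constructed sample: PEM armour around base64("abc"), NOT a real certificate.
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(sha1_fingerprint(SAMPLE_PEM))
    print(identify_ca(SAMPLE_PEM))  # None: the sample is not an RTE CA
```

A result of `None` from `identify_ca` corresponds to the "this is not the case" branch of the procedure: cancel the import and call the Hotline.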

11.5 Email account configuration

If you have several certificates that can be used to sign the messages you send, you have to set as default the one that will be used for exchanges with RTE. In Lotus Notes, open the menu “File > Security > User Security…”, then click “Your Identity” and “Your Certificates”:


Select “Your Internet Certificates” in the drop-down list to display your Internet certificates that are already imported. Select your certificate and click the “Advanced Details” button.

If you only have one certificate, the box “Use this certificate as your default signing certificate” will be greyed out and checked. If not, check it, as above, and click “OK”.


11.6 Installing RTE’s application certificate

The first time you select a signed and encrypted message you have received, a dialog box similar to the one below appears, allowing you to give your trust to the issuer:

For this, you must click on the “Cross certify” button. Then, when you display this signed received message, you will need to choose the “Add Sender to Contacts…” feature, which will add the issuer and its certificate to your Address Book.


The following window appears:

Just verify that the box “Include X.509 certificates when encountered” is checked and click “OK”.

Whenever an encrypted email is sent to this application, its installed certificate will now automatically be selected to perform the encryption.

11.7 Using the certificate: sending a signed-encrypted email

When composing a message, you can sign and encrypt it if you have your own certificate and your correspondent's certificate (see the import procedure for your certificate above).

To do so, when you write a new message, click the “Delivery Options” button and check the “Sign” and “Encrypt” boxes as shown below:


Click “OK”. That is all, Notes then automatically signs and encrypts your message.


F. APPENDIXES


12. Secure environment (PKI)

This appendix describes the secure environment in which the PKI is operated. It describes in particular:

the concepts of secure environment and the corresponding data objects handled by the PKI,

the role of the various entities involved in the operation process of a PKI.

12.1 Concepts and objects managed by a PKI

This appendix presents the key concepts for understanding the role of objects managed by a PKI:

presentation of the principles structuring a safe process,

the role of dual-keys,

certificates.

What is a secure process?

Definition of a PKI

With a PKI (Public Key Infrastructure), each holder has a pair of keys - a private key, known only by its owner, and a public key - linked by a complex mathematical relationship that makes it virtually impossible to determine the private key from knowledge of the public key alone. This means that the probability of determining the private key from the public key in a reasonable time is very low. Data encrypted with a key (typically, the public key) can only be decrypted with the other (typically the private key). It is on the basis of this principle that the confidentiality of the messages exchanged is assured. This process is commonly called "asymmetric cryptography" as opposed to "symmetric cryptography" that uses a common key for both encryption and decryption.

The four pillars of information exchange security

This electronic identity card aims at establishing an environment of trust whose four pillars are:

authentication identifies parties in a sure and reliable way,

confidentiality prevents non-recipients from reading the data,

integrity ensures that data has not been altered,

non-repudiation makes it impossible for a party to refute the transmitted information.

The cryptographic solution

Because of the technology used (protocols, architectures, etc.), the information circulating on the Internet is not confidential. Nor do these technologies make it possible to meet the other three security requirements set out above. To preserve the confidentiality of exchanges via the Internet, the data must be rendered incomprehensible to all, except for the recipients. Encryption is the right solution.


Data encryption naturally goes together with the authentication of the system’s users. While some data are confidential, it is necessary for issuers and recipients of this information to authenticate safely and unequivocally, to conduct secure exchanges. Authentication is based on the possession of a certificate. This element is issued by a Certification Authority that stakeholders of a transaction trust (in our case, the Certification Authority is RTE). Thus, the holders can have confidence in the information provided to them and RTE knows that only authorized holders access the information.

NOTE In a similar process, in daily life, it is necessary to provide a piece of identification issued by an authority to access certain privileges reserved for citizens of the country (expensive purchases, voting, etc.).

The importance of dual-keys

Each holder has a public key and an associated private key.

The private key is a key that the holder must keep confidential. He is the only one who possesses it and is able to use it. He does not necessarily know it himself (for example: it may be stored in a smart card that it cannot leave, with access to the card protected by a PIN code known only to its owner).

The public key, as its name suggests, is public and can be communicated to all. The public keys of holders are used only to encrypt messages intended for them. If an encrypted message was intercepted, it would be without consequence on its confidentiality as it cannot be decrypted (in a reasonable time) by a person not having the associated private key.

The private key enables its owner to sign a message he sends and to decrypt an encrypted message he receives. In contrast, the public key of a person is used to encrypt a message sent to him and to verify the signature of a message he receives.

Encryption and decryption of a message

Each message is encrypted with the public key of the recipient, who will decrypt it with his private key. When RTE sends a message to the client A:

1. RTE has the public key of client A (via the public part of the certificate).
2. RTE automatically encrypts the message using the public key of client A and sends it via RTE’s email system.
3. Client A receives the message and automatically decrypts it with his private key.


Encryption and decryption with dual-keys.

The usage of keys to sign a message

Each message is signed with the private key of the issuer. The origin (the signature) of a message can be checked with the public key of the issuer, freely accessible via its certificate. To prove to client A that the received message is actually from RTE, RTE automatically signs the message with its (RTE’s) private key before sending it to the client A.

Signing and signature verification with dual-keys.

When the client A receives the message from RTE, it automatically verifies the signature of the received message with the public key of RTE.
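The exchange described in the two sections above (RTE signs with its private key and encrypts with client A's public key, then client A decrypts and verifies) is shown below as an added example that is not part of RTE's guide. It assumes textbook RSA without padding on small fixed primes, chosen only to keep the arithmetic visible; real S/MIME mail uses padded signatures and encrypts a symmetric key, not the message itself. All function names and the message are constructed.

```python
import hashlib

E = 65537  # public exponent shared by both toy key pairs


def make_keypair(p: int, q: int):
    """Return (public, private) = ((n, e), (n, d)) from two primes."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return (n, E), (n, d)


def _digest(message: bytes, n: int) -> int:
    # Assumption of this toy: the SHA-256 hash is reduced mod n, unpadded.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private) -> int:
    """Issuer side: only the private key can produce this value."""
    n, d = private
    return pow(_digest(message, n), d, n)


def verify(message: bytes, signature: int, public) -> bool:
    """Recipient side: anyone holding the public key can check it."""
    n, e = public
    return pow(signature, e, n) == _digest(message, n)


def encrypt(message: bytes, public) -> int:
    """Sender side: uses the recipient's public key."""
    n, e = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)


def decrypt(ciphertext: int, private) -> bytes:
    """Recipient side: only the matching private key recovers the text."""
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def run_exchange(message: bytes) -> dict:
    # Constructed keys built from known Mersenne primes (toy sizes).
    rte_public, rte_private = make_keypair(2**61 - 1, 2**127 - 1)
    a_public, a_private = make_keypair(2**89 - 1, 2**107 - 1)

    # RTE: sign with RTE's private key, encrypt with client A's public key.
    signature = sign(message, rte_private)
    ciphertext = encrypt(message, a_public)

    # Client A: decrypt with A's private key, verify with RTE's public key.
    plaintext = decrypt(ciphertext, a_private)
    return {
        "plaintext": plaintext,
        "signature_valid": verify(plaintext, signature, rte_public),
        # A modified message no longer matches RTE's signature.
        "tampered_valid": verify(plaintext + b"!", signature, rte_public),
        # A party holding a different private key cannot read the message.
        "wrong_key_reads_message":
            decrypt(ciphertext, rte_private) == message,
    }


if __name__ == "__main__":
    for key, value in run_exchange(b"RTE message for A").items():
        print(key, value)
```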


Certificates

Objectives of digital certificates

Since public keys are used to verify electronic signatures and encrypt messages, it is essential for any holder to be certain of the identity of the owner of a public key: this is the role of the certificate.

Characteristics of a certificate

A certificate is a digital ID:

that guarantees the identity of the holder from a remote site,

that includes data facilitating the identification,

that is resistant to counterfeit and issued by a trusted third party: the Certification Authority.

A Certification Authority is an entity that creates and manages certificates. It defines the rules for registering the various holders in the PKI.

Structure of a certificate

A digital certificate contains:

the public key of its holder,

the name of the holder and any other identification information (email address of the person if the certificate is used to sign emails),

the certificate’s period of validity,

the name of the certification authority that issued the certificate,

a unique serial number,

the signature of the certification authority.


Examples of certificates

A digital certificate on Internet Explorer


A digital certificate on Mozilla Firefox

12.2 Documentation

Reference documentation:

Subscription contract to RTE’s secure Information System.

Websites: http://www.legifrance.gouv.fr/

Law of 13th March 2000 on the adaptation of the law of evidence to information technologies and on electronic signature: http://www.assemblee-nat.fr/

Directive 1999/93/CE of 13th December 1999 on a Community framework for electronic signatures: http://europa.eu/

Draft decree on electronic signatures: http://www.internet.gouv.fr/

OpenTrust (formerly Keynectis): https://www.opentrust.com/

13. Glossary

When the holder first comes into contact with his new secure environment, he will be faced with specific terminology, the terms of which are described in this section:

Authentication: Checking the validity of the claimed identity of a user, a device or other entity in an information or communication system.

Certificate: A digital certificate plays the role of an electronic identity (e-passport). It guarantees the identity of its owner in electronic transactions and contains all the information enabling the identification (name, possibly company, address, etc.). A digital certificate is composed of a public key and personal information about the holder, all signed by a Certification Authority.

Certificate store: Secure hardware or software container for storing a user's private key and its associated certificates, website certificates, other users’ certificates and CA certificates. This container is usually protected by a password or PIN that may have to be entered at each use of a private key, depending on the expected level of security.

Certification Authority: A Certification Authority (CA) is an entity that issues digital certificates, the electronic equivalents of identity documents, to a population. By distributing digital certificates, the Certification Authority, or Trust Authority, serves as a moral guarantor by vouching for the identity of a person through the certificate it issues to him. Depending on the standing of the Certification Authority, the certificate will have a more or less extensive field of application: limited to a company’s internal exchanges (like a company badge) or used in relations with other organizations and administrations (like a national identity card or passport).

Confidentiality: Property of data or information that is not disclosed or made available to unauthorized persons.

Cryptography: Discipline including the principles, means and methods of processing data in order to hide its semantic content, establish its authenticity, prevent its modification from going unnoticed, prevent repudiation and prevent its unauthorized use.

Electronic signature: The electronic signature of a document is the signing with the private key of a digital summary of this document (obtained by applying a hash function), which cannot then be modified without this being visible. As with a handwritten signature, the signatory is liable for it.

Encryption / Decryption: Transformation of data using cryptography to make it unintelligible in order to ensure confidentiality / the inverse transformation.

HTTPS: HTTPS is the secure version (S for "secured") of the HTTP protocol used in all web browsers to exchange information over the Internet.

Integrity: Ensuring that data or information has not been modified or altered in an unauthorized manner.

Non-repudiation: Property obtained with cryptographic methods to prevent a person from denying having performed a particular action on the data (for example: non-repudiation of origin, certification requirement, intent or commitment, establishment of property).

PKCS#12: File format used to store a private key and its associated certificate, protected by a password. The file extension is usually ".p12" or ".pfx".

Private key: Secret digital quantity attached to a person, allowing him to decrypt messages received that were encrypted with the corresponding public key, or to affix a signature to messages sent.

Public key: Digital quantity attached to a person, who distributes it to other people so that they can send him encrypted data or verify his signature.

Revocation: Revocation is the process that withdraws the guarantee given by the Certification Authority for a certificate, carried out at the request of the subscriber or any other authorized person. The request may result from different types of events, such as compromise or destruction of the private key, a change in the information contained in the certificate, or failure to comply with the certificate usage rules.

Root Certification Authority: The certification authority with the highest level of trust in the company is called the root. This authority is able to certify other certification authorities, which are then called intermediates. It is the main component of an infrastructure based on security certificates.

S/MIME (Secure / Multipurpose Internet Mail Extensions): S/MIME is a standard for the encryption and digital signature of emails. It provides integrity, authentication, non-repudiation and confidentiality of data.

Trusted site: Determines the security settings applied by a browser when accessing a site. If a site is declared as a "trusted site", the browser will apply, for example, a lower level of security than for a site belonging to the "Internet" zone, which potentially carries threats.

Virtual Private Network (VPN): A VPN (Virtual Private Network) allows local, remote networks to be interconnected via a tunnel technique. The tunnel is a secure communication channel through the internet in which data travels in encrypted form.

14. Incidents management and support

In case of an incident, the company manager contacts the hotline (see §13.1), which will diagnose the problem and forward it to the relevant technical correspondent. The hotline will provide the solution to the company manager and, if necessary, assist with the steps indicated to regain access to RTE’s Information System.

14.1 Support

For any inquiries, customers can contact the RTE Hotline at:

00 800 80 50 50 50

Or from France at:

08 10 80 50 50

14.2 Frequently Asked Questions (FAQ)

A Frequently Asked Questions section is available on the certificates retrieval website at the address: https://kregistration-user.certificat2.com/kreg-resources/CSS/RTE/RTE/faq_utilisateur_fr.html

14.3 Error codes returned by email

In an exchange of emails between the user and an application, when the certificate was generated and installed using the procedures described in this document, it is possible that a functional error appears. In this case, the element in question (a server or a gateway) returns an error code by email. The subject line of error messages returned by RTE’s cryptographic gateway has the following format:

<ERR:nnn!!<Intitulé-FR>!!<Title-EN>> <Subject-of-the-original-message>

| nnn | Description | Possible cause |
|-----|-------------|----------------|
| 001 | The email sent by the client was not signed nor encrypted | You did not check the boxes "signed" and "encrypted" in your email program when sending email |
| 002 | The email sent by the client was only encrypted | You did not check the "signed" box in your email software |
| 003 | The email sent by the client was only signed | You did not check the "encrypted" box in your email software |
| 004 | The email sent by the client was only signed and the signature used is incorrect | You did not check the "encrypted" box in your email software and the certificate used to sign is invalid or unknown |
| 005 | The email sent by the client was signed and encrypted, but the signature used is incorrect | The signing certificate that you used is invalid or unknown |
| 006 | The email sent by the client cannot be decrypted by RTE | The certificate that you used to encrypt the email is invalid |
| 007 | The email sent by RTE failed to be delivered to the client because of a security issue | RTE internal problem |

<Intitulé-FR>: Error title in French.

<Title-EN>: Error title in English.

<Subject-of-the-original-message>: Subject of the original message that provoked the error.
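The following Python parser is an added example, not part of RTE's guide: it splits a gateway error subject into its fields and maps the code to the corrective action implied by the table above. It assumes that the outer `<ERR:` and `>` and the `!!` separators are literal while the inner angle-bracketed names are placeholders; the sample subject and both of its titles are constructed.

```python
import re
from typing import NamedTuple, Optional

# Codes, descriptions and actions derived from the table in section 14.3.
GATEWAY_ERRORS = {
    "001": ("not signed nor encrypted", ("enable signing", "enable encryption")),
    "002": ("only encrypted", ("enable signing",)),
    "003": ("only signed", ("enable encryption",)),
    "004": ("only signed, signature incorrect",
            ("enable encryption", "check signing certificate")),
    "005": ("signed and encrypted, signature incorrect",
            ("check signing certificate",)),
    "006": ("cannot be decrypted by RTE", ("check encryption certificate",)),
    "007": ("delivery to client failed (RTE internal problem)", ()),
}

# Assumption: "<ERR:", "!!" and the closing ">" are literal characters;
# <Intitulé-FR>, <Title-EN> and <Subject-...> are placeholders for free text.
SUBJECT_RE = re.compile(r"<ERR:(\d{3})!!(.*?)!!(.*?)> ?(.*)")


class GatewayError(NamedTuple):
    code: str
    title_fr: str
    title_en: str
    original_subject: str
    description: str
    actions: tuple


def parse_gateway_subject(subject: str) -> Optional[GatewayError]:
    """Return the parsed error, or None if the subject is not an error reply."""
    match = SUBJECT_RE.fullmatch(subject.strip())
    if match is None:
        return None
    code, title_fr, title_en, original = match.groups()
    # Codes outside the documented 001-007 range are reported, not guessed at.
    description, actions = GATEWAY_ERRORS.get(code, ("undocumented code", ()))
    return GatewayError(code, title_fr, title_en, original, description, actions)


# Constructed sample subject; the two titles are invented for illustration.
SAMPLE = "<ERR:004!!Signature invalide!!Invalid signature> Weekly nomination file"

if __name__ == "__main__":
    print(parse_gateway_subject(SAMPLE))
```

Treat the parsed values as a troubleshooting hint: the subject line alone does not prove that the message came from the gateway.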

END OF DOCUMENT