
Welcome to the help site for the use of PKI certificates



Subject of the site

This site is intended for end users who wish to access RTE's IS using software certificates under Microsoft Windows. This site allows the holder to:

  • Understand the context and principles of a secure environment (authentication, confidentiality, integrity and non-repudiation), as well as the general operation of a public key infrastructure (PKI).
  • Know how to install and use software certificates in the following environments:

    • Microsoft Windows.
    • Browsers: Internet Explorer and Mozilla Firefox for secure access with the HTTPS protocol.
    • Email clients: Microsoft Outlook, IBM Lotus Notes, Mozilla Thunderbird for secure exchanges in S/MIME format (a cryptographic and digital signature standard for MIME-encapsulated email).
NOTE

Throughout this site, the pronoun "you" represents the user of the certificate.

Context

Under the law of February 10, 2000 (2000-108) and its implementing decree 2001-630 of July 16, 2001, the manager of the public transport network has the obligation to preserve the confidentiality of information of an economic, commercial, industrial, financial or technical nature, the disclosure of which would be likely to undermine the rules of free and fair competition and non-discrimination imposed by law.

Security practices warning

Each software certificate holder has his own private key. The set (certificate and associated private key) is generated by RTE and made available to the holder for download as a password-protected file (PKCS#12 file, extension ".p12"). Then, each software certificate holder takes all the necessary precautions to prevent:

Each private key and its associated certificate must be stored on hard disk and protected by a password known only to the holder. The RTE Certification Authorities (CAs) (below) disclaim all liability for disputes relating to misuse of private keys.

The actors

The lifecycle management of a certificate is organized around three entities:

NOTE
To better understand, we can draw the parallel with the attribution of official credentials: the citizen requesting a credential corresponds to the client entity, the town hall is the registration authority and the prefecture is the certification authority.


The user

Any natural person or representative of a legal entity making certificate requests for its holders. The user may also issue revocation requests for these certificates (see next section: Certificate Management Procedures).


The Registration Authority (RA)

The Registration Authority (the RTE Customer Relationship Manager and the Operator Team) collects the certificate request, sets the validity date of the certificates and verifies the identity of their holders.


The RTE Historical Certification Authority (CA)

The RTE Historical Certification Authority is responsible for and guarantees the certificates signed on its behalf and the operation of the old PKI.
The RTE Historical Certification Authority is named (CN: Common Name, O: Organization):
CN = RTE Certification Authority, O = ELECTRICITY TRANSPORT NETWORK


The RTE Root Certification Authority (CA)

The RTE Root Certification Authority is responsible for and guarantees the certificates signed on its behalf and the operation of the new PKI. It defines the policy for the management and use of certificates.
The RTE Root Certification Authority is named (CN: Common Name, O: Organization):
CN = RTE Root Certification Authority, O = ELECTRICITY TRANSPORT NETWORK


The RTE Client Certification Authority (CA)

The RTE Client Certification Authority is responsible for and guarantees the certificates signed on its behalf and the operation of the new PKI.
The RTE Client Certification Authority is named (CN: Common Name, O: Organization):
CN = RTE Client Certification Authority, O = ELECTRICITY TRANSPORT NETWORK


Foreword

The main processes used to manage all the digital certificates issued to holders are:

  • Obtaining a certificate,
  • The renewal of a certificate (replacement by a new certificate for a new validity period and a new key pair)
  • The revocation of a certificate (end of certificate validity).

Software certificate request

Preliminary steps

The following steps must be performed beforehand.

  1. The user issues an access request:
  2. The user must complete the request form “Request a PKI certificate (access to RTE IS)”.

    In this form, the user specifies:

    • A “Contact email”, which will receive all information necessary to retrieve the certificate (here),
    • A “Certificate email”,
    • A “Chosen password”, necessary for the retrieval of the certificate by the holder
  3. We register your request:
  4. Following receipt of the form we have created your account(s) to access the applications.


General diagram

After the access request has been saved and validated by us (within 24 hours), a notification email is sent to the address "Contact Email" entered in the access request form (here). This email is entitled "Access to RTE’s IS services" and contains:

In case of loss or non-receipt of this message, contact RTE’s Hotline (here).

Sequence of exchanges

Exchange scenarios

The holder connects from his workstation to the certificate retrieval website and downloads his private key and the associated certificate to his workstation in the form of a PKCS#12 file.

Certificates renewal

The lifespan of the certificates is limited to 3 years, to ensure a high level of security.

Forty days before the expiration date of a certificate, an electronic message is sent to the “Contact email” to inform the holder of the forthcoming expiry of his software certificate.

If changes must be made to the holder’s information, the user contacts RTE’s customer relationship manager to inform him of the changes.

Otherwise, an email is sent to the contact email with the information necessary for the retrieval of his new certificate.

Certificates revocation

Case of revocation

The user must issue a revocation request when any of the following occurs:

Revocation request

To revoke a certificate, the user should call RTE’s Hotline (here).

When the certificate is revoked, an email is sent to the “Contact email” to notify the holder of the revocation of his certificate.


All operations of this chapter are to be performed only once by a computer specialist with Administrator privileges on your workstation, upon receipt of your "PKI Access Kit".

Also note that only a few chapters of this manual concern you: the chapters corresponding to the software you use.

All operations are done under the Windows Session of the certificate holder.

General configuration

The web browser access uses - in a way that is transparent to the user - a software certificate authentication system for access to the RTE portal and encryption of data exchanged via the Internet (HTTPS protocol).

Mail exchanges between RTE and the user are routed over the Internet (SMTP protocol, S/MIME format).

IMPORTANT NOTE

Messaging and antivirus gateways, firewalls and content analyzers should be configured not to alter or reject messages that are encrypted and signed with S/MIME (application/x-pkcs7-mime, .p7s, .p7m) and not to block HTTPS traffic (port 443).

The network administrator may be requested to perform these operations.

Software configuration

The software configuration required for your workstation is as follows:

Operating Systems:



Web browser either:

Email client either:
NOTE

In general, consulting messages on a webmail-like interface does not allow the user to sign his messages.

Please choose the type of certificate you have:

Secure environment (PKI)

This appendix describes the secure environment in which the PKI is operated. It describes in particular:
  • The concepts of secure environment and the corresponding data objects handled by the PKI,
  • The role of the various entities involved in the operation process of a PKI.

Concepts and objects managed by a PKI

This appendix presents the key concepts for understanding the role of objects managed by a PKI:
  • Presentation of the principles structuring a safe process,
  • The role of dual-keys,
  • Certificates.

What is a secure process ?

Definition of a PKI

With a PKI (Public Key Infrastructure), each holder has a pair of keys - a private key, known only to its owner, and a public key - linked by a complex mathematical relationship, making it virtually impossible to determine the private key from knowledge of the public key alone. This means that the probability of determining the private key from the public key in a reasonable time is very low.
Data encrypted with a key (typically, the public key) can only be decrypted with the other (typically the private key). The confidentiality of all exchanged messages is based on this principle. This process is commonly called "asymmetric cryptography" as opposed to "symmetric cryptography" that uses a common key for both encryption and decryption.


The four pillars of information exchange security

This electronic identity card aims at establishing an environment of trust whose four pillars are:
  • Authentication identifies parties in a sure and reliable way,
  • Confidentiality prevents non-recipients from reading the data,
  • Integrity ensures that data has not been altered,
  • Non-repudiation makes it impossible for a party to refute the transmitted information.

The cryptographic solution

Because of the technology used (protocols, architectures, etc.), the information circulating on the Internet is not confidential. Nor do these technologies meet the other three security requirements set out above.

To preserve the confidentiality of exchanges via the Internet, the data must be rendered incomprehensible to all, except for the recipients. Encryption is the right solution.

Data encryption naturally goes together with authentication of the system's users. Since some data are confidential, the issuers and recipients of this information must authenticate themselves safely and unequivocally in order to conduct secure exchanges.

Authentication is based on the possession of a certificate. This element is issued by a Certification Authority that the parties to a transaction trust (in our case, the Certification Authority is RTE). Thus, the holders can have confidence in the information provided to them and RTE knows that only authorized holders access the information.
NOTE

In a similar process, in daily life, it is necessary to provide a piece of identification issued by an authority to access certain privileges reserved for citizens of the country (expensive purchases, voting, etc.).

The importance of dual-keys

Each holder has a public key and an associated private key:
  • The private key is a key that the holder must keep confidential. He is the only one who possesses it and is able to use it. He does not necessarily know it himself (for example, it may be held in a smart card that it cannot leave, with access to the card protected by a PIN code known only to its owner).
  • The public key, as its name suggests, is public and can be communicated to all. The public keys of holders are used only to encrypt messages intended for them. If an encrypted message was intercepted, it would be without consequence on its confidentiality as it cannot be decrypted (in a reasonable time) by a person not having the associated private key.
The private key enables its owner to sign a message he sends and to decrypt an encrypted message he receives. In contrast, the public key of a person is used to encrypt a message sent to him and to verify the signature of a message he receives.


Encryption and decryption of a message

Each message is encrypted with the public key of the recipient, who decrypts it with his private key.

When RTE sends a message to the client A:
  1. RTE has the public key of client A (via the public part of the certificate).
  2. RTE automatically encrypts the message using the public key of client A and sends it via RTE’s email system.
  3. Client A receives the message and automatically decrypts it with his private key.
Figure 1.1.2.1 - 1: Encryption and decryption with dual-keys.


The usage of keys to sign a message

Each message is signed with the private key of the issuer. The origin (the signature) of a message can be checked with the public key of the issuer, freely accessible via its certificate.

To prove to client A that the received message is actually from RTE, RTE automatically signs the message with its (RTE’s) private key before sending it to client A.
Figure 1.1.2.1 - 2: Signing and signature verification with dual-keys.

When client A receives the message from RTE, it automatically verifies the signature of the received message with the public key of RTE.


Certificates

Objectives of digital certificates

Since public keys are used to verify electronic signatures and encrypt messages, it is essential for any holder to be certain of the identity of the owner of a public key: this is the role of certificates.

Characteristics of a certificate

A certificate is a digital ID:
  • That guarantees the identity of the holder from a remote site,
  • That includes data facilitating the identification,
  • That is resistant to counterfeit and issued by a trusted third party: the Certification Authority.

A Certification Authority is an entity that creates and manages certificates. It defines the rules for registering the various holders in the PKI.

Structure of a certificate

A digital certificate contains:
  • the public key of its holder,
  • the name of the holder and any other identification information (email address of the person if the certificate is used to sign emails),
  • the certificate’s period of validity,
  • the name of the certification authority that issued the certificate,
  • a unique serial number,
  • the signature of the certification authority.
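
The fields listed above, and the key-pair relationship described under "The usage of keys to sign a message", can be checked from PowerShell on the holder's Windows workstation. The following is an added example, not part of RTE's documentation or tooling: the function names and the self-signed test certificate are constructed for illustration, while the CA names, the 3-year lifetime and the 40-day renewal notice are the values stated on this page.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Constructed test input: a self-signed certificate built in memory (needs .NET
# Framework 4.7.2+ or PowerShell 7). A real holder certificate would be read from the
# downloaded .p12, e.g. (Get-PfxData -FilePath $p12 -Password $pw).EndEntityCertificates[0]
function New-ConstructedCertificate([string]$Subject, [datetime]$From, [datetime]$To) {
    $rsa = [RSA]::Create(2048)
    $req = [CertificateRequest]::new($Subject, $rsa, [HashAlgorithmName]::SHA256,
                                     [RSASignaturePadding]::Pkcs1)
    $req.CreateSelfSigned([DateTimeOffset]$From, [DateTimeOffset]$To)
}

# Dual-key check: sign with the private key, verify with the public key from the
# certificate, then confirm that a modified message no longer verifies.
function Test-KeyPair([X509Certificate2]$Cert, [string]$Message = 'constructed test message') {
    $hash = [HashAlgorithmName]::SHA256; $pad = [RSASignaturePadding]::Pkcs1
    $data = [Text.Encoding]::UTF8.GetBytes($Message)
    $sig  = [RSACertificateExtensions]::GetRSAPrivateKey($Cert).SignData($data, $hash, $pad)
    $pub  = [RSACertificateExtensions]::GetRSAPublicKey($Cert)
    $tampered = [Text.Encoding]::UTF8.GetBytes($Message + '!')
    [pscustomobject]@{
        OriginalVerifies = $pub.VerifyData($data, $sig, $hash, $pad)
        TamperedVerifies = $pub.VerifyData($tampered, $sig, $hash, $pad)
    }
}

# Reviews the certificate fields listed above against the values stated on this page.
function Test-HolderCertificate {
    param([X509Certificate2]$Cert, [string[]]$ExpectedIssuerCN,
          [int]$MaxYears = 3, [int]$NoticeDays = 40, [datetime]$Now = (Get-Date))
    $issuerCN = $Cert.GetNameInfo([X509NameType]::SimpleName, $true)   # $true = issuer name
    $findings = @()
    # A name match is only a first filter; trust comes from validating the CA's signature.
    if ($ExpectedIssuerCN -notcontains $issuerCN) { $findings += "unexpected issuer '$issuerCN'" }
    if ($Cert.NotAfter -gt $Cert.NotBefore.AddYears($MaxYears)) { $findings += "lifetime over $MaxYears years" }
    if (-not $Cert.HasPrivateKey) { $findings += 'no private key attached' }
    $daysLeft = [math]::Floor(($Cert.NotAfter - $Now).TotalDays)
    if ($daysLeft -lt 0) { $findings += 'expired' } elseif ($daysLeft -le $NoticeDays) {
        $findings += "expires in $daysLeft days (inside the renewal notice window)"
    }
    [pscustomobject]@{
        Subject = $Cert.Subject; Issuer = $Cert.Issuer; SerialNumber = $Cert.SerialNumber
        NotBefore = $Cert.NotBefore; NotAfter = $Cert.NotAfter
        PublicKey = $Cert.PublicKey.Oid.FriendlyName
        SignatureAlgorithm = $Cert.SignatureAlgorithm.FriendlyName
        Findings = $findings
    }
}

$now  = Get-Date
$cert = New-ConstructedCertificate -Subject 'CN=Constructed Test Holder' -From ($now.AddDays(-100)) -To ($now.AddDays(30))
# CA common names as listed on this page
$rteCAs = 'RTE Certification Authority', 'RTE Root Certification Authority', 'RTE Client Certification Authority'
Test-HolderCertificate -Cert $cert -ExpectedIssuerCN $rteCAs -Now $now | Format-List
Test-KeyPair -Cert $cert | Format-List
```

Because the constructed certificate is self-signed, the issuer check reports it; a certificate read from the real .p12 file would be passed to the same functions.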

Examples of certificates

Figure 1.1.3.4 - 1: A digital certificate on Internet Explorer

Figure 1.1.3.4 - 2: A digital certificate on Mozilla Firefox


Documentation

Reference documentation:
  • Subscription contract to RTE’s secure Information System.
Websites:

Glossary

When the holder starts working with his new secure environment, he will encounter specific terminology, the terms of which are described in this section:
  • Authentication
Checking the validity of the claimed identity of a user, a device or other entity in an information or communication system.
  • Certificate
A digital certificate plays the role of electronic identity (e-passport). It guarantees the identity of its owner in electronic transactions and contains all the information enabling the identification (name, possibly company, address, etc.). A digital certificate is composed of a public key and personal information about the holder, all signed by a Certification Authority.
  • Certificate store
Secure hardware or software container for storing a user's private key and its associated certificates, website certificates, other users’ certificates and CA certificates. This container is usually protected by a password or PIN that may have to be entered at each use of a private key, depending on the expected level of security.
  • Certification Authority
A Certification Authority (CA) is an entity that issues digital certificates, electronic equivalents of identity documents, to a population. By distributing digital certificates, the Certification Authority, or Trust Authority, acts as a guarantor by vouching for the identity of a person through the certificate it issues to him. Depending on the standing of the Certification Authority, the certificate will have a more or less extensive field of application: limited to a company’s internal exchanges (like a company badge) or used in relations with other organizations and administrations (like a national identity card or passport).
  • Confidentiality
Property of data or information that is not disclosed or made available to unauthorized persons.
  • Cryptography
Discipline including the principles, means and methods of data processing in order to hide their semantic content, establish their authenticity, prevent their modification from going unnoticed, prevent repudiation and prevent their unauthorized use.
  • Private key
Secret digital quantity attached to a person, allowing him to decrypt messages he receives that were encrypted with the corresponding public key, or to affix a signature to messages he sends.
  • Public key
Digital quantity attached to a person, who distributes it to other people so that they can send him encrypted data or verify his signature.
  • Encryption / Decryption
Transformation of data using cryptography to make them unintelligible in order to ensure confidentiality / the inverse transformation.
  • HTTPS
HTTPS is a secure version (S for "secured") of the HTTP protocol used in all web browsers to exchange information over the Internet.
  • Integrity
Ensuring that data or information has not been modified or altered in an unauthorized manner.
  • Non-repudiation
Property obtained with cryptographic methods to prevent a person from denying having performed a particular action on the data (for example: non-repudiation of origin, certification requirement, intent or commitment, establishment of property).
  • PKCS#12
File format used to store a private key and its associated certificate, protected by a password. The file extension is usually ".p12" or ".pfx".
  • Virtual Private Network (VPN)
A VPN (Virtual Private Network) allows an interconnection of local, remote networks via a tunnel technique. The tunnel is a secure communication channel through the internet and wherein data travels in an encrypted manner.
  • Revocation
Revocation is the process that withdraws the guarantee given by the Certification Authority for a certificate, at the request of the subscriber or any other authorized person. The request may be the result of different types of events such as compromise or destruction of the private key, a change in the information contained in the certificate, or failure to comply with the certificate usage rules.
  • S/MIME (Secure / Multipurpose Internet Mail Extensions)
S/MIME is a standard for encryption and digital signature of emails. It provides integrity, authentication, non-repudiation and confidentiality of data.
  • Electronic signature
The electronic signature of a document is an operation in which the signatory signs, with his private key, a digest of this document (obtained by applying a hash function), so that the document cannot be modified without this being visible. Like the handwritten signature, it engages the responsibility of the signatory.
  • Trusted site
Determines the security settings applied by a browser when accessing a site. If a site is declared as a "trusted site", the browser will apply, for example, a lower level of security than for a site belonging to the "Internet" zone, which potentially carries threats.

Contact us

For any inquiries, the user can contact the RTE Hotline at: 00 800 80 50 50 50

Or from France at: 08 10 80 50 50

Frequently Asked Questions (FAQ)

A Frequently Asked Questions section is available on the certificate retrieval website at the address:

https://kregistration-user.certificat2.com/kreg-resources/CSS/RTE/RTE/faq_utilisateur_fr.html