Microsoft Internet Explorer
Preliminary configuration
Configuration of the security settings
This section is about the configuration of the workstation to support the SSL standard, allowing access to sites with an encrypted connection (HTTPS protocol).
In the browser, select the menu " Tools > Internet Options ":
Select the tab " Advanced ":
In the section " Security ", make sure that the boxes TLS 1.0, TLS 1.1 and TLS 1.2 are ticked, as shown above.
Adding trusted sites
In order to log on to the web sites with your software certificate, it is imperative to add these sites to the list of trusted sites.
The Trusted Sites zone lets you declare the names of sites you consider safe.
In this section, you must be logged into the workstation with the Windows account that will use the software certificate.
To do this: open Internet Explorer and click the menu " Tools > Internet Options ".
In the window that appears, click the " Security " tab, select the " Trusted Sites " icon and click the " Sites " button.
The following window appears:
In the field " Add this website to the zone ", enter the URL corresponding to the PKI:
Then click " Add ".
The site then appears in the list " Websites " as shown below.
Proceed in the same way to add the following websites:
https://portail.iservices.rte-france.com: this is the internet portal
https://secure.iservices.rte-france.com: this is the SSL VPN connection portal
The 3 websites shall now appear in the list " Websites ".
Click " Close ", then " OK ".
Installing RTE’s CAs certificates
Download and install
RTE Certification Authority
This CA is the Historical CA of RTE, dealing with 2048-bit keys.
This CA is necessary to ensure the coexistence of the former and the new PKIs.
RTE Historical CA’s certificate must now be installed in your browser so that it is recognized as a trusted Certificate Authority.
IMPORTANT NOTE
It is imperative to respect the case (upper / lower case) of the site’s address.
The download window appears:
Click the " Save " button and choose a location to save the file " Certification_Autority_RTE_2048.cer " containing RTE Historical CA’s certificate.
Click " Open folder " to go to the directory where you saved the file.
Right-click the " Certification_Autority_RTE_2048.cer " file you just downloaded and choose " Install Certificate ".
The installation wizard of the certificate is displayed:
Click " Next ".
Select " Place all certificates in the following store " and click " Browse ".
In the window that appears, select " Trusted Root Certification Authorities " and click " OK ".
Once you have chosen the certificate store, you get the following window:
Click " Next ".
Click " Finish ".
Click " Ok ".
RTE Root Certification Authority
This CA is the new Root CA of RTE, dealing with 4096 bit keys. This CA is necessary to ensure the validation of the chain of trust.
RTE Root CA certificate must now be installed in your browser.
To do so, please go to the following address:
IMPORTANT NOTE
It is imperative to respect the case (upper / lower case) of the site’s address.
The download window appears:
Click the " Save " button and choose a location to save the file " ACR_RTE_Root_CA_20160303.cer " containing RTE Root CA’s certificate.
Once the download is completed, the following window appears:
Click " Open folder " to go to the directory where you saved the file.
Right-click the " ACR_RTE_Root_CA_20160303.cer " file you just downloaded and choose " Install Certificate ".
The installation wizard of the certificate is displayed:
Click " Next ".
Select " Place all certificates in the following store " and click " Browse ".
In the window that appears, select " Trusted Root Certification Authorities " and click " OK ".
Once you have chosen the certificate store, you get the following window:
Click " Next ".
Click " Finish " and, if the next window displays a security warning, click " Yes ":
Click " OK ".
RTE Client Certification Authority
This CA is the new Client CA of RTE, dealing with 4096 bit keys. This CA is necessary to generate the new PKI’s certificates.
RTE Client CA certificate must now be installed in your browser.
To do so, please go to the following address:
IMPORTANT NOTE
It is imperative to respect the case (upper / lower case) of the site’s address.
The download window appears:
Click the " Save " button and choose a location to save the file " ACR_RTE_Root_CA_20160303.cer " containing RTE Root CA’s certificate.
Once the download is completed, the following window appears:
Click " Open folder " to go to the directory where you saved the file.
Right-click the " ACF_RTE_Root_CA_20160303.cer " file you just downloaded and choose " Install Certificate ".
The installation wizard of the certificate is displayed:
Click " Next ".
Select " Automatically select the certificate store based on the type of certificate " and click " Next ".
Click " Finish ".
Click " Ok ".
Visualization and verification of RTE’s CA certificates
Visualization of installed RTE’s CA certificates
The RTE CA certificates you just imported are stored in the Certification Authorities store of Internet Explorer.
To view them, click the menu " Tools > Internet Options ".
A window appears. Go to the " Content " tab and click the " Certificates " button.
In the window that appears, go to the tab " Trusted Root Certification Authorities".
You can see RTE Historical CA’s certificate (here) and RTE Root CA’s certificate (here):
On the tab " Intermediate Certification Authorities" you can see RTE Client CA’s certificate (here):
Verification of RTE Certification Authority certificate
Select the certificate " RTE Certification Authority ".
Click the button " View ", then click the " Details " tab.
To ensure the authenticity of this certificate, carefully check that the thumbprint " SHA1 " related to the certificate " RTE Certification Authority " is identical to the one presented below.
Digital hash of the certificate " RTE Certification Authority " SHA1
SHA1 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12
If this is not the case, delete the certificate and call RTE’s Hotline (here).
Verification of RTE Root Certification Authority certificate
Select the certificate " RTE Root Certification Authority ".
Click the button " View " then click the " Details " tab.
To ensure the authenticity of this certificate, carefully check that the thumbprint " SHA1 " related to the certificate " RTE Certification Authority " is identical to the one presented below.
Digital hash of the certificate " RTE Certification Authority " SHA1
SHA1 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12
If this is not the case, delete the certificate and call RTE’s Hotline (click).
Verification of RTE Client Certification Authority certificate
In the tab " Intermediate Certification Authorities ", select the certificate " RTE Client Certification Authority ".
Click the button " View " then click the " Details " tab.
To ensure the authenticity of this certificate, carefully check that the thumbprint " SHA1 " related to the certificate " RTE Certification Authority " is identical to the one presented below.
Digital hash of the certificate " RTE Certification Authority " SHA1
SHA1 C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed
If this is not the case, delete the certificate and call RTE’s Hotline (here).
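The thumbprint checks described in the verification sections above can also be run against the downloaded .cer file before it is installed, and against the Windows certificate stores afterwards. The PowerShell below is an added example, not part of RTE's procedure: the function names are hypothetical, the file name and thumbprints are the ones printed in this guide, and it assumes the certificates were installed for the current user.

```powershell
# Added example: function names are hypothetical; the thumbprints and the
# file name are the ones printed in this guide.
$ExpectedThumbprints = @{
    'RTE Certification Authority (Historical CA)' = '39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12'
    'RTE Client Certification Authority'          = 'C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed'
}

function ConvertTo-NormalizedThumbprint {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Keep hex digits only, so colons, spaces and stray characters picked up
    # by copy/paste do not cause a false mismatch (Windows stores no separators).
    $hex = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($hex.Length -ne 40) { throw "A SHA-1 thumbprint has 40 hex digits, got $($hex.Length)." }
    $hex
}

function Test-CertificateFileThumbprint {
    # Checks a downloaded .cer file (DER or Base64) before it is installed.
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$ExpectedThumbprint)
    $want = ConvertTo-NormalizedThumbprint $ExpectedThumbprint
    $file = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file
    [pscustomobject]@{
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        Match      = ($cert.Thumbprint -eq $want)
    }
}

function Find-InstalledCertificate {
    # Reports which store(s) hold a certificate with the expected thumbprint.
    # Assumption: installed for the current user (Root = trusted roots, CA = intermediates).
    param([Parameter(Mandatory)][string]$ExpectedThumbprint,
          [string[]]$Stores = @('Cert:\CurrentUser\Root', 'Cert:\CurrentUser\CA'))
    $want = ConvertTo-NormalizedThumbprint $ExpectedThumbprint
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store |
            Where-Object { $_.Thumbprint -eq $want } |
            Select-Object @{ Name = 'Store'; Expression = { $store } }, Subject, NotAfter, Thumbprint
    }
}

# Before installing: Match must be True, otherwise do not install the file.
$cer = '.\Certification_Autority_RTE_2048.cer'
if (Test-Path -LiteralPath $cer) {
    Test-CertificateFileThumbprint -Path $cer `
        -ExpectedThumbprint $ExpectedThumbprints['RTE Certification Authority (Historical CA)']
}

# After installing: no output for a name means that thumbprint is not in the stores.
foreach ($name in $ExpectedThumbprints.Keys) {
    Find-InstalledCertificate -ExpectedThumbprint $ExpectedThumbprints[$name]
}
```

The Store column shows where each certificate landed, so a CA that should sit under Intermediate Certification Authorities but appears under Trusted Root Certification Authorities is visible at a glance.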
Installing your personal certificate
Authentication on the retrieval interface
The software certificate request must have been completed in accordance with the procedure of software certificate request.
To proceed to the retrieval you need the following information (here):
- The password you chose and supplied to RTE in the form to request access to RTE’s IS (here).
- Certificate email, Retrieval code and Password for the PKCS#12 file included in the email " Access to RTE’s IS services " (here).
For convenience, you can copy and paste these values, taking care not to copy any space at the beginning or end.
To create your certificate and the associated private key, log on to the certificate retrieval website:
IMPORTANT NOTE
It is imperative to respect the case (upper / lower case) of the site’s address.
Click the button " Retrait de votre certificat personnel ".
Fill the field " Certificate email " with the value indicated in the email " Access to RTE’s IS services ".
Click " Submit ".
Fill the fields:
- " Retrieval code " as indicated in the email " Access to RTE’s IS services " (here).
- " Chosen password " which is the password you chose and provided to RTE in the form to request access to RTE’s IS (here).
Finally click " Submit ".
Downloading your certificate
The following page appears.
Click " Download ".
In the window that appears, click " Save ".
Choose a directory to save your certificate, then click " Save ".
A window shows the progress of the download. Once the download is completed, click " Open folder ".
The folder containing your personal certificate appears.
IMPORTANT NOTE
Once downloaded, the PKCS#12 file (extension ".P12") containing your certificate and its associated private key must be stored on removable media (USB stick or external hard drive), which you must keep in a safe in order to protect access to it.
Also keep the email " Access to RTE's IS services " that contains the password.
Installation of your personal certificate
Go to the download folder of the file.
Right-click the " certificate.p12 " file and choose " Install PFX ".
Click " Next ".
The name of the file containing your certificate is automatically filled, click " Next ".
The window below appears:
- In the field " Password ", enter the " Password " present in the email " Access to RTE’s IS services " (here).
- The check box " Enable strong private key protection. […] " is optional. Tick it if you wish to define a password that will be asked before every use of your private key in Internet Explorer.
- The check box " Mark this key as exportable. […] " is optional. Tick it if you wish to be able to export your private key later (here).
- Tick the check box " Include all extended properties ".
Click " Next ".
Select " Automatically select the certificate store based on the type of certificate ", and click " Next ".
Finally, click " Finish ".
If you previously ticked the check box " Enable strong private key protection ", then the following window appears:
Click the button " Set security level… ".
Select the " High " option, then click " Next ".
Enter a name for the private key to protect and a password, then click the " Finish " button.
Warning: this password is required upon each use of the certificate.
Click " OK ".
Finally, the following window appears:
Click " OK ".
Your certificate and your private key have been successfully imported in Internet Explorer.
Visualization and verification of your software certificate
Regardless of the browser used, the content of the downloaded certificate is the same; only the presentation of information on the screen differs. In the case of downloading with Internet Explorer, open the certificate store via the menu " Tools > Internet Options ", " Content " tab, button " Certificates… ":
Select your certificate then click " View ".
It is valid for 3 years from the date of retrieval.
The " Certification Path " tab allows checking the validity of your certificate. The " Certificate status " and the complete certification path, showing the trust chain (Root CA + Client CA or Historical CA), indicate that your certificate has been correctly installed and that everything has been configured correctly.
The tab " Details " allows you to view the full name of the holder and the email address to which the certificate is attached.
Using your certificate
Authentication and encryption
Steps to follow:
- Run Internet Explorer,
- Enter the URL to RTE’s application or to " RTE’s customer service portal ":
- During the authentication, the browser will ask you to select the certificate to use for authentication then (if it has been defined) the certificate store protection password,
- If multiple certificates are presented, choose the one supplied for the application you wish to access (use the button "Display certificate" to visualize its content).
Once authentication is completed, all data you send or receive will be encrypted.
Example of access to an RTE web application
Enter the URL https://portail.iservices.rte-france.com in the Internet Explorer address bar then press Return.
Then, Internet Explorer asks you to select a certificate enabling you to authenticate to the requested site.
The line " Click here to view certificate properties… " lets you view the content of the selected certificate.
Click the " OK " button to access the application.
The window below asks for the password that protects the private key associated with your certificate if it has been set.
The home page is then securely displayed (appearance of the closed padlock to the right of the URL entry field):
Additional operations
Export of your personal certificate
This section explains how to save the certificate with its private key and RTE’s trust chain. The procedure is to generate a file in PKCS#12 format (".pfx" extension), protected by a password.
You can only export your certificate and private key if you checked " Mark this key as exportable " when installing your personal certificate (here).
In Internet Explorer, click the menu " Tools > Internet Options ".
Then, click the " Content " tab, and then the " Certificates " button.
Another window appears. Select your certificate, then click " Export… ".
Click " Next ".
Select " Yes, export the private key ", and then click " Next ".
Select the check box " Include all certificates in the certification path if possible ", and then click " Next ".
Enter a password of your choice to protect the PKCS#12 file, and then click " Next ".
Click " Browse… " and select the location of the PKCS#12 file, and then click " Next ".
Finally, click the " Finish " button.
Click " OK ".
You have exported your certificate's private key and RTE’s trust chain (which signed your certificate) to a password-protected file in PKCS#12 format. These elements have been exported, but remain present in Internet Explorer’s store.
Deleting your personal certificate
This section details the procedure to remove a certificate and its private key from Internet Explorer’s Certificate store.
IMPORTANT NOTE
Before deleting your personal certificate, make sure you have a copy. If this is not the case, refer to the export procedure (here) to export your certificate and private key as a PKCS#12 file.
In Internet Explorer, go to " Tools > Internet Options ".
A window appears. Click the " Content " tab, then the " Certificates " button:
Select the certificate to delete and click " Remove ".
Click " Yes ".
The certificate is removed from the certificates list.
Connecting to the SSL VPN
Foreword
The connection via SSL VPN is a service for establishing a secure communications channel to RTE’s FrontOffice via the Internet. This channel is established after authenticating with your certificate from a dedicated website (here). Once the channel is established all communications with the requested RTE service will be encrypted.
The use of SSL VPN requires the installation of a dedicated tool, installed during the first login to the site. The application is called Secure Application Manager (SAM).
SSL VPN enables secure access to your mailboxes hosted on RTE’s FrontOffice.
Prerequisite
The website secure.iservices.rte-france.com must be declared as a trusted site (here).
IMPORTANT NOTE
Before your first connection, you must verify that your workstation can resolve the address secure.iservices.rte-france.com (see Workstation Configuration).
PSIS (Pulse Secure Installation Service) is a Windows service made available on the RTE customer site. Once installed, this service allows future SAM versions to be updated without requiring the intervention of a person with administrator privileges on the machine.
To do so, download the executable under the link:
http://clients.rte-france.com/lang/an/visiteurs/accueil/portail.jsp
And decompress the compressed file:
The following window appears. Click " Yes ".
It will be automatically activated at every operating system launch.
First connection
This paragraph applies only to your first login to the SSL VPN with Internet Explorer.
IMPORTANT NOTE
The first connection must be made by a computer specialist with Administrator rights on your workstation in order to install the SAM application.
Before continuing, you need to disable ActiveX controls on Internet Explorer. To do so, press the " Alt " key on the keyboard.
A menu bar appears at the top of the window. Then click the Tools button, and make sure " ActiveX Filtering " is not selected (see the following screenshot).
Launch your browser and go to the following website:
The following window appears:
Select your certificate then click " OK ".
If necessary, this window will ask for the password that protects the private key associated to your certificate.
The browser displays a link to install SAM (if it’s not already installed on your computer):
If no manual intervention is performed, the following installation pop-up appears:
If necessary, the following window appears:
Click " Yes ".
The Pulse Secure client then installs and the installation of the SAM application starts:
Wait during the installation.
If the following window appears, click " Yes ".
Once the installation is completed, the following page appears:
If your Internet access requires authentication to a proxy, a window appears asking your login and password. Enter them and confirm.
Then, the icon appears in your task-bar:
Click the " Sign out " button (top right of the page) to end the session:
Using the SSL VPN
Establishing the connection
Launch your browser and go to the following website:
The following window appears:
Select your certificate then click " OK ".
If necessary, a window will ask you the password that protects the private key associated with your certificate.
If necessary, the window below appears. Click " Yes ".
The SAM application launches automatically and the following page appears:
If your Internet access requires authentication to a proxy, a window appears asking your login and password. Enter them and confirm.
Then, the icon appears in your taskbar.
Notes:
- The certificate is only used to establish the connection to the SSL VPN.
- To close the SSL VPN session, click the " Sign out " button (top right of the page).
Use case to access hosted mailboxes
The SSL VPN can be used to access mailboxes hosted on the FrontOffice with a standard email client.
Access to hosted mailboxes requires the SSL VPN connection to be established (here).
The Email account configuration in your mail client is then to be made with the following parameters:
- Incoming Mail server:
  - Type of server: POP3
  - Address (server hostname): pop.services.rte-france.com
  - Port: 110
  - Cipher SSL: None
  - Authentication: Password
- Outgoing Mail server:
  - Type of server: SMTP
  - Address (server hostname): smtp.services.rte-france.com
  - Port: 25
  - Cipher SSL: None
  - Authentication: None
When your access to RTE’s FrontOffice is provided, you will receive your login name, your password and your email address.
IMPORTANT NOTE
Because the messages are transferred through a secure channel, sending and receiving messages do not require the use of a certificate to encrypt messages.