Table of Contents
1. INTRODUCTION
2. INSTALLING A NEW CERTIFICATE AUTHORITY
3. ENROLLING THE NEW CSDC
4. CONFIRMING AND EXPORTING THE CSDC
5. REMOVING THE PREVIOUS CSDC
6. RENEWING A CSDC
7. APPENDIX 1 - TROUBLESHOOTING
7.1. INABILITY TO INSTALL AND RUN THE ACTIVEX COMPONENT
7.1.1. Installing the ActiveX Component
7.1.2. Adding https://pki.verisign.com.au to Trusted Sites in Internet Explorer
1. Introduction
A Client Side Digital Certificate (CSDC) is required to authenticate customers who access a range of ASX systems.
To successfully enrol a new CSDC, the following process should be followed in the specified order:
1. Install a new Certificate Authority (CA)
2. Enrol the new CSDC
3. Confirm the CSDC Enrolment
4. Remove Previous CSDC
When a CSDC is about to expire (one year from its enrolment), users will be sent an email 30 days prior requesting that the CSDC be renewed.
If any difficulties are encountered during the process of enrolling a CSDC, see Appendix 1 - Troubleshooting.
For any other questions regarding the enrolment of a CSDC, contact
2. Installing a New Certificate Authority
Before a new CSDC can be enrolled, a new CA needs to be installed. If the CA is not installed prior to enrolling, an error occurs (duplicate digital ID) and a new CSDC will need to be reissued. To install a new CA:
1. Select:
2. Click INSTALL CA to install the CA.
This opens the Certificate window at the General tab. If a red cross appears in the Certificate Information frame it indicates that the CSDC is not trusted. Later in this procedure the opportunity is provided to place the CSDC in the Trusted Root Certification Authorities store.
3. Click Install Certificate.
5. Click Place all certificates in the following store.
6. Click Browse.
7. Navigate to and select Trusted Root Certification Authorities, and click OK.
The Certificate Import Wizard window is displayed.
8. Click Next.
9. Click Finish.
Once Finish is clicked, a security warning appears.
10. Click Yes.
When Yes has been clicked, a message appears indicating that the installation was successful.
11. Click OK.
Once OK has been clicked the new CA is installed.
The installation of the CA should, however, be checked to ensure that it has been saved in the correct location.
13. Select Content and click Certificates. This opens the Certificates window.
14. Select Trusted Root Certification Authorities.
Check that the installed CA is listed in the Trusted Root Certification Authorities frame.
15. Click Close.
If the installed CA is listed, click Close.
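The check in steps 13 to 15 can also be made from PowerShell. The script below is an added example, not part of the original ASX guide; `$SubjectPattern` and `$ExpectedThumbprint` are placeholders, because the guide states neither the CA's subject name nor its thumbprint, and the real thumbprint has to come from the CA operator.

```powershell
# Added example: report which certificate store the newly installed CA landed in.
# Both parameter defaults are placeholders, not values from the guide.
param(
    [string]$SubjectPattern     = '*<CA-SUBJECT-PLACEHOLDER>*',
    [string]$ExpectedThumbprint = '<CA-THUMBPRINT-PLACEHOLDER>'
)

$expected = $ExpectedThumbprint -replace '\s', ''   # tolerate spaces pasted from the GUI

# Root is the intended destination; the other stores are checked in case the
# certificate was imported into the wrong one.
$found = foreach ($location in 'CurrentUser', 'LocalMachine') {
    foreach ($store in 'Root', 'CA', 'My') {
        $path = "Cert:\$location\$store"
        if (-not (Test-Path -Path $path)) { continue }
        Get-ChildItem -Path $path |
            Where-Object { $_.Subject -like $SubjectPattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store        = "$location\$store"
                    Subject      = $_.Subject
                    Thumbprint   = $_.Thumbprint
                    NotAfter     = $_.NotAfter
                    InRootStore  = ($store -eq 'Root')
                    ThumbprintOk = ($_.Thumbprint -eq $expected)
                }
            }
    }
}

if (-not $found) {
    Write-Warning "No certificate matching '$SubjectPattern' was found; repeat the installation."
    return
}

$found | Format-List
foreach ($c in $found) {
    if (-not $c.InRootStore)  { Write-Warning "$($c.Thumbprint) is in $($c.Store), not in Trusted Root Certification Authorities." }
    if (-not $c.ThumbprintOk) { Write-Warning "$($c.Thumbprint) does not match the expected thumbprint." }
    if ($c.NotAfter -lt (Get-Date)) { Write-Warning "$($c.Thumbprint) expired on $($c.NotAfter)." }
}
```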
3. Enrolling the New CSDC
Once the CA has been successfully installed, the new CSDC can be enrolled. To enrol the new CSDC:
1. Click https://pki.verisign.com.au/services/ASXOperationsPtyLtdASXCAG2/digitalidCenter.htm. This opens the Digital ID Center window.
2. Select Enroll.
3. Enter enrolment details in the specified fields.
Enter the First Name, Last Name, E-mail Address and Passcode that was provided by the ASX Password Administrator.
Note:
All fields are case sensitive except the Passcode.
4. Enter a challenge phrase in the Enter Challenge Phrase field.
The challenge phrase should be recorded and kept in a safe location and not shared with anyone. This phrase should be a unique phrase to ensure that it provides protection against unauthorised action on the CSDC.
Warning:
5. Click Submit.
Once Submit has been clicked, a message dialog box is displayed. Check that the email address is correct.
Note:
The Enter Comments field does not require any information to be entered.
6. Click OK if the email address is correct.
If the email address is incorrect, click Cancel and re-enter the email address in the Your E-mail Address field, and click Submit again.
Once OK has been clicked, the Web Access Confirmation dialog box opens.
7. Click Yes.
8. Click Yes.
In the Internet Explorer dialog box, click Yes to allow the interaction.
9. Click Yes twice.
The Web Access Confirmation dialog box appears twice. Click Yes in both windows.
4. Confirming and Exporting the CSDC
Once the CSDC is enrolled, confirm that it was enrolled correctly. If the CSDC has been correctly enrolled, it should be exported to a local drive as a backup copy.
To confirm and export the enrolled CSDC:
1. Select Tools > Internet Options from the Internet Explorer browser. This opens the Internet Options window.
2. Select Content and click Certificates.
3. Check the expiration date for the CSDC ensuring that it expires a year from the date it was installed.
4. Click Export.
Once the CSDC has been enrolled, a backup copy needs to be exported to a local drive. Clicking Export opens the Certificate Export Wizard window.
5. Click Next.
6. Click Yes, export the private key, and click Next.
Clicking Yes, Export the private key opens the Export File Format frame.
7. Click Personal Information Exchange – PKCS #12 (.PFX), Include all certificates in the certificate path if possible and Export all extended properties, and click Next.
8. Enter a password in the Password field, and confirm the password.
9. Click Next.
12. Click Next.
Once Next has been clicked, confirmation that the export was successful is displayed. Ensure that the settings displayed in the frame are correct. If not, select Back and re-enter the required settings.
13. Click Finish.
14. Click OK.
15. Click Close.
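The confirmation and export steps above, scripted as an added example (not part of the original ASX guide). `$Thumbprint` and `$OutFile` are supplied by the operator and the default backup path is an assumption; the script also reads the exported file back to confirm the backup is usable.

```powershell
# Added example: confirm the enrolled CSDC and export a password-protected backup.
param(
    [Parameter(Mandatory)] [string]$Thumbprint,           # thumbprint of the new CSDC
    [string]$OutFile = "$env:USERPROFILE\csdc-backup.pfx"  # assumed backup location
)

$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq ($Thumbprint -replace '\s', '') }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in the Personal store." }

# Without the private key the backup cannot be used for client authentication.
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key in this profile.' }

# Step 3: the CSDC should be valid for one year (NotBefore is used as the
# enrolment date, which is an approximation of the install date).
$days = ($cert.NotAfter - $cert.NotBefore).TotalDays
if ($days -lt 364 -or $days -gt 367) {
    Write-Warning ("Validity is {0:N0} days, not one year: {1:d} to {2:d}" -f $days, $cert.NotBefore, $cert.NotAfter)
}

# Steps 6-8: PKCS #12 with private key, full chain, password protected.
# Extended properties are included unless -NoProperties is given.
# The export fails if the private key was marked non-exportable at enrolment.
$password = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath $OutFile -Password $password `
    -ChainOption BuildChain -NoClobber -ErrorAction Stop | Out-Null

# Read the file back so a bad export is caught now, not when the backup is needed.
$pfx = Get-PfxData -FilePath $OutFile -Password $password
if ($pfx.EndEntityCertificates.Thumbprint -notcontains $cert.Thumbprint) {
    throw "Backup $OutFile does not contain certificate $($cert.Thumbprint)."
}
"Backup verified: $OutFile ({0} chain certificate(s) included)" -f @($pfx.OtherCertificates).Count
```

The resulting .pfx holds the private key, so it should be stored with the same care as the challenge phrase and the export password.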
5. Removing the Previous CSDC
The previous CSDC needs to be removed now that the CSDC is enrolled. To remove the previous CSDC:
1. Open Internet Explorer and select Tools > Internet Options. This opens the Internet Options window.
2. Click Content and then click Certificates. This opens the Certificates window.
3. Click Personal and select the previous CSDC in the list.
Warning:
4. Click Remove.
6. Renewing a CSDC
Thirty days prior to a CSDC expiring, users are sent an email notifying them that the certificate is about to expire. Users are required to renew the certificate before it expires.
To renew a CSDC:
1. Click https://pki.verisign.com.au/services/ASXOperationsPtyLtdASXCAG2/digitalidCenter.htm. This opens the Digital ID Center window.
2. Click Renew.
3. Click Submit.
Once Submit has been clicked, a dialog box appears.
4. Select the current CSDC from the list and click OK.
5. Click Yes.
7. Appendix 1 - Troubleshooting
Occasionally when enrolling a new CSDC, users may experience difficulty. This is usually as a result of the end users’ desktop computer configuration.
The common difficulties that may be encountered include the inability to install and run ActiveX components, and the user's Internet Explorer configuration not being compatible with enrolling the CSDC.
7.1. Inability to Install and Run the ActiveX Component
An ActiveX component called Personal Trust Agent (PTA) is required for successful enrolment or renewal. The user attempting the enrolment/renewal must have privileged (admin) rights to install the required ActiveX. Where this is not possible due to security policies, the required ActiveX components can be installed by the system administrators using the OnSite.MSI package provided by Symantec (Verisign).
For details on installing the OnSite.MSI package and configuring ActiveX and Trusted Sites, refer to Chapter 12 in the PDF document below. Double-click the icon to open the document.
To run the OnSite.MSI software, double-click on the OnSite.MSI icon below.
VeriSign Managed PKI - Installation and Conf
7.1.1. Installing the ActiveX Component
An ActiveX component called Personal Trust Agent (PTA) is required for successful enrolment of a CSDC. The user attempting enrolment must have privileged (Admin) rights to install the required ActiveX. Where this is not possible due to security policies, the required ActiveX components can be installed by the System Administrators using the OnSite.MSI package provided by Symantec (VeriSign).
7.1.2. Adding https://pki.verisign.com.au to Trusted Sites in Internet Explorer
To ensure that the required ActiveX component is activated properly, https://pki.verisign.com.au needs to be added to the list of trusted sites in Internet Explorer. The security settings need to be changed to allow the CSDC to be enrolled.
3. Click Security, and click Trusted sites (green tick). This displays the Trusted sites frame.
4. Click Sites.
This opens the Trusted sites window enabling trusted sites to be added to the list.
5. Enter https://pki.verisign.com.au in the Add this website to the zone: field.
6. Click Add and then Close.
7. Move the slider in the Security level for this zone frame to the base of the slider so that it is Low, and click OK.
If the slider is not visible, click Default level and it should be displayed.
8. Close all Internet Explorer windows.
Once all of the Internet Explorer windows have been closed, continue to enrol the CSDC.
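The Low security level set in step 7 applies to every site in the Trusted sites zone, not only https://pki.verisign.com.au. The following added example (not part of the original ASX guide) lists the current user's Trusted sites entries and the zone's level so the effect of that step can be reviewed; it reads only per-user settings and does not cover entries delivered by Group Policy.

```powershell
# Added example: show what is in the Trusted sites zone (zone 2) and its level.
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# CurrentLevel values written by the Internet Options slider.
$levels = @{
    0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium'
    0x11500 = 'Medium-high'; 0x12000 = 'High'
}
$current   = (Get-ItemProperty -Path "$base\Zones\2" -Name CurrentLevel).CurrentLevel
$levelName = if ($levels.ContainsKey([int]$current)) { $levels[[int]$current] } else { 'Custom' }

# Each site is a key under ZoneMap\Domains (domain, then optional subdomain);
# a value named after the scheme holds the zone number.
$sites = Get-ChildItem -Path "$base\ZoneMap\Domains" -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            if ($key.GetValue($name) -eq 2) {
                [string[]]$parts = ($key.Name -split '\\Domains\\', 2)[1] -split '\\'
                [array]::Reverse($parts)          # domain\sub -> sub.domain
                [pscustomobject]@{ Scheme = $name; Site = ($parts -join '.') }
            }
        }
    }

"Trusted sites zone level: $levelName (0x{0:X})" -f $current
$sites | Sort-Object Site | Format-Table -AutoSize

if ($levelName -eq 'Low' -and @($sites).Count -gt 1) {
    Write-Warning 'More than one site inherits the Low security level.'
}
if (-not ($sites | Where-Object { $_.Site -eq 'pki.verisign.com.au' -and $_.Scheme -in 'https', '*' })) {
    Write-Warning 'https://pki.verisign.com.au is not in the Trusted sites zone for this user.'
}
```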
7.2. Internet Explorer (9 or later) – Specific Settings
If Internet Explorer 9 or later is used, additional steps are required before a CSDC can be enrolled. To enable Internet Explorer 9 or later to be compatible for enrolling:
4. Click Close.
Once all of the Internet Explorer windows have been closed, continue to enrol the CSDC.
Disclaimer
This document provides general information only and may be subject to change at any time without notice. ASX Limited (ABN 98 008 624 691) and its related bodies corporate (“ASX”) makes no representation or warranty with respect to the accuracy, reliability or completeness of this information. To the extent permitted by law, ASX and its employees, officers and contractors shall not be liable for any loss or damage arising in any way, including by way of negligence, from or in connection with any information provided or omitted, or from anyone acting or refraining to act in reliance on this information. The information in this document is not a substitute for any relevant operating rules, and in the event of any inconsistency between this document and the operating rules, the operating rules prevail to the extent of the inconsistency.
ASX Trademarks
The trademarks listed below are trademarks of ASX. Where a mark is indicated as registered it is registered in Australia and may also be registered in other countries. Nothing contained in this document should be construed as being any licence or right to use of any trademark contained within the document.