ESG Appendix C: Digital Certificates

ESG User Guide - Table of Contents

ESG system now requires certificates with a key length of 1024 or 2048 or 3072. Certificates with other key lengths (512 or 4096) are not accepted.

• What is a digital certificate
• Using the certification
• Unacceptable certificates
• Where to obtain a certificate
• How to export a digital certificate Public Key
• How to export a digital certificate Private Key
• How to update an existing Electronic Submissions Gateway Account's digital certificate

What is a Digital Certificate

A digital certificate is an electronic document which conforms to the International Telecommunications Union’s X.509 specification. It is a document which typically contains the owner’s name and public key, the expiration date of the public key, the serial number of the certificate, and the name and digital signature of the organization which issued the certificate. The digital certificate binds together the owner’s name and a pair of electronic keys (a public key and a private key) that can be used to encrypt and sign documents.

Encrypting and digitally signing documents using certificates provides the following assurances about document transmissions:

• Only the addressee (and no unauthorized users) can read the message. Encryption provides this assurance.
• The message cannot be tampered with. That is, data cannot be changed, added, or deleted without the sender’s knowledge. A document’s digital signature provides this assurance.
• Parties sending documents are genuinely who they claim to be. Likewise, when those parties receive documents signed by the sender, they can be confident about the source of the documents. A document’s digital signature provides this assurance.
• The parties who send documents cannot readily claim they did not send them. This is referred to as non-repudiation of origin. A document’s digital signature provides this assurance.
• Parties who are sent documents cannot readily claim they did not receive them. This is referred to as non-repudiation of receipt. The signed document acknowledgment provides this assurance.
• A certificate must be issued to the owner of the ESG account. The certificate must contain the full name or correct email address used in the registration of the ESG account. To view your certificate’s credentials, double click on the certificate file and validate the Issues to field:
   

Using the certification

The public key in the FDA’s certificate is used to encrypt a document for transmission. The FDA ESG uses the public key to verify the digital signature of a document received from a specified source.

Before encrypted and signed documents (sent submissions) are exchanged with the FDA ESG, there must be a certificate exchange to obtain the other’s certificate and public key. Each party obtains a certificate with a public-private key pair, either by generating a self-signed certificate or by obtaining a certificate from a Certificate Authority. The private half of the key pair always remains on the party’s computer. The public half is provided to the FDA ESG during the registration process and includes the certificate and public key, or the certificate alone.

Certificates not accepted by the registration module

There are situations when a valid certificate is not accepted by the registration module and is identified as invalid. If this occurs, zip the certificate file and email it to the FDA ESG administrator at ESGHelpDesk@fda.hhs.gov. Once received, FDA will assess the certificate and send a response.

Certificates not accepted by the FDA ESG

The FDA ESG cannot accept certificates with blank data elements in the Issuer or Subject fields.  These certificates will cause the FDA ESG to fail due to a defect in the Gateway software.  The certificates provided should be valid for at least one year and no more than three years.  Note, this requirement applies to both Pre-production (Test) and Production ESG systems.

NOTE: DO NOT SUBMIT CERTIFICATES WITH BLANK DATA FIELDS IN THE ISSUER AND SUBJECT FIELDS

Where to obtain a certificate

The FDA ESG supports Public Key Infrastructure (PKI) to securely trade submissions over the Internet. PKI is a system of components that use digital certificates and public key cryptography to secure transactions and communications.

PKI uses certificates issued by certificate authorities (CAs) to provide authentication, confidentiality, integrity and non-repudiation of data.

PKI Options

There are two PKI options supported – in-house and outsourced. The option chosen can depend on a number of factors, such as cost, human and system resources, and the degree or sophistication of security desired. PKI establishes digital identities that can be trusted. The CA is the party in a PKI that is responsible for certifying identities. In addition to generating a certificate, this entails verifying the identity of a subscriber according to established policies and procedures. This is the case for in-house and outsourced PKIs.

In an organization that generates and uses its own self-signed certificates, the trading parties must verify the certificates and establish a direct trust. Once established that an identity or issuer of an identity can be trusted, the trust anchor’s certificate is stored in a local trust list. The FDA ESG has a local trust list for storing and managing established trust relationships. The application maintains a list of common public CA certificates similar to those kept in web browsers. Although convenient, this predetermination of trust might not complement every organization’s security policy. The decision of who to trust rests with the individual organization.

In-House

An in-house PKI makes it possible to achieve complete control of security policies and procedures. It also carries the burden of management and cost to set up and maintain the system.

FDA recommends using certificates with 3 years validity.

Outsourced

Third-party certificate authorities can be leveraged to purchase X.509 certificates for general use. The CA manages the security policies and details such as certificate revocation. The level of outsourcing can range from purchasing a public key certificate that is valid for 1 year to 3 years from a commercial CA, to outsourcing all of the PKI services that an organization requires.

If you plan to use an outsourced certificate, the following are just a few of the many companies that sell the X.509 certificates (Displayed in alphabetical order). FDA recommends using certificates with three years validity. Please note that some vendors do not offer a three year certificate on their website, but you may call them directly to purchase a three year certificate. Telephone contact information is available on each vendor’s website.

Note:  References to commercial products are for illustrative purposes only and does not constitute an official FDA endorsement. If you are a CA and would like to list your URL here, please send the URL linking to your Class 1 Personal Identification certificate (i.e. Secure Email certificate) page to ESGHelpDesk@fda.hhs.gov.

• Comodo: https://secure.instantssl.com/products/frontpage?area=SecureEmailCertificate
• GlobalSign: http://www.globalsign.com/digital_certificate/personalsign/index.htm#2
• Exostar: http://www.myexostar.com/Digital-Certificate-Service-Overview

The minimum requirement for a digital certificate for use with the FDA Electronic Submissions Gateway is a Class 1 Personal Identification certificate (i.e. Secure Email certificate). The list of digital certificates identified above has been proven to meet the FDA Electronic Submissions Gateway requirements. This list does not represent all digital certificates accepted for use with the FDA Electronic Submissions Gateway, and various other certificates with additional functions are accepted as well, but these additional functions, which are outside the FDA ESG requirements, are not necessary

CA will send you an email with PIN number and a link to a website where you can import/install the certificate. Accept all defaults and say "yes” to all pop-ups, your certificate will be installed in your browser. Note, if you are using WebTrader, you do not have to install the certificate on the same machine that you will be using. Once the certificate is installed in the browser you can export the public and private keys out and use them where ever you want. AS2 users will need to install the certificates in their system. Configuring the certificates may defer from sponsor to sponsor depending on what gateway software being used.
 

Exporting a public key (.cer)

1. From Internet Explorer go to Tools >>> Internet Options >>> Content tab >>>Certificates.
2. Select your certificate in the Personal tab.
3. Click on the Export button to create public and private keys, which can be used for the Gateway.

    

4. To export public key (.cer or .p7b) select Next on the next screen
5. Select ¤ No, do not export the private key option and click on the Next button.

    

6. Select the options as shown on the screen below and click on the Next button. 

      

7. Give a file name and select the location where you want to save the file. Click on the Next button.  Then click on Finish.

You public key is ready. This is the key that you should use when registering.

Exporting a private key (.pfx)

To export private key (.PFX or .P12)

1. Select the certificate and click on Export, Click on next on the next screen

    

2. Select ¤ Yes, export the private key and click on the Next button.

    

3. Select the options as shown below and click on the Next button.

    

4. Create a password for your private key. Confirm the password and click on the Next button.  If you forget the password you can export the private key again and create a password.

    

5. Create a file name and select the location where you want to save the file and click on the Next button. On the next screen, click on Finish and then click on OK.

Your private key is ready. This is the key that you should use when sending submissions.

Updating a digital certificate to an existing Electronic Submissions Gateway Account

1. Obtain a new digital certificate from your CA.
2. Follow steps from “Exporting a Public Key” and “Exporting a Private Key”.
3. Email the public key (.cer) to ESGHelpDesk@fda.hhs.gov, providing the following information:
   
   • Primary account holder name
      
   • Electronic Submissions Gateway Account name
      
4. A confirmation email from ESGHelpDesk@fda.hhs.gov will be received, notifying the account holder that the new public key has been uploaded. The user may know send submissions via the Electronic Submissions Gateway using the newly exported private key (.pfx).