Trusted certificates 24/7
With the SwissSign Managed PKI service you issue, approve, manage and withdraw certificate requests yourself for your employees, customers and partners within a matter of minutes, whatever the time of day. You manage your certificates independently via our web interface or on an automated basis via one of our partner solutions with a standardised interface. We validate your organization only once; after that, individual certificate requests no longer need to be validated separately – even for SSL EV certificates.
Everything speaks in favour of SwissSign Managed PKI service:
- Flexible issuance: Any time, any place and everything immediately.
- Everything from a single source: Every S/MIME or SSL certificate – including SSL EV Gold.
- Transparent and fair prices: You pay for your chosen order volume and use our certificates on several servers at no extra cost. You also benefit from attractive volume discounts. For e-mail certificates you can save an additional 40%. Just sign your contract for a first contract period of three years or five years. Afterwards you can resign on a yearly basis.
- SwissSign goes the extra mile: SwissSign is a Swiss company and we work to ensure reliability in everything we do – right down to the last detail. Our local Support team will support you in German, French and English. SwissSign certificates are integrated in European partner solutions for secure and trusted e-business.
Order and contract
To order the Managed PKI Service, please fill out, sign and return to us the following two documents:
Description
High efficiency and low costs
- Automated use: Thanks to the CMC and RFC 2797 interface standards, you can perform the entire auto-enrolment process using our partner products.
- Tested with the most popular gateways on the market: Take advantage of a high level of efficiency in the management and distribution of certificates with the most popular gateways on the market. SwissSign's partner
- High level of flexibility and scalability: You can scale your certificate quantities and types in a flexible manner at any time.
- Lower costs: You spare yourself cost-intensive development and operational work associated with maintaining your own PKI. We have a price model with rapidly rising volume discounts.
- Trustworthiness: All popular browsers and operating systems trust our certificates.
Payment – flexible management and billing
- Billing takes place once a year prior to the acquisition period based on the chosen order volume.
- Upon adding to your number of certificate licenses, the volume discount allows you to benefit from your existing certificate inventory.
- You can always obtain certificates for the agreed order volume. You do not have to obtain the certificate types originally mentioned in the order, as long as the sum of all your certificate licenses does not exceed the order volume. If you exceed the order volume, we will contact you about upgrading your contract.
- You are free to decrease your certificate order volume for the next yearly contract period.
- A certificate revocation followed by the re-issuing of a new certificate constitutes the acquisition of a single certificate. This means that a replacement server or an employee replacing another can use the same certificate license.
- We calculate certificate usage on a daily basis. This means that if you use a certificate for only half a year, we will count it as 0.5 certificates.
- Certificates can be issued for the signature, for encryption or for authentication. Provided these are always for the same subject (person, e-mail address, computer, etc.), they only have to be paid for once in the case of Managed PKI.
Are you unsure whether you'd be better off operating your own PKI or whether you would like to procure this from SwissSign? The matrix supports you in deciding whether a "Managed PKI" of SwissSign or an "inhouse PKI" will offer you the greatest benefits.
Do you currently obtain your certificates via Managed PKI services provided by our competitors? And would you like to switch to SwissSign Managed PKI certificate services?
Benefit from attractive conditions for the exchange and contact us with the details of the certificates and quantities to be exchanged.
Usage
Using a Managed PKI (public key infrastructure), you can apply for and acquire certificates for your organisation. The identity and the authorisations of your organisation are checked once prior to the setting up of the Managed PKI. Subsequently, you can immediately acquire certificates around the clock without the need for an individual check by SwissSign.
SwissSign delights hundreds of customers with its flexible Managed PKI services. As a reference depicting the kind of service we provide to our other customers, a description of the SwissSign solution provided to Mobiliar can be found here:
Setup
We configure your Managed PKI on the basis of your order. You can access your Managed PKI via a certificate-based encrypted connection. The access or operator certificate required for this encrypted connection will be supplied in your account on our certificate management platform swisssign.net.
As soon as you have received an e-mail with the access data for your account, call up www.swisssign.net in the browser.
Select the "Account - Login" menu item and log in using the username and password provided for this purpose.
First, replace the existing password with a password of your own that is not known to SwissSign, using the "Change password" menu item.
You also still have the option to amend the saved account data via the "Edit" menu item. Please read the details in this regard in the Managed PKI Services User Guide (PDF, 1,3 MB).
To download the access certificates required to gain access, select the "Search/manage" menu item. In the "Search/manage" window, leave all of the standard settings and press the "Search" button.
Your certificates will now be displayed:
All access certificates are shown in the table. You can download and install each individual certificate via the "Download/attributes" button. For the installation, you will have received the password for the private key to the access certificate from our Fulfilment Centre in a separate secure e-mail.
As soon as you have access to your Managed PKI, you will have seven days to test the system and report any errors. After this time, the system will be deemed to have been accepted.
Please report any errors which come to light at a later point to our Help Desk, which will add these to our ticketing and workflow system. You can contact the Help Desk by phone on +41 848 77 66 55 or alternatively via e-mail at info@swisssign.com.
The two set-up options are described below:
1. Web-controlled management
In the case of web-controlled management (web interface), you now have to install this certificate on your operating system. You can then log in using the certificate login under www.swisssign.net.
2. Acquisition of certificate via partner application
If you acquire the certificate via a SwissSign partner application (e.g. a mail gateway), you will receive a special access certificate for this mail gateway. You must install the downloaded access certificate in your partner application. To do so, please follow the instructions of the application manufacturer.
The connection is based on the CMC interface. For the configuration of this interface you will need the name of the product:
- ‹Company name›-‹certificate type›, e.g. abc-gold-pers-1y
- ‹Company name› is generally the same name that was also used for your account.
Contract modifications and termination
You can withdraw, adjust or add to your certificates or change the parameters for certificate issuance. The different options are described below.
Subsequent change to the order volume
You can add additional certificates to your Managed PKI service at any time and in doing so take advantage of an increased volume discount. Up to the next annual bill, you shall be charged the difference between your current inventory and the new order on a pro rata basis for the months for which payment is due. As of the new billing date, the new order volume will then be charged.
Please complete the order form or Managed PKI offer tool (interactive PDF) to amend your order.
Subsequent change to the publication status of your certificates
SwissSign maintains a general public directory of all issued certificates (LDAP) on www.swisssign.net. If you would no longer like your certificates to be listed in the directory in future, you can subsequently amend this setting subject to a fee. However, the setting will not be applied retroactively to previously issued certificates.
- Change order (PDF, 787 KB)
Subsequent entry of an access manager/operator
You can subsequently enter additional access managers / operators, subject to a one-time alteration fee each time. They will also receive an access certificate. Please complete the authorisation for the operator to be added. Please also inform us of any access managers who no longer have authorisation and revoke their access certificates.
- Change order (PDF, 787 KB)
- Authorisation (PDF)
Change to the company name
If you need to change your current company name, this company must be authorised and checked once again subject to an alteration fee. To this end, the Managed PKI Set-up Agreement must also be completed by this company and the already known or new access managers must be granted authorisation. We will also need additional proof of organization.
We will again require a copy of the identification documents / passports for all new signatories. This prevents the accidental issuing of certificates to third-party companies. When selecting the e-mail addresses, last names, first names and sub-domains, you are free to enter these in the certificate provided this is allowed by the respective certificate type.
- Change order (PDF, 787 KB)
- Declaration of Consent to the Delegation of Registration Authority Activity
Please note: After changing the organization name or any address elements contained in the certificates, new certificates must be issued and the old certificates must be revoked within five days. This applies to SSL Gold EV, SSL Gold and Email ID Gold.
The following certificate attributes might be affected:
- Country
- State
- Locality
- Organization
- EV-specific attributes (Street, PostalCode, & jurisdictionOfIncorporation-attributes)
Order for other companies
If you would like to request certificates for additional organizations in your Managed PKI in future, we need the authorization and acceptance of each such organization. The change is subject to a change fee. The new organization has to sign the "Declaration of Consent to the Delegation of Registration Authority Activity" together with your access manager in order to be admitted to your Managed PKI. By doing so, the new organization accepts all terms of the Managed PKI and authorizes the access managers of the current Managed PKI to also request certificates for this new organization.
For all new signatures we again need a copy of the ID/passport. This prevents the misuse of certificate issuance. We also need a current proof of organization (trade registry excerpt or similar) for the new organization. The declaration must be signed by the authorized signatory of this organization as stated in the proof of organization.
Identity
After you have sent the "Order and Contract for Managed PKI Services" document to us electronically, the following documents must be submitted by post or via e-mail with a qualified electronic signature:
- Declaration of Consent to the delegation of the Registration Authority Activity: With this document you accept the obligations of operating your own registration authority and give the necessary authorizations for the issuance of certificates. The document must be counter-signed by the access managers and by your organisation's management figures as named in the proof provided of the organisation's existence (e.g. commercial register excerpt). Please note that the vetting process can be very fast if the Managed PKI Setup Agreement is signed by the responsible persons who are mentioned in the registry for this organization. Otherwise we need to call your human resources department to confirm the signatory's authority for digital identities in your organisation. If a third organization operates the Registration Authority, please authorize the access manager of this third organization in your declaration. Declaration of Consent to the delegation of the Registration Authority Activity (PDF)
- Copies of identification documents/passports: To accelerate the identification process, we advise enclosing copies of the identification documents – Switzerland, Liechtenstein and EU – or passports of all signatories. The signature and photograph must be clearly visible. Alternatively, we will call all persons who signed the document to verify their identity. We will accept digital documents with qualified signatures without further verification.
- Proof of organisation's existence: Should we not find your organisation in a public register, we will call you for further proof of the organisation's existence.
Postal and e-mail address
SwissSign AG
Sales & Partner Management
Sägereistrasse 25
CH-8152 Glattbrugg
E-mail: contracts@swisssign.com
Order confirmation
After receiving and carefully checking your documents, we will send you an order confirmation. You will then receive the access certificates. Details in this regard can be found under "Setup".
Order process
Account specification swisssign.net
You only have to specify the account name on swisssign.net if you are already a SwissSign customer and, for example, want to increase the number of certificates in your existing Managed PKI. The account on the Managed PKI platform swisssign.net is completely independent of the web shop swisssign.com. Therefore different account names and passwords have to be used.
Electronic order submission
The submission of the "Contract and Order for Managed PKI Services" document shall be deemed to represent a binding order for a service which is subject to a fee. The annual invoicing period begins at the end of the month after the starting date of the contract, unless otherwise agreed.
The order can be submitted digitally via e-mail without a qualified electronic signature. You will receive a copy of your order in our electronic order confirmation. This constitutes the legal conclusion of the contract. A hand-written or qualified electronic signature from all signatories is only required for the Managed PKI Set-up Agreement.
Discount
The discount increases continually with the order volume and is stated precisely in the order sum calculation.
General e-mail address
If partner applications are connected to the SwissSign Managed PKI platform in order to retrieve certificates automatically via the CMC or RFC 2797 interface, these applications will get a non-personal access certificate. In this case there must be an e-mail address which can receive messages concerning the necessary renewal of the certificate at the end of its lifetime. We suggest using a non-personal, shared e-mail address of your IT department, since the lifetime of these certificates is relatively long (3 or 5 years).
Multi-year Managed PKI contract
The service period of a Managed PKI is always one year. The contract is extended unless it has been terminated beforehand. However, it is possible to order certificates with validity periods of multiple years in your Managed PKI. If you want to terminate the contract, you have to revoke them beforehand.
Transfer of certificates
If you have already purchased some certificates in the web shop, we are able to transfer these certificates to your new Managed PKI account. Please add a short note in the notice field at the end of the Managed PKI order form.
Domain information
There is no correlation between the domain names and the certificate types you ordered. It is possible to issue any ordered SSL certificate for any specified domain. The same applies to e-mail certificates.
Domain access authorisation
You prove your access authorisation by publishing a random value (secret) that you obtain via MPKI access, either in the DNS or as a TXT file on the web server. Details of this process can be found in chapter 9 of the Managed PKI user manual.
Terms and revocation
Technical terms and contract terms
A certificate includes a specific period of validity (technical term). For the Managed PKI service, this is independent of the commercial contract term (performance period). During the performance period, certificates can thus be issued with a validity which goes well beyond the end of the performance period. The contract is unlimited in duration and may be terminated subject to a notice period of three months to the end of the one-year service period.
Revocation and re-issue
A certificate revocation (withdrawal) followed by a subsequent re-issue (e.g. employee change) only constitutes the acquisition of a single certificate.
Revocation – contract termination
At the end of the contract, those certificates which are still valid are withdrawn – either by you yourself or our Support team. Please contact us in this regard by sending an e-mail to contracts@swisssign.com or calling +41 848 77 66 55.
Publication of certificates
SwissSign maintains a general directory of all issued certificates (LDAP) on www.swisssign.net. This directory is public and comparable to a phone book. For encrypted e-mail communication, in particular, this makes sense as it allows your communication partners to encrypt the messages they send to you using the public key contained within the certificate.
The public directory can also be directly integrated into the e-mail programmes through the entry of parameters, making it possible to perform the encryption within the e-mail programmes through the automated retrieval of certificates.
If you would not like your certificates to be listed in the directory, select the "I do not want to publish my certificates" button. You can also subsequently change this setting subject to a fee of CHF/EURO/USD 250. However, the setting will not be applied retroactively to previously issued certificates.
Levels of trust in the Managed PKI contract
Silver certificate
Silver-level certificates are shown as domain-validated certificates. The certificate shows the domain (SSL) or the e-mail address (personal). An organisation entry is optional on personal certificates only. The Silver certificate allows encryption and signature, but no authentication.
Gold certificate
Gold-level certificates are shown as organisation-validated or person-validated. The certificate contains an organisation entry and, in the case of e-mail (S/MIME) certificates, a person entry. This means that encryption, signature and authentication are possible for e-mail certificates.
SSL Gold EV certificate
Issuing SSL Gold EV certificates for your company is easily possible within the framework of the Managed PKI. These are organisation-validated and are indicated by a green bar in the browser.
Entry of independent subsidiaries
You can also issue certificates for affiliated subsidiaries, for example. For Gold certificates with an organisation entry, please note that authorisation for the use of the organisation name in the certificate must have been granted. Furthermore, all organisations must complete and sign the Declaration of Consent and Terms of Certificate Use (each with the same access managers).
For how long is the RA operator certificate valid?
The operator certificate is valid for three years.