Managed PKI Service

High efficiency and low costs

• Automated use: Thanks to the CMC and RFC 2797 interface standards, you can perform the entire auto-enrolment process using our partner products.
• Tested with the most popular gateways on the market: Take advantage of a high level of efficiency in the management and distribution of certificates with the most popular gateways on the market. SwissSign's partner
• High level of flexibility and scalability: You can scale your certificate quantities and types in a flexible manner at any time.
• Lower costs: You spare yourself cost-intensive development and operational work associated with maintaining your own PKI. We have a price model with rapidly rising volume discounts.
• Trustworthiness: All popular browsers and operating systems trust our certificates.

Payment – flexible management and billing

• Billing takes place once a year prior to the acquisition period based on the chosen order volume.
• Upon adding to your number of certificate licenses, the volume discount allows you to benefit from your existing certificate inventory.
• You can always obtain certificates for the agreed order volume. It is not necessary to order those certificate types which were originally mentioned in the order as far as the sum of all your certificate licenses does not exceed the order volume. In case you will exceed the order volume we will contact you for an upgrade of your contract.
• You are free to decrease your certificate order volume for the next yearly contract period.
• A certificate revocation followed by the re-issuing of a new certificate constitutes the acquisition of a single certificate. This means that an exchange of a server or a new replacing employee can use the same certificate license.
• We calculate the certificate usage based on days. That means if you use your certificate only an half year we will count your certificate number as 0.5 for this certificate.
• Certificates can be issued for the signature, for encryption or for authentication. Provided these are always for the same subject (person, e-mail address, computer, etc.), they only have to be paid for once in the case of Managed PKI.

Are you unsure whether you'd be better off operating your own PKI or whether you would like to procure this from SwissSign? The matrix supports you in deciding whether a "Managed PKI" of SwissSign or an "inhouse PKI" will offer you the greatest benefits.

Do you currently obtain your certificates via Managed PKI services provided by our competitors? And would you like to switch to SwissSign Managed PKI certificate services?

Benefit from attractive conditions for the exchange and contact us with the details of the certificates and quantities to be exchanged.

Using a Managed PKI (public key infrastructure), you can apply for and acquire certificates for your organisation. The identity and the authorisations of your organisation are checked once prior to the setting up of the Managed PKI. Subsequently, you can immediately acquire certificates around the clock without the need for an individual check by SwissSign.

SwissSign delights hundreds of customers with its flexible Managed PKI services. As a reference depicting the kind of service we provide to our other customers, a description of the SwissSign solution provided to Mobiliar can be found here:

We configure your Managed PKI on the basis of your order. You can retrieve your Managed PKI via a certificate based encrypted connection. The necessary access or operator certificate for this encrypted connection will be supplied in your account at our certificate management platform swisssign.net.

As soon as you have received an e-mail with the access data for your account, call up www.swisssign.net in the browser.

Select the "Account - Login" menu item and log in using the username and password provided for this purpose.

Please initially replace the existing password for your own password not known by SwissSign via the "Change password" menu item.

You also still have the option to amend the saved account data via the "Edit" menu item. Please read the details in this regard in the Managed PKI Services User Guide (PDF, 1,3 MB).

To download the access certificates required to gain access, select the "Search/manage" menu item. In the "Search/manage" window, leave all of the standard settings and press the "Search" button.

Your certificates will now be displayed:

All access certificates are shown in the table. You can download and install each individual certificate via the "Download/attributes" button. For the installation, you will have received the password for the private key to the access certificate from our Fulfilment Centre with a seperate secure e-mail.

As soon as you have access to your Managed PKI, you will have seven days to test the system and report any errors. After this time, the system will be deemed to have been accepted.

Please report any errors which come to light at a later point to our Help Desk which will add these to our ticketing and workflow system. You can contact the Help Desk by phone on+41 848 77 66 55 or alternatively via e-mail at info@swisssign.com.

The two set-up options are described below:

1. Web-controlled management

In the case of web-controlled management (web interface), you now have to install this certificate on your operating system. You can then log in using the certificate login under www.swisssign.net.

2. Acquisition of certificate via partner application

If you acquire the certificate via a SwissSign partner application (e.g. a mail gateway), you will receive a special access certificate for this mail gateway. You must install the downloaded access certificate in your partner application. To do so, please follow the instructions of the application manufacturer.

The connection is based on the CMC interface. For the configuration of this interface you will need the name of the product:

• ‹Company name›-‹certificate type›, e.g. abc-gold-pers-1y
• ‹Company name› is generally the same name that was also used for your account.

You can withdraw, adjust or add to your certificates or change the parameters for certificate issuance. The different options are described below.
 

Subsequent change to the order volume

You can add additional certificates to your Managed PKI service at any time and in doing so take advantage of an increased volume discount. Up to the next annual bill, you shall be charged the difference between your current inventory and the new order on a pro rata basis for the months for which payment is due. As of the new billing date, the new order volume will then be charged.

Please complete the order form or Managed PKI offer tool (interactive PDF) to amend your order.

Subsequent change to the publication status of your certificates

SwissSign maintains a general public directory of all issued certificates (LDAP) on www.swisssign.net. If you would no longer like your certificates to be listed in the directory in future, you can subsequently amend this setting subject to a fee. However, the setting will not be applied retroactively to previously issued certificate.

• Change order (PDF, 787 KB)

Subsequent entry of an access manager/operator

You can subsequently enter additional access managers / operators subject (one-time alteration fee per time). They will also receive an access certificate. Please complete the authorisation for the operator to be added. Please also inform us of any access managers who no longer have authorisation and revoke their access certificates.

• Change order (PDF, 787 KB)
• Authorisation (PDF)

Change to the company name

If you need to change your current company name, this company must be authorised and checked once again subject to an alteration fee. To this end, the Managed PKI Set-up Agreement must also be completed by this company and the already known or new access managers must be granted authorisation. We will need an additional proof of organization.

We will again require a copy of the identification documents / passports for all new signatories. This prevents the accidental issuing of certificates to third-party companies. When selecting the e-mail addresses, last names, first names and sub-domains, you are free to enter these in the certificate provided this is allowed by the respective certificate type.

• Change order (PDF, 787 KB)
• Declaration of Consent to the Delegation of Registration Authority Activity

Please note: After changing the organization name or any address elements contained in the certificates, new certificates must be issued and the old certificates must be revoked within five days. This applies to SSL Gold EV, SSL Gold and Email ID Gold.
The following certificate attributes might be affected: 

• Country
• State
• Locality
• Organization
• EV-specific attributes (Street, PostalCode, & jurisdictionOfIncorporation-attributes)

Order for other companies

If you would in future like to request certificates for additional organizations in your Managed PKI we need the authorization and acceptance of this organization. The change will be done based on a change fee. The new organization has to sign the "Declaration of Consent to the Delegation of Registration Authority Activity" with your access responsible in order to be admitted in your Managed PKI. By this the new organization accepts all terms of the Managed PKI and authorizes the access managers of the current Managed PKI also for the request of certificates for this new organization.

For all new signatures we need again a copy of the ID/passport. This prevents the misuse of certificate issuance. We need also a current proof of organization (trade registry excerpt or similar) for the new organization. The declaration must be signed by the authorized signatory of this organization as stated in the proof of organization.

• Change order (PDF, 787 KB)
• Declaration of Consent to the Delegation of Registration Authority Activity

After you have sent the "Order and Contract for Managed PKI Services" document to us electronically, the following documents must be submitted by post or via e-mail with a qualified electronic signature:

• Declaration of Consent to the delegation of the Registration Authority Activity: By this document you accept the obligations of an own registration authority, and give the necessary authorizations for the issuance of certificates. The document must be counter-signed by the access managers and your organisation's management figures pursuant to the proof provided of the organisation's existence (e.g. commercial register excerpt). Please note that the vetting process can be very fast if those responsible persons signed the Managed PKI Setup Agreement who are mentioned in the registry for this organization. Otherwise we need a phone call to your human resource department for the confirmation of authority of the signee for digital identities in your organisation. In case a third organization operates the Registration Authority please authorize the access responsible of this third organization in your declaration. Declaration of Consent to the delegation of the Registration Authority Activity (PDF)
• Copies of identification documents/passports: To accelerate the identification process, we advise to enclose copies of the identification documents – Switzerland, Liechtenstein and EU – or passports of all signatories. The signature and photograph must be clearly visible. Alternatively, we will call all persons who signed the document to verify the identity. We will accept digital documents with qualified signatures without further verification.
• Proof of organisation's existence: Shoud we not find your organisation in a public register, we will call you for further proof of organisation's existence.

Postal and e-mail address

SwissSign AG
Sales & Partner Management
Sägereistrasse 25
CH-8152 Glattbrugg
E-mail: contracts@swisssign.com

 

Order confirmation

After receiving and carefully checking your documents, we will send you an order confirmation. You will then receive the access certificates. Details in this regard can be found under "Setup".

Account specification swisssign.net

You only have to specify the account name on swisssign.net, if you are already a customer of SwissSign and e.g. you want to increase the number of certificates in your existing Managed PKI. The account of the Managed PKI platform swisssign.net is completely independent from the web shop swisssign.com. Therefore different account names and passwords have to be used.

Electronic order submission

The submission of the "Contract and Order for Managed PKI Services" document shall be deemed to represent a binding order for a service which is subject to a fee. The annual invoicing period begins at the end of the month after starting date of the contract, unless otherwise agreed.

The order can be submitted digitally via e-mail without a qualified electronic signature. You will receive a copy of your order in our electronic order confirmation. This constitutes the legal conclusion of the contract. A hand-written or qualified electronic signature from all signatories is only required for the Managed PKI Set-up Agreement.

Discount

The discount increases continually with the order volume and is stated precisely in the order sum calculation.

General e-mail address

If partner applications are connected to the SwissSign managed PKI platform in order to retrieve automatically certificates via the CMC or RFC 2797 interface, these applications will get a non-personal access certificate. In this case there must be an e-mail address which can receive messages concerning the necessary renewal of the certificate at the end of the lifetime. We suggest to use a non-personal, common e-mail address of your IT-department since the lifetime of these certificates is relatively long (3 or 5 years).

Multi-year Managed PKI contract

The service period of a Managed PKI is always one year. The contract will be prolonged if the contract has not been abandoned before. But it is possible to order certificates with validity periods of multiple years in your Managed PKI. In case you want to abandon the contract you have to revoke them beforehand.

Transfer of certificates

If you already purchased some certificates in the web shop we are able to transfer these certificates to your new Managed PKI account. Please enter a short hint in the notice field you can find on the end of the order form of the Managed PKI.

Domain information

There is no correlation between the domain names and the certificate types you ordered. It is possible to issue any ordered SSL certificate for any specified domain. The same with e-mail certificates.

Domain access authorisation

You prove your access authorisation by publishing a random value (secret) (on the DNS or as a TXT file on the web server), which you obtain via MPKI access. Details of this process can be found in chapter 9 of the Managed PKI user manual. 

Technical terms and contract terms

A certificate includes a specific period of validity (technical term). For the Managed PKI service, this is independent of the commercial contract term (performance period). During the performance period, certificates can thus be issued with a validity which goes well beyond the end of the performance period. The contract is unlimited in duration and may be terminated subject to a notice period of three months to the end of the one-year service period.

Revocation and re-issue

A certificate revocation (withdrawal) followed by a subsequent re-issue (e.g. employee change) only constitutes the acquisition of a single certificate.

Revocation – contract termination

At the end of the contract, those certificates which are still valid are withdrawn – either by you yourself or our Support team. Please contact us in this regard by sending an e-mail to contracts@swisssign.com or calling +41 848 77 66 55.

SwissSign maintains a general directory of all issued certificates (LDAP) on www.swisssign.net. This directory is public and comparable to a phone book. For encrypted e-mail communication, in particular, this makes sense as it allows for your communication partner to encrypt the messages it sends to you using the public key contained within the certificate.

The public directory can also be directly integrated into the e-mail programmes through the entry of parameters, making it possible to perform the encryption within the e-mail programmes through the automated retrieval of certificates.

If you would not like your certificates to be listed in the directory, select the "I do not want to publish my certificates" button. You can also subsequently change this setting subject to a fee of CHF/EURO/USD 250. However, the setting will not be applied retroactively to previously issued certificates.

Silver certificate

Silver-level certificates are shown as domain-validated certificates. The certificate shows the domain (SSL) or the e-mail-address (personal). An organisation entry is optional on personal certificates only. The Silver cerftificate allows encryption and signature, but no authentication.

Gold certificate

Gold-level certificates are shown as organisation-validated or person-validated. The certificate contains an organisation entry and, in the case of e-mail (S/MIME) certificates, a person entry. This means that encryption, signature and authentication are possible for e-mail certificates. 

SSL Gold EV certificate

Issues of SSL Gold EV certificates for you company is simply possible within the framework of the Managed PKI. These are organisation-validated and are indicated by a green bar in the browser.

Entry of independent subsidiaries

You can also issue certificates for affiliated subsidiaries, for example. For Gold certificates with an organisation entry, please note that authorisation for the use of the organisation name in the certificate must have been granted. Furthermore, all organisations must complete and sign the Declaration of Consent and Terms of Certificate Use (each with the same access managers).

The operator certificate is valid for three years.