A data security specialist by Swiss Post

2.1. A brief guide to setting up Managed PKI

This guide describes the individual steps required to set up your recently acquired MPKI. These introductory steps are suitable for CMC interface users as well as MPKI customers who use our web interface.

Make sure you have the login details

Make sure that you have access to the passwords we sent. You will have received them in a one-way encrypted email from the service IncaMail.

Logging into the account

  1. Open the page https://swisssign.net. You should find the following login options:
  2. Enter the username for the account created by SwissSign. You can find the account name and password in the email we sent you.
  3. Click on the ‘Register’ button. You should be able to see the following:

You should be able to see the account name in the areas that are green.

Download and install the access certificate

When you’re logged into your account, you can now search for and download your access certificate.

  1. As only the access certificates are stored in your account during the setup, you can click on ‘Search’ without selecting any other settings. This search process takes a few seconds. All access certificates should then be displayed.
  2. For your certificate, click on ‘Download/Attribute’ to the left. You will be able to download the access certificate on the following page, using the sections below to help you:

The downloaded access certificate now needs to be installed.

  1. Open your download folder and look for the certificate you just downloaded. Install the certificate in the certificate manager with your own certificates (standard storage location).

Logging in with the certificate

You now have access to your MPKI with the installed access certificate.

  1. Open the website https://ra.swisssign.net/. Unless you have special settings, the website should ask for permission to access your stored certificate as a login. It looks like this:

Your stored certificate will be shown in green. If this is not the case, the certificate is not stored in the correct place. If the window for the certificate request does not appear at all, something is stopping the process from working (firewall, personal settings, etc.).

If the certificate is displayed, select it and confirm the selection. You should now be successfully logged into the MPKI with the access certificate. You can see whether this has worked by looking at the left-hand side where more menu items are displayed and your name or your company’s name is shown below ‘Login with certificate’.

Valid domains

As a final step, the related domains still have to be validated before you can issue certificates. The aim of this process is to prove that you are the owner of those domains.

It should be noted that email and SSL validations have to be carried out separately. Select the RA and continue by clicking ‘Next’.

An automatic domain check can be started here for your Managed PKI domains. Please enter the domain in the respective field and click ‘Start’.

The system will generate a random value for each domain that, for the domain to be checked, should be inserted in a TXT entry for the domain’s DNS record: swisssign-check=<random value>.

The system automatically checks the entry. This check must be successfully completed within 30 days. After a successful check has been carried out, the domain is added to your Managed PKI and you can use the domain as soon as it appears in the list under ‘Domains’.

Please enter the new random value as described above. Depending on your TTL (Time to Live), the domain validation can be done with just one click.

If this is not the case, make sure that:

  1. The random value was stored correctly.
  2. No redirecting is active.
  3. There is no CAA entry that inhibits SwissSign certificates.

Several attempts can be made to check a domain again once the selected TTL has expired.

You can also use a DNS checker to manually check whether the stored entry is visible in advance.
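The two things the automatic check looks at, the swisssign-check TXT record and the domain's CAA policy, can be reproduced offline before you press ‘Start’. The script below is an added example and is not SwissSign's own tooling: it takes record strings in the form `dig +short TXT <domain>` and `dig +short CAA <domain>` print them, checks that the exact `swisssign-check=<random value>` entry is present, lists any stale tokens left over from earlier attempts, and evaluates the CAA record set the way RFC 8659 describes (climbing from the name toward the root, then matching the CA's issuer domain). The sample zone is constructed, and the CAA issuer domain `swisssign.com` used for SwissSign is an assumption to confirm against the CA's published CAA identifier.

```python
"""Offline pre-check for SwissSign MPKI domain validation (added example).

Inputs mirror `dig +short TXT example.com` / `dig +short CAA example.com`
output; the SAMPLE_ZONE below is constructed for demonstration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

TXT_PREFIX = "swisssign-check="

# Assumption: the issuer-domain-name SwissSign expects in CAA "issue"
# records. Verify against the CA's published CAA identifier.
CA_ISSUER_DOMAIN = "swisssign.com"


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_dig_txt(lines: Iterable[str]) -> List[str]:
    """Join the quoted character-strings of each `dig +short TXT` line.

    Values longer than 255 bytes are split into several quoted chunks that
    belong to one record; escaped quotes inside values are not handled.
    """
    values = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        chunks, i = [], 0
        while i < len(line):
            if line[i] == '"':
                j = line.index('"', i + 1)
                chunks.append(line[i + 1:j])
                i = j + 1
            else:
                i += 1
        values.append("".join(chunks))
    return values


def parse_dig_caa(lines: Iterable[str]) -> List[CAARecord]:
    """Parse `dig +short CAA` lines such as: 0 issue "swisssign.com"."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        flags, tag, value = line.split(" ", 2)
        records.append(CAARecord(int(flags), tag.lower(), value.strip().strip('"')))
    return records


def txt_record_matches(txt_values: Iterable[str], expected_token: str) -> bool:
    """Exact match only: whitespace or an old token does not count."""
    return any(v.strip() == TXT_PREFIX + expected_token for v in txt_values)


def stale_tokens(txt_values: Iterable[str], expected_token: str) -> List[str]:
    """swisssign-check values present that are NOT the current token."""
    found = [v.strip()[len(TXT_PREFIX):] for v in txt_values
             if v.strip().startswith(TXT_PREFIX)]
    return [t for t in found if t != expected_token]


def find_caa_set(zone: Dict[str, dict], fqdn: str) -> List[CAARecord]:
    """RFC 8659 s3: the first name from fqdn up to the root with CAA records
    is the relevant set; an empty list means CAA does not apply."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        lines = zone.get(".".join(labels[i:]), {}).get("CAA", [])
        if lines:
            return parse_dig_caa(lines)
    return []


def caa_permits(records: List[CAARecord], issuer_domain: str, wildcard: bool = False) -> bool:
    """Is issuance by issuer_domain allowed under this CAA record set?

    For wildcard names "issuewild" records take precedence when present.
    The value ";" (no issuer) therefore denies everyone.
    """
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in records) else "issue"
    relevant = [r for r in records if r.tag == tag]
    if not relevant:
        return True  # no issue property in the set: not restricted
    return any(r.value.split(";", 1)[0].strip().lower() == issuer_domain.lower()
               for r in relevant)


def check_domain(zone: Dict[str, dict], domain: str, expected_token: str) -> dict:
    """Report what the automatic check would see for one domain."""
    txt = parse_dig_txt(zone.get(domain, {}).get("TXT", []))
    return {
        "txt_ok": txt_record_matches(txt, expected_token),
        "stale_tokens": stale_tokens(txt, expected_token),
        "caa_ok": caa_permits(find_caa_set(zone, domain), CA_ISSUER_DOMAIN),
    }


# Constructed sample zone in `dig +short` form (not real DNS data).
SAMPLE_ZONE = {
    "example.com": {
        "TXT": ['"v=spf1 -all"', '"swisssign-check=a1b2c3d4e5f6"'],
        "CAA": ['0 issue "swisssign.com"', '0 iodef "mailto:security@example.com"'],
    },
    "mail.example.com": {"TXT": ['"swisssign-check=OLD0000000000"'], "CAA": []},
    "locked.example.com": {"TXT": [], "CAA": ['0 issue ";"']},
}

if __name__ == "__main__":
    for name in SAMPLE_ZONE:
        print(name, check_domain(SAMPLE_ZONE, name, "a1b2c3d4e5f6"))
```

Run it against your own zone by replacing the sample lists with the output of the two `dig +short` queries; a stale token or a `caa_ok` of False explains most failed checks before the TTL has even expired.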

If the domain has been successfully validated (status: success), your MPKI has now been set up successfully.

Customers who use a CMC interface can now store the downloaded access certificate with the password in the appliance.

Customers who use our web interface can now create a certificate via ‘New’.

More about this in our guide: