Page History

Decide the following:

• How to deal with the OTP tokens
• End user impact
• Information to end users
• How to deal with logs and how/who to archive (admin logs for certificates)

Note that the TSP/Bank is responsible for handling the end user certificates through the whole process, including revoke of old certificates.

TSP or Bank

• The TSP/Bank describes the change
• Send email to Andreas.Havsberg@bits.no and to Torgeir.Sorvik@bits.no for approval

3) Formal order to BankID

The respective TSP or Bank have to create and send a formal order to BankID as an electronically signed document, signed by TSP or Bank.

This order should contain:

New RA:

• Detailed information about the CA
• Approval from BITS (from step 2)

Move or merger of RA:

• The purpose of the move or merger of the mentioned RA
• Detailed move or merger from and to what CA
• Approval from BITS (from step 2)

Sign it electronically and send it by email to marita.gustavsen@bidbax.no with cc lise.aas@bidbax.no and lam.van.ngo@bidbax.nocreate a ticket here with the signed document attached.

The respective TSP or Bank have to fill out required order forms and send it to BankID signed before or during the RA ceremony.

A copy must be sent before the RA ceremony.

• TSP/Bank fills out the required order form.
• Send a copy before the RA ceremony by email to marita.gustavsen@bidbax.no with cc lise.aas@bidbax.no and lam.van.ngo@bidbax.nocreating a ticket here.

Order form templates can be found here: Misc forms for BankID Support

Primary CAO token "Dongle" is normally stored in a safe at the respective TSP (CA responsible).

The respective Key Custodian for the TSP is responsible to carry and bring the RA XML request and the Primary CAO token "dongle" to the RA ceremony.

• Create an RA XML request on the TSP system, for example through HAT tool.
• Make sure that the USB stick is new and unused
• Make sure that the Key Custodian have approved identification such as a passport or driver license (if the Key Custodian is a non-Norwegian citizen, they must bring their passport)

BankID will ensure that everything is in place and coordinate the ceremony and switchover with all stakeholders.

Check that the following is in place:

•  BITS approval - If not provided by the TSP or Bank, contact BITS and verify
•  Formal order received
•  Signed order forms
  •  Signed - Naming of RA (Required)
  •  Signed - Revoke RA XML Request (Optional)
•  TSPs Primary CAO token
•  TSPs/Bank RA XML Request

If all is in place, all stakeholders align and agree on date and time for the following:

•  1. RA ceremony
•  2. Activation of New RA XML Sign Certificate
•  3. Switchover 
•  4. Revoke RA XML (Optional)

Normally step 2, 3 and 4 happens within the same 24h.

BankID will send out a meeting invite for the ceremony and the switchover.

Create and send out the invitation to all stakeholders.

The invitation should contain, but not limited to:

• Purpose and description
• Date
• Time
• Duration
• Virtual Meeting Link or Address
• Attendees and contact points
• Information on what to bring

TSP/Bank need to send a request to BankID

• Write a request for activation of New RA XML Sign certificate(s) in BankID COI.
• The request needs to contain the following:
  • Time for the activation
  • Which originator(s) to activate
  • Which CA it concerns
• Send it by email to marita.gustavsen@bidbax.no with cc lise.aas@bidbax.no and lam.van.ngo@bidbax.noCreate a ticket here

BankID will coordinate with the required resources.

If not already set, agree on the date and time for:

•  1. Activation of New RA XML Sign Certificate
•  2. Switchover 
•  3. Revoke RA XML (Optional)

Normally happens within the same 24h.

BankID is to activate the new certificates.

This is normally done during the same day as the Switchover.

Activate the new RA XML Sign certificate(s) in BankID COI.

Performed by AO with PKI involved.

TSP/Bank needs to check that the new activated certificate is working towards ODS. 

Check that the new certificate have access to display the existing certificates on the old CA.

Plan and implement the switchover and revoke.

1. TSP/Bank: Write a request for switchover issuing CA in BankID COI from old to New CA. Include the time wanted for this. Send by email to marita.gustavsen@bidbax.no with cc lise.aas@bidbax.no and lam.van.ngo@bidbax.noCreate a ticket here
2. BankID:
   1. Do the switchover
   2. Those who perform the switchover will inform the TSP/Bank by phone when it has been done
3. TSP/Bank: Run test case sets to verify
   1. TSP/Bank: If successful, move to the next step
   2. BankID: If unsuccessful, investigate and resolve then move to next step
   3. BankID: if unsuccessful, not possible to fix, do a rollback
      • Bank/TSP: When rollback is done, run test case sets to verify
4. (optional. If not done, the certificate will be active on the old CA until it expires) Bank/TSP: Send an order for revoke of old RA XML Sign certificate in BankID COI by email to marita.gustavsen@bidbax.no with cc lise.aas@bidbax.no and lam.van.ngo@bidbax.noby creating a ticket here
5. (optional) BankID: Revoke the old certificate

Order form templates can be found here: Misc forms for BankID Support

Renewals of end users, merchants etc.

As decided in step 1.

1. Bank renew end user BankID certificates
2. Bank asks merchants to renew merchant BankID's using HAT
3. Possible change of OTP Service by adding a new and then removing the old

This is best done outside of peak hours to reduce the risk of latencies.