How to confirm SWITCHpki Grid User Certificate Requests

This guide is intended for RA operators only and describes the procedure in place to confirm a SWITCHpki Grid User Certificate request.

Note: Requesters should also be made aware of the Short-Lived Certificate Service, for which more information can be found under SLCS.

Accordingly, make sure that Requesters who still want to obtain a long-lived grid user certificate contact us beforehand at grid@switch.ch to explain their use case.

User identity vetting requirements

Users must go through face-to-face registration: they have to appear before you in person with their (still valid) photo ID document. You also have to make sure that they belong to the Organizations you serve as an RA.

As an alternative, Requesters can use the Yellow Identification service (provided by Swiss Post at a cost of 20 CHF), which allows them to send you a validated copy of the identity document (see above).

Note that face-to-face registration is only required at the time of the first certificate request and must be redone every three years (independently of the number of certificate requests), counted from the last face-to-face vetting.

Certificate application submission

  1. Carry out the identity vetting of the Requester, i.e.:

    1. check the ID document
    2. check the organization affiliation, e.g. organization membership card, employment contract or official letter. The following organizations participate in the SWITCHpki.
    3. make sure that the Requester has a valid e-mail address of the home organization
    4. make copies of the ID and organization affiliation documents

    NOTICE: You must keep copies of all the documents presented by the Requesters!
  2. Fill in the following Request Form with the Requester's details, making sure to enter the Requester's first name(s) and last name exactly as they appear on the (still valid) photo ID document (passport, ID card). All given names should be included, taking care to replace ä with a, é with e, etc., and to capitalize only the first letter (i.e. "John Doe", not "John DOE" or similar). You must then sign the Request Form.

  3. Ask the Requester to sign the Request Form.

    If the Yellow Identification service was used, send the Request Form to the Requester via normal post/fax or as a scanned document in an e-mail to the Requester's home organization e-mail address: the Requester must then sign it and send it back to you via normal mail/fax or as a scanned document in an e-mail.

    NOTICE: You must keep copies of all the completed Request Forms (duly signed by you and the Requester) at your home organization.
  4. Send a copy of the completed Request Form together with a copy of the Requester's photo ID document (passport or ID card - for the latter, both front and back, as the expiration date is only printed on the back) to the SWITCHpki RA. The documents can be sent either via normal post/fax or via a signed e-mail (with a certificate issued by the "SWITCH Personal CA" or the "QV Schweiz ICA") to the following address:

    SWITCH

    SWITCHpki RA

    P.O. Box

    CH-8021 Zürich

    Phone +41 44 268 15 15

    Fax +41 44 268 15 09

    E-Mail pki@switch.ch

The SWITCHpki RA will further instruct the Requester on how to proceed.

Certificate renewal/replacement/revocation

As mentioned above, you must carry out the Requester's identity vetting every three years. At any other time, a certificate request can be submitted directly by the Requester without your intervention or involvement.

Should the Requester contact you, e.g. in the event of the Requester's private key having been compromised, please:
  1. contact the SWITCHpki RA to immediately revoke the certificate
  2. tell the Requester to submit a new certificate request.