• Progetti & Gruppi di lavoro
• Calcolo scientifico
  • Argus Authorization
  • Grid Certificates
    • OpenSSL Commands
    • RA procedures
    • Certificates and Cryptography
  • SLCS
  • Support and Downloads
  • Glossary
  • Contatto
• E-Infrastructure for E-Science
• Cloud Computing
• Learning Infrastructure
• E-Identity
• Gruppo di lavoro – ICT Law
• Gruppo di lavoro – Mail
• Gruppo di lavoro – Media
• Gruppo di lavoro – Rete
• Gruppo di lavoro – Aquisti IT
• Gruppo di lavoro – Sicurezza
• Gruppo di lavoro – Storage

SWITCHpki Grid User Certificates

This guide is intended for RA operators only and describes the procedure in place to confirm a SWITCHpki Grid User Certificate request.

Note: Please notice that Requesters should be made aware of the Short-Lived Certificate Service as well, for which more information can be found here SLCS

In this sense you should make sure that those Requesters who still want to obtain a long lived grid user certificate contact us beforehand at grid@switch.ch to explain their use case.

User identity vetting requirements

Users must go through face to face registration: this means that they will have to appear in person to you with their (still valid) photo ID document (notice: the original document, NOT a copy). You must check that the document is still valid and has been issued by a government authority. You must also make sure that they belong to the Organizations you serve as an RA.

As an alternative Requesters can also use the Yellow Identification service (provided by the Swiss post and whose cost is of 20 CHF) which allows them to send to you a validated copy of the identity document (see above).

Notice that face to face registration is only required at the time of the first certificate request and must be redone every three years (independently of the number of certificate requests) from the last face to face vetting.

Certificate application submission

1. Carry out the identity vetting of the Requester i.e.
   1. check the ID document i.e. that the document is still valid and has been issued by a government authority.
   2. check the organization affiliation e.g. organization membership card, employment contract or official letter.
   3. make sure that the Requester has a valid e-mail address of your own organization.
   4. make copies of the ID and organization affiliation documents.
   NOTICE: You must keep copies of all the documents presented by the Requesters. As an alternative, you can send the original copies to SWITCH via normal mail.
2. Fill in the following Request Form with the Requester's details, making sure to enter the Requester's first name(s) and last name exactly as they appear on the (still valid) photo ID document (passport, ID card). All given names must be included, paying attention to replace ä by a, é by e etc., and only capitalize the first letter (i.e. "John Doe", not "John DOE" or similar). You must then sign the Request Form.

3. Ask the Requester to sign the Request Form.
   In case the the Yellow Identification service was used, send to the Requester the Request Form via normal post or as a scanned document in an e-mail to the Requester's home organization e-mail: the Requester must then sign it and send it back to you via normal mail or as a scanned document in an e-mail.
   NOTICE: You must keep copies of all the completed Request Forms (duly signed by you and the Requester) at your home organization.
4. Give the Requester a copy of the Request Form, specifying that the Form is valid for three years, and that the details therein will be used for new certificate requests/certificate renewals: in particular the Passport/Government ID Number apearing in the Form must be kept by the Requester as information that may be needed in the future as well (even if the original document expires in the meantime).
5. Send a copy of the completed Request Form together with a copy of the Requester's photo ID document (passport or ID card - for the latter, both front and back, as the expiration date is only printed on the back) to the SWITCHpki RA. The documents can be sent either via normal post or via e-mail to the following address:
   SWITCH
   SWITCHpki RA
   P.O. Box
   CH-8021 Zürich
   
   Phone +41 44 268 15 15
   E-Mail pki@switch.ch

The SWITCHpki RA will further instruct the Requester on how to proceed.

Certificate Renewal

As mentioned above, you must carry out the Requester's identity vetting every three years.

At any other time, requesters can either

• contact you for a new certificate request: please forward the request to SWITCHpki at pki@switch.ch, and we will take care of it.
• or send an e-mail directly to SWITCHpki at pki@switch.ch .

The Requester will receive an invitation directly from us.

Certificate Revocation

Should the Requester contact you e.g. in the event of the Requester's private key having being compromised please

1. contact the SWITCHpki RA to immediately revoke the certificate
2. tell the Requester to submit a new certificate request.