
Solution ID : SO20573

EV - Symantec Code Signing and Certificate Pickup

Solution

This solution explains how to process EV Code Signing orders, the certificate pickup options, and the procedure before and after issuance of the certificate.

Contents:
Policy
Validation of EV Code Signing orders
Validation for Trust Asia and iTrusChina enrollments from China
Certificate pickup options (USB token or HSM device)
Hardware Security Module (HSM) procedure
Post issuance
Token shipment procedure
Token shipment (MSFT Team)
MPKI procedure

 



Policy:

  • Tokens cannot be shipped to Argentina, China, or any embargoed country
  • If USB token was selected as the certificate pickup option, the technical contact’s physical address cannot be a P.O. Box

 



Validation of EV Code Signing orders:

  • Use standard SSL EV procedures (SO21939)
  • No domain authentication required
  • The technical contact (TC) information on the order must be updated to English, per Export and Shipping, in order for the customer to receive the token.
  • Payment method cannot be changed after enrollment (the customer must re-enroll if payment needs to be updated)
  • If USB token was selected as the pickup option and the technical contact is located in Argentina or China, the order must be rejected with the following note to the organization contact: “You have requested a hardware token to be shipped to a country that is currently blocked for allowing the importation of cryptographic devices, such as Argentina or China”

 



Validation for Trust Asia and iTrusChina enrollments from China:

  1. The technical contact must be an employee of the enrolling organization
  2. Trust Asia or iTrusChina must be listed in the billing contact field within the order
  3. Trust Asia and iTrusChina enroll through a specific Partner URL and are not required to select a pickup option (the pickup option and username fields will be left blank)
  4. A comment must be placed in the audit trail: “Token Shipment is Not Required”
  5. Before issuing the certificate:
    a. Send an email to Token Support: cs-orders@symantec.com (internal use only)
    b. Enter the following in the subject line: “Not Sending Token on EV CS Order# XXXXXX”
     

Certificate pickup options (customer has four options during enrollment):

Once the pickup option is selected, it cannot be changed by an analyst or the customer (the customer must re-enroll).

  1. New USB token: see the Token shipment procedure below
  2. Existing USB token: Customer can reuse existing tokens (for example, when renewing an order)
  3. Hardware Security Module (HSM): Customer would have to purchase the device on their own (see the HSM procedure below)
  4. I don’t know: If selected during enrollment, the customer must select one of the three options above before we can proceed with the verification call

A pickup option must be selected before issuance. Other than during enrollment, customers can select a pickup option in their account (with the exception of Trust Asia and iTrusChina orders: see above).
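The intake rules from the Policy, Validation and Certificate pickup options sections above, written out as one pre-verification check. This is an added example, not part of the original solution article and not MMAVIS code: the EVCodeSigningOrder fields, the pickup option codes ("new_token", "existing_token", "hsm", "unknown") and the ISO country codes are this example's own conventions, and the sample orders are constructed.

```python
"""Intake checks for an EV Code Signing order before the verification call.

Added example, not part of the original article or of MMAVIS. Encodes: no token
shipment to Argentina, China or an embargoed country; no P.O. Box address for a
USB token shipment; a pickup option must be chosen; a CSR and a FIPS-confirmed
device for HSM pickup; partner enrollments from Trust Asia and iTrusChina need
no pickup option and get the audit-trail comment.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Argentina and China are named on the page; further embargoed countries would be
# added here. ISO 3166-1 alpha-2 codes are this example's convention (assumption).
BLOCKED_TOKEN_DESTINATIONS = {"AR", "CN"}
PARTNER_BILLING_CONTACTS = {"Trust Asia", "iTrusChina"}
# Common spellings of a post-office box address.
PO_BOX_RE = re.compile(r"\b(?:p\.?\s*o\.?\s*box|post\s+office\s+box)\b", re.IGNORECASE)

# Rejection note quoted in the Validation section.
REJECTION_NOTE = (
    "You have requested a hardware token to be shipped to a country that is "
    "currently blocked for allowing the importation of cryptographic devices, "
    "such as Argentina or China"
)


@dataclass
class EVCodeSigningOrder:
    order_number: str
    tech_contact_country: str            # alpha-2 code of the technical contact's address
    tech_contact_address: str
    pickup_option: Optional[str] = None  # "new_token", "existing_token", "hsm", "unknown" or None
    billing_contact: str = ""
    tech_contact_is_employee: bool = True
    csr_submitted: bool = False
    hsm_fips_confirmed: bool = False


def intake_review(order: EVCodeSigningOrder) -> dict:
    """Return status "ok", "hold" (something must be completed first) or "reject",
    with the reasons and any audit-trail comment to add."""
    result = {"status": "ok", "reasons": [], "audit_notes": []}

    def hold(reason: str) -> None:
        if result["status"] != "reject":
            result["status"] = "hold"
        result["reasons"].append(reason)

    # Partner URL enrollments: no pickup option and no token shipment.
    if order.billing_contact in PARTNER_BILLING_CONTACTS:
        if not order.tech_contact_is_employee:
            hold("technical contact must be an employee of the enrolling organization")
        result["audit_notes"].append("Token Shipment is Not Required")
        return result

    if order.pickup_option in (None, "unknown"):
        hold("a pickup option must be selected before the verification call")
        return result

    if order.pickup_option == "new_token":
        # The page states the embargo rule for "USB token"; this example applies it
        # to the new-token option, the one that triggers a shipment (assumption).
        if order.tech_contact_country.upper() in BLOCKED_TOKEN_DESTINATIONS:
            result["status"] = "reject"
            result["reasons"].append(REJECTION_NOTE)
        if PO_BOX_RE.search(order.tech_contact_address):
            hold("technical contact address cannot be a P.O. Box for a USB token shipment")
    elif order.pickup_option == "hsm":
        if not order.csr_submitted:
            hold("a CSR is required when HSM is selected")
        if not order.hsm_fips_confirmed:
            hold("HSM make/model/firmware must be confirmed FIPS 140-2 compliant")
    elif order.pickup_option != "existing_token":
        hold(f"unrecognized pickup option {order.pickup_option!r}")
    return result


if __name__ == "__main__":
    # Constructed sample orders, not real customer data.
    samples = [
        EVCodeSigningOrder("1001", "CN", "1 Sample Road, Beijing", pickup_option="new_token"),
        EVCodeSigningOrder("1002", "US", "P.O. Box 99, Mountain View, CA", pickup_option="new_token"),
        EVCodeSigningOrder("1003", "CN", "2 Sample Road, Shanghai", billing_contact="iTrusChina"),
        EVCodeSigningOrder("1004", "US", "123 Main St, Lehi, UT", pickup_option="hsm"),
    ]
    for o in samples:
        print(o.order_number, intake_review(o))
```

The review returns "hold" rather than "reject" for anything the customer can still fix in their account (missing pickup option, missing CSR, P.O. Box address), and "reject" only for the embargo case, where the page requires re-enrollment with a different destination.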

 



Hardware Security Module (HSM) procedure:

  • The HSM device is required to be FIPS 140-2 compliant
  • The customer is required to submit a CSR when HSM is selected
  • During enrollment, the customer is asked to verify whether their device is FIPS 140-2 compliant
  • The customer can choose Yes or No

If Yes (customer update steps; see “If No” below if No was selected):

1. The customer verifies the HSM is FIPS compliant and selects:

a. HSM make from a drop-down menu
b. HSM model, and
c. Firmware version

If the HSM make is not listed, the customer can choose “Other” in the drop-down menu and fill in their own HSM device name, then submit the CSR.

Screenshot example of customer enrollment:


2. Once the HSM agreement has been completed, the HSM make, model and firmware version are displayed in MMAVIS. Analysts are required to check the HSM device to see whether it is FIPS 140-2 compliant.
Check the device on the NIST website (Cryptographic Module Validation Program validated modules search)

To confirm compliance:
a. Enter the HSM Make (Vendor) and HSM Model (Module Name) in the search form
b. In the search results, select a certificate that shows a status of Active or Historical
c. Confirm the following:
        1. Module Name matches HSM Model in MMAVIS
        2. Standard is FIPS 140-2
        3. Status is Active or Historical
        4. Overall Level is 2 or higher
        5. Module Type is Hardware
        6. Firmware Versions contains the HSM Firmware in MMAVIS
        7. Vendor matches the HSM Make in MMAVIS
d. If the make, model or firmware does not match, contact the customer to confirm the correct HSM information



3. Once the device is confirmed compliant, select the FIPS Compliant checkbox and click Update. Note in the audit trail that you checked and confirmed the HSM make/model/firmware is FIPS compliant.

MMAVIS HSM review:

  • We cannot add the HSM make/model/firmware for the customer initially (we can only edit what they input)
  • The HSM make, model, and firmware fields are editable once entered by the customer through their Symantec Trust Center (STC) account

If No:

  1. If the customer chooses No, knowing they’re using an HSM device but unsure of the device specifications:
    a. The customer will need to input this information through their Symantec Trust Center (STC) account and confirm their device is FIPS compliant.

  2. Check the Pickup Information section in MMAVIS:

a. If the order shows Pickup Choice as HSM and the make, model, and firmware are blank, send the “Send HSM Agreement Reminder” email from MMAVIS
b. This email is sent to the technical contact
c. Leave the corresponding status comment for HSM and select Need More Info for Org Auth, as this needs to be completed before the verification call is made and is considered part of the authentication step
d. The HSM agreement is confirmed once the customer inputs the HSM information through the Symantec Trust Center (STC) account


Pending and reminders:

  • The HSM Reminder email links the customer to the HSM agreement page (to fill out make, model and firmware and confirm the device is FIPS compliant) and to their corresponding order number.
  • The EV CS HSM Pending checkbox on the MMAVIS search page displays a queue of orders that are waiting for customers to choose their pickup option or confirm their HSM device is FIPS compliant.




 

Post issuance:

  • Once issued, the order status immediately goes to Approved (CSR Pending)
  • The certificate start date reverts to the enrollment date, not the date we issued it
  • The actual validity date will begin on the date the token is received and the certificate installed

Example:
Enrollment date is 01/01/2015 and the certificate is issued on 01/02/2015: the status changes to Approved (CSR Pending) while the certificate start date will be 01/02/2015. The customer receives the token and installs the certificate on 01/06/2015. The validity date will change to 01/06/2015.

 


Token shipment procedure:

  1. An email is sent to the Microsoft Authentication team within 24 hours of issuance.
  2. If a new token is required, the Microsoft team will ship to the technical contact’s address:
    a. Domestic shipment: FedEx Next Day
    b. International shipment: FedEx International (3-5 business days; no overnight shipment option)
  3. For shipment status, check the audit trail comments to find the date the token was sent and the tracking number.


Token Support: 

  • Email: cs-orders@symantec.com (internal use only). These are handled by Jennifer Schneider; back-up analysts: Khanh Dang and Blanca Chaidez.
  • Escalations: Brad Tsutsui and Jennifer Schneider


 


 

Token shipment (MSFT Team):

All EV request emails come through Moxie.

1. Track the Request: The agent processing the email must enter the following information in the EV_ACS_Android Requests spreadsheet located in Box.

  • Date of Request
  • MMAVIS Order Number
  • Technical Contact Name
  • Product Type
  • Requester Country Code
  • Initials of Vetter & Issuing Agent
  • Notes (pending commercial invoice, pending tracking, tracking number)
     

2. Send the EV Code Signing - Shipment of Hardware Token email from Salesforce
3. Save the shipping label in the Token Invoices folder in Box
4. Ship the Token

 

Domestic Shipments:

FedEx log-in page: https://www.fedex.com/en-us/home.html

Log-In Credentials:
dcmtvship, MTVshipping12
DG EIN: 41-2089542

Step 1: Click “Create a Shipment” from the Shipping tab.

Step 2: Fill out all sections; see below for all required details (some details will be auto-populated):

1. From: Update Contact Name and Phone Number fields to yourself
2. To:

  • United States is defaulted
  • Enter details into all fields:
    1. Company
    2. Contact Name
    3. Address 1/2
    4. Postal Code
    5. City (the city should auto-populate when the zip code is entered)
    6. Phone no.

3. Package & Shipment Details:

  • Ship Date should be preset to same day.
  • No. of Packages: 1
  • Weight: 1 lbs.
  • Declared Value: 21 US Dollars
  • Service Type: Standard Overnight
  • Package Type: FedEx Envelope

4. Billing Details:

  • Bill transportation to: My Account – 730-730
  • Your Reference: (order number) 

Pickup/Drop-off: Tick “Use an already scheduled pickup at my location”

5. Complete your Shipment: click Ship

Step 3: The next page will be the label; print it.

International Shipments:

Step 1: Use the log-in credentials above to gain access.

Step 2: Fill out all the sections; see below for all required details (some details will be auto-populated):

  1. From: Update Contact Name and Phone No. fields to yourself
  2. To:
    • Pick the receiver's country from the drop-down menu
    • Enter details into all fields:
      • Company
      • Contact Name
      • Address 1/2
      • Postal Code
      • City (the city should auto-populate when the zip code is entered)
      • Phone no.
  3. Package & Shipment Details:
    • Ship Date should be preset to same day.
    • No. of Packages: 1
    • Weight: 1 lbs.
    • Declared Value: 21 US Dollars
    • Service Type: International Priority
    • FedEx Envelope
    • Package Type: tick Products/Commodities
    • Total customs value: 21 US Dollars
  4. Billing Details:
    • Bill transportation to: My Account – 730-730
    • Bill duties/taxes/fees to: My Account – 730-730
    • Your Reference: (order number)
  5. Pickup/Drop-off:
    • Tick: Use an already scheduled pickup at my location
  6. Continue your Shipment: Continue
  7. Commodity Information:
    • In the “Select or create” drop-down, choose “Safenet Token”
    • Commodity 1 will appear; update and ensure details are correct (some are auto-populated):
      • Commodity description: Safenet Token 5110
      • Unit of measure: pieces
      • Quantity: 1
      • Commodity weight: 1.0 As totals lbs
      • Customs value: 21.00 As totals USD
      • Country of manufacture: China
      • Click “Add this commodity”
  8. Customs Documentation:
    • Tick: Commercial Invoice
    • Optional ticks: Use company letterhead on file & Use company signature on file (Note: company letterhead is already uploaded)
    • Terms of sale: Delivered Duty Paid
  9. Electronic Export Information: Not required
  10. Pickup/Drop-off: Ensure details are correct from Step 4
  11. Complete your Shipment: Click Ship

Step 3: The next page will be the label and commercial invoices. Please make sure both “Label” and “Commercial Invoice” (3 copies) are ticked so that all required documents are printed.

Step 4: On all copies of the Commercial Invoice, manually write in DigiCert’s EIN where indicated: 41-2089542, and sign at the bottom (unless using the signature on file). No title or written date is required.

Shipments to Brazil:
Any tokens being shipped should include the organization’s CNPJ number in the commercial invoice request.

 

5. Respond to the customer’s email: the response should state "We have received your request for an EV Identity token. Your FedEx tracking number is XXXXXXXXXX"

6. Note the EV_ACS_Android sheet: Once shipment tracking information has been received, enter the shipping tracking number, date shipped, and your initials on the EV Requests spreadsheet and in the audit trail for the order in MMAVIS.

7. Save and upload the shipping label to the Token Invoices folder in Box


 



MPKI procedure:

Validation procedure:

If the organization is already EV enabled, but we do not have a shipping address confirmed in audit trail or Acknowledgement of Agreement letter completed for EV SSL and EV Code Signing (confirmed in audit trail by authentication), complete a new verification call.

Confirm the following:
a. Organization contact's name
b. Quantity (should match order fulfillment email)
c. Street address
d. City, state, country
e. Email
f. Phone number

 

Payment and Token procedure:

  1. Receive order fulfillment email with EV Code Signing units
  2. Determine if customer is using unit consumption model or subscription model:
    a. Item Description will show “Enterprise High Volume Pricing” to indicate subscription model. Authentication loads 9,999 units into the account, however, number of tokens shipped to customer should match the quantity listed in the order fulfillment email.
    b. For unit consumption model, Authentication loads the same quantity of units and ships the same quantity of tokens listed in order fulfillment email.
  3. Send MPKI for SSL EV - EV Code Signing Token Shipment email from Salesforce to the Microsoft team at cs-orders@symantec.com
  4. Fill out all required information
  5. Microsoft team will ship tokens to confirmed address
  6. Microsoft team documents all tracking details in Box. If customer calls for tracking information, please locate details in Box


 

Token shipment (MSFT Team):

  1. Receive email from Enterprise Authentication: MPKI for SSL EV Code Signing order approved: Please Ship Token (Email will include all required information for shipment)
  2. Track the request in Box

    For MSSL orders, please use the following format:
    a. Order Number: MSSL
    b. Contact Name: O and OU provided in email (Example: Symantec Corp - IT Department)
     
  3. Follow the standard domestic and/or international requirements above
  4. Ship the token
  5. Send confirmation email to customer: MPKI for SSL EV – EV Code Signing Shipment of Hardware Token

    a. Fill out Carrier Name in email
    b. Token requests for internal orders can be sent via inter-office (Confirm with the contact if token is needed)



CSR Based EV Code Signing Feature (HSM Validation):

  1. CSR Based EV Code Signing can only be enabled after we have received EV Code Signing-IT Audit.docx document from customer and have validated their device is at least FIPS 140-2, level 2 compliant through NIST website.
  2. To confirm compliance:
    a. Enter the HSM Make (Vendor) and HSM Model (Module Name) in the search form
    b. In the search results, select a certificate that shows a status of Active or Historical
    c. Confirm the following:
            1. Module Name matches HSM Model in MMAVIS
            2. Standard is FIPS 140-2
            3. Status is Active or Historical
            4. Overall Level is 2 or higher
            5. Module Type is Hardware
            6. Firmware Versions contains the HSM Firmware in MMAVIS
            7. Vendor matches the HSM Make in MMAVIS
    d. If the make, model or firmware does not match, contact the customer to confirm the correct HSM information
  3. Once we receive signed IT Audit form and device has been validated, enable CSR Based EV Code Signing feature under Custom Features
  4. Note the audit trail with EV Code Signing IT Audit Form details and that you checked and confirmed the HSM make/model/firmware is FIPS compliant.
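The seven confirmation points under “To confirm compliance” (listed in the HSM procedure above and repeated in this CSR Based EV Code Signing section) as one checklist function, together with the audit-trail note the procedure asks the analyst to record. This is an added example and not part of the original article or of MMAVIS: the CMVP record is modelled as a dict keyed by the column names the page cites (Vendor, Module Name, Standard, Status, Overall Level, Module Type, Firmware Versions), and the sample record and HSM entry below are constructed, not a real validation certificate.

```python
"""Match an MMAVIS HSM entry against a NIST CMVP validation record.

Added example, not part of the original article or of MMAVIS. The checklist
follows the page: Module Name, Standard FIPS 140-2, Status Active/Historical,
Overall Level 2 or higher, Module Type Hardware, Firmware Versions containing
the MMAVIS firmware, Vendor matching the MMAVIS make.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class MmavisHsm:
    """HSM make, model and firmware as entered by the customer in MMAVIS."""
    make: str
    model: str
    firmware: str


ACCEPTED_STATUSES = {"active", "historical"}
REQUIRED_STANDARD = "fips 140-2"
REQUIRED_MODULE_TYPE = "hardware"
MIN_OVERALL_LEVEL = 2


def _norm(value: str) -> str:
    """Case- and whitespace-insensitive comparison key."""
    return " ".join(str(value).split()).casefold()


def firmware_listed(firmware_versions: str, firmware: str) -> bool:
    """Firmware Versions is free text such as '7.0.3, 7.2.0 and 7.4.0'. Accept the
    MMAVIS value only as a whole entry, so '7.2' does not pass because of '7.2.0'."""
    tokens = re.split(r"[,;\s]+|\band\b", firmware_versions)
    return _norm(firmware) in {_norm(t) for t in tokens if t}


def fips_findings(hsm: MmavisHsm, record: Dict[str, str]) -> List[str]:
    """Return the checklist points that fail; an empty list means the record
    confirms the device as FIPS 140-2 compliant for this order."""
    findings: List[str] = []
    if _norm(record.get("Module Name", "")) != _norm(hsm.model):
        findings.append(f"Module Name {record.get('Module Name')!r} does not match HSM Model {hsm.model!r}")
    if _norm(record.get("Standard", "")) != REQUIRED_STANDARD:
        findings.append(f"Standard is {record.get('Standard')!r}, not FIPS 140-2")
    if _norm(record.get("Status", "")) not in ACCEPTED_STATUSES:
        findings.append(f"Status is {record.get('Status')!r}, not Active or Historical")
    level_match = re.search(r"\d+", str(record.get("Overall Level", "")))
    level = int(level_match.group()) if level_match else 0
    if level < MIN_OVERALL_LEVEL:
        findings.append(f"Overall Level is {record.get('Overall Level')!r}, below {MIN_OVERALL_LEVEL}")
    if _norm(record.get("Module Type", "")) != REQUIRED_MODULE_TYPE:
        findings.append(f"Module Type is {record.get('Module Type')!r}, not Hardware")
    if not firmware_listed(record.get("Firmware Versions", ""), hsm.firmware):
        findings.append(f"Firmware Versions does not contain HSM Firmware {hsm.firmware!r}")
    if _norm(record.get("Vendor", "")) != _norm(hsm.make):
        findings.append(f"Vendor {record.get('Vendor')!r} does not match HSM Make {hsm.make!r}")
    return findings


def is_fips_compliant(hsm: MmavisHsm, record: Dict[str, str]) -> bool:
    return not fips_findings(hsm, record)


def audit_note(hsm: MmavisHsm, record: Dict[str, str]) -> str:
    """Audit-trail text: the confirmation the procedure asks the analyst to record,
    or the mismatches to raise with the customer."""
    findings = fips_findings(hsm, record)
    if not findings:
        return (f"Checked NIST CMVP: {hsm.make} {hsm.model} firmware {hsm.firmware} validated to "
                f"{record['Standard']} overall level {record['Overall Level']}, status {record['Status']}; "
                f"confirmed HSM make/model/firmware is FIPS compliant.")
    return "HSM information does not match CMVP record; contact customer: " + "; ".join(findings)


# Constructed sample data (not a real CMVP certificate or customer order).
SAMPLE_RECORD = {
    "Vendor": "Example HSM Vendor",
    "Module Name": "Example Crypto Module 7",
    "Standard": "FIPS 140-2",
    "Status": "Active",
    "Overall Level": "3",
    "Module Type": "Hardware",
    "Firmware Versions": "7.0.3, 7.2.0 and 7.4.0",
}
SAMPLE_HSM = MmavisHsm(make="Example HSM Vendor", model="Example Crypto Module 7", firmware="7.2.0")

if __name__ == "__main__":
    print(audit_note(SAMPLE_HSM, SAMPLE_RECORD))
    print(audit_note(MmavisHsm("Example HSM Vendor", "Example Crypto Module 7", "7.2"), SAMPLE_RECORD))
```

The firmware comparison is the point most often missed by eye: a record listing "7.2.0" does not cover a customer entry of "7.2", so the function only accepts a whole-token match and otherwise reports the firmware mismatch for step d.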


 
