Onboarding Checklist

Common Hints

Registration Process: Process

It is highly recommended:

  • to use certificates issued from a public CA which follows the CAB Forum Rules
  • not to reuse any certificates across the different staging environments

Links to the Environments

Test Environment

For a successful connection to the gateway there are several steps to prepare:

  1. Certificates must be prepared for Test Environment (self-signed allowed)
    • Authentication: NBTLS
    • Upload: NBUP
    • CSCA(s): NBCSCA
  2. Send the Public Keys in PEM Format to the contact of the Test Operator (functional mailbox)
  3. After Onboarding in the Test Environment, check the connectivity with the following command:
    curl -vvv -H "Accept: */*" --resolve ****.ec.europa.eu:443 --cert "auth_de.pem" --key "key.pem" https://****.ec.europa.eu/trustList
    You should see an output like:
    TrustListOutput
  4. Test the other Trustlist routes in the same style (e.g. with DSC/CSCA/Upload/Authentication...)
  5. Create a Document Signer Certificate (DSC) and sign it with the CSCA
  6. Create a CMS package with the following commands:
    openssl x509 -outform der -in cert.pem -out cert.der
    openssl cms -sign -nodetach -in cert.der -signer signing.crt -inkey signing.key -out signed.der -outform DER -binary
    openssl base64 -in signed.der -out cms.b64 -e -A 

Note: cert.der is your DSC, signing.crt is the Uploader Certificate.

  7. Upload the CMS Package to the Gateway
    curl -v -X POST -H "Content-Type: application/cms" --cert auth_de.pem --key key.pem --data @cms.b64 https://****.ec.europa.eu/signerCertificate
  8. Download the Trustlist again, and check if your DSC is available.
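
A local check to run on the CMS package before the upload step, as an added example that is not part of the original checklist or the gateway project: it confirms that the DSC chains to the CSCA, that cms.b64 decodes, that the signature verifies against the Uploader Certificate, and that the signed payload is exactly the DER-encoded DSC. The function name verify_cms_package and the file name csca.pem are assumptions; the other file names follow the checklist.

```shell
# Added example, not part of the original checklist.
# Usage: verify_cms_package cert.pem signing.crt csca.pem cms.b64
#   (csca.pem is an assumed file name for the CSCA certificate)
# Returns 0 if the package is consistent, otherwise the code of the failed check.
verify_cms_package() {
    dsc_pem=$1 upload_crt=$2 csca_pem=$3 cms_b64=$4
    tmp=$(mktemp -d) || return 1
    rc=0

    # Code 2: the DSC must have been signed by the CSCA.
    if ! openssl verify -CAfile "$csca_pem" "$dsc_pem" >/dev/null 2>&1; then
        echo "DSC does not chain to the CSCA" >&2; rc=2

    # Code 3: the base64 text must decode (-A: single line, as the checklist writes it).
    elif ! openssl base64 -d -A -in "$cms_b64" -out "$tmp/signed.der" 2>/dev/null \
            || [ ! -s "$tmp/signed.der" ]; then
        echo "CMS file is not valid single-line base64" >&2; rc=3

    # Code 4: the signature must verify against the given Uploader Certificate.
    # -nointern ignores the certificate embedded in the CMS, so a package signed
    # with a different key cannot pass by carrying its own certificate.
    # -noverify skips chain validation of the signer, because self-signed
    # certificates are allowed in the Test Environment.
    elif ! openssl cms -verify -inform DER -in "$tmp/signed.der" -binary \
            -noverify -nointern -certfile "$upload_crt" \
            -out "$tmp/payload.der" >/dev/null 2>&1; then
        echo "CMS signature does not match the Uploader Certificate" >&2; rc=4

    # Code 5: the signed payload must be byte-identical to the DER-encoded DSC.
    elif ! openssl x509 -outform der -in "$dsc_pem" -out "$tmp/cert.der" 2>/dev/null \
            || ! cmp -s "$tmp/cert.der" "$tmp/payload.der"; then
        echo "CMS payload is not the expected DSC" >&2; rc=5
    fi

    rm -rf "$tmp"
    return "$rc"
}
```
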

Note: Some versions of curl don't attach the client certificates automatically. This can be checked via curl --version. Ensure that the version used is linked to OpenSSL, especially under Windows (https://curl.se/windows/):

OpenSSL Test Example (working)

Working Setup

WinSSL Test Example (Not working)

Non Working Setup

Acceptance Environment

  1. Order/Generate your certificates according to the defined requirements in Certificate Governance:
  2. Transfer the certificates via circABC to the Secretariat
  3. After the certificate whitelisting, test the functionality again with your backend (E2E)

Production Environment

  1. Push the certificates together with your application for going live over circABC to the Secretariat (TBD)
  2. Connect your production setup