A digital certificate is an electronic document which conforms to the International Telecommunication Union’s (ITU) X.509 specification. It is a document which typically contains the owner’s name and public key, the expiration date of the public key, the serial number of the certificate, and the name and digital signature of the organization which issued the certificate. The digital certificate binds together the owner’s name and a pair of electronic keys (a public key and a private key) that can be used to encrypt and sign documents.
Encrypting and digitally signing documents using certificates provides the following assurances about document transmissions:
The public key in the FDA’s certificate is used to encrypt a document for transmission. The FDA ESG uses the public key to verify the digital signature of a document received from a specified source.
Before encrypted and signed documents (sent submissions) are exchanged with the FDA ESG, there must be a certificate exchange to obtain the other’s certificate and public key. Each party obtains a certificate with a public-private key pair, either by generating a self-signed certificate or by obtaining a certificate from a Certificate Authority. The private half of the key pair always remains on the party’s computer. The public half is provided to the FDA ESG during the registration process and includes the certificate and public key, or the certificate alone.
There are situations when a valid certificate is not accepted by the registration module and is identified as invalid. If this occurs, zip the certificate file and email it to the FDA ESG administrator at esgreg@gnsi.com. Once received, FDA will assess the certificate and send a response.
The FDA ESG cannot accept certificates with blank data elements in the Issuer or Subject fields. These certificates will cause the FDA ESG to fail due to a defect in the Gateway software. The certificates provided should be valid for at least one year and no more than three years. Note that this requirement applies to both Pre-production (Test) and Production ESG systems.
NOTE: DO NOT SUBMIT CERTIFICATES WITH BLANK DATA FIELDS IN THE ISSUER AND SUBJECT FIELDS
The FDA ESG supports Public Key Infrastructure (PKI) to securely trade submissions over the Internet. PKI is a system of components that use digital certificates and public key cryptography to secure transactions and communications.
PKI uses certificates issued by certificate authorities (CAs) to provide authentication, confidentiality, integrity and non-repudiation of data.
There are two PKI options supported – in-house and outsourced. The option chosen can depend on a number of factors, such as cost, human and system resources, and the degree or sophistication of security desired. PKI establishes digital identities that can be trusted. The CA is the party in a PKI that is responsible for certifying identities. In addition to generating a certificate, this entails verifying the identity of a subscriber according to established policies and procedures. This is the case for in-house and outsourced PKIs.
In an organization that generates and uses its own self-signed certificates, the trading parties must verify the certificates and establish a direct trust. Once established that an identity or issuer of an identity can be trusted, the trust anchor’s certificate is stored in a local trust list. The FDA ESG has a local trust list for storing and managing established trust relationships. The application maintains a list of common public CA certificates similar to those kept in web browsers. Although convenient, this predetermination of trust might not complement every organization’s security policy. The decision of who to trust rests with the individual organization.
An in-house PKI makes it possible to achieve complete control of security policies and procedures. It also carries the burden of management and cost to set up and maintain the system.
FDA recommends using certificates with 3 years validity.
Third-party certificate authorities can be leveraged to purchase X.509 certificates for general use. The CA manages the security policies and details such as certificate revocation. The level of outsourcing can range from purchasing a public key certificate that is valid for 1 year to 3 years from a commercial CA, to outsourcing all of the PKI services that an organization requires.
If you plan to use an outsourced certificate, the following are just a few of the many companies that sell X.509 certificates (displayed in alphabetical order). FDA recommends using certificates with three years validity. Please note that some vendors do not offer a three-year certificate on their website, but you may call them directly to purchase a three-year certificate. Telephone contact information is available on each vendor’s website.
Note: References to commercial products are for illustrative purposes only and do not constitute an official FDA endorsement. If you are a CA and would like to list your URL here, please send the URL linking to your Class 1 Personal Identification certificate (i.e. Secure Email certificate) page to esgpreg@fda.hhs.gov.
The minimum requirement for a digital certificate for use with the FDA Electronic Submissions Gateway is a Class 1 Personal Identification certificate (i.e. Secure Email certificate). The list of digital certificates identified above has been proven to meet the FDA Electronic Submissions Gateway requirements. This list does not represent all digital certificates accepted for use with the FDA Electronic Submissions Gateway; various other certificates with additional functions are accepted as well, but these additional functions, which are outside the FDA ESG requirements, are not necessary.
The CA will send you an email with a PIN and a link to a website where you can import/install the certificate. Accept all defaults and say "yes" to all pop-ups, and your certificate will be installed in your browser. Note that if you are using WebTrader, you do not have to install the certificate on the same machine that you will be using. Once the certificate is installed in the browser, you can export the public and private keys and use them wherever you want. AS2 users will need to install the certificates in their system. Configuring the certificates may differ from sponsor to sponsor depending on what gateway software is being used.
Your public key is ready. This is the key that you should use when registering.
To export the private key (.PFX or .P12)
Your private key is ready. This is the key that you should use when sending submissions.
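The following is an added example, not code from the FDA or the ESG, that ties together two parts of this page: the rule that certificates with blank Subject or Issuer data elements are rejected and must be valid for one to three years, and the export steps that produce a public certificate for registration and a private key (.PFX/.P12) for sending submissions. It generates a self-signed key pair and certificate, checks the certificate against those constraints, and exports both halves. It assumes the third-party Python `cryptography` package; every organization name, host name and password in it is a constructed sample value, and the function names are the example's own.

```python
"""Added example (not FDA ESG code): generate a key pair and self-signed certificate,
check the certificate against the constraints this page states (no blank Subject or
Issuer attributes, validity between one and three years), then export the public
certificate for registration and the private key as a password-protected PKCS#12
(.pfx/.p12) file for sending submissions. Requires the third-party `cryptography`
package; every name and password below is a constructed sample value."""
import datetime as dt

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

MIN_DAYS = 365          # "valid for at least one year"
MAX_DAYS = 3 * 365 + 1  # "no more than three years" (one leap day allowed)

# Short labels for the Subject/Issuer attributes most commonly seen in certificates.
OID_LABELS = {
    NameOID.COUNTRY_NAME: "C", NameOID.STATE_OR_PROVINCE_NAME: "ST",
    NameOID.LOCALITY_NAME: "L", NameOID.ORGANIZATION_NAME: "O",
    NameOID.ORGANIZATIONAL_UNIT_NAME: "OU", NameOID.COMMON_NAME: "CN",
    NameOID.EMAIL_ADDRESS: "emailAddress",
}


def make_self_signed(name, days):
    """Generate an RSA-2048 key pair and a self-signed certificate valid for `days` days."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = dt.datetime.now(dt.timezone.utc).replace(microsecond=0)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)  # self-signed: the issuer is the subject itself
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + dt.timedelta(days=days))
        .sign(key, hashes.SHA256())
    )
    return key, cert


def validity_window(cert):
    """Return (not_before, not_after) as aware UTC datetimes on old and new library versions."""
    before = getattr(cert, "not_valid_before_utc", None)
    if before is None:  # cryptography < 42 exposes naive datetimes only
        return (cert.not_valid_before.replace(tzinfo=dt.timezone.utc),
                cert.not_valid_after.replace(tzinfo=dt.timezone.utc))
    return before, cert.not_valid_after_utc


def esg_problems(cert):
    """Return the reasons the certificate would be rejected; an empty list means it passes."""
    problems = []
    for label, name in (("Subject", cert.subject), ("Issuer", cert.issuer)):
        if not name.rdns:
            problems.append(f"{label} is empty")
        for attr in name:
            if not str(attr.value).strip():  # empty or whitespace-only counts as blank
                field = OID_LABELS.get(attr.oid, attr.oid.dotted_string)
                problems.append(f"{label} has a blank {field} field")
    before, after = validity_window(cert)
    days = (after - before).days
    if days < MIN_DAYS:
        problems.append(f"validity is {days} days, shorter than one year")
    elif days > MAX_DAYS:
        problems.append(f"validity is {days} days, longer than three years")
    if after < dt.datetime.now(dt.timezone.utc):
        problems.append("certificate has already expired")
    return problems


def export_for_esg(key, cert, password):
    """Return (certificate PEM to register with the ESG, PKCS#12 bytes holding the private key)."""
    public_pem = cert.public_bytes(serialization.Encoding.PEM)
    pfx = pkcs12.serialize_key_and_certificates(
        name=b"fda-esg", key=key, cert=cert, cas=None,
        encryption_algorithm=serialization.BestAvailableEncryption(password),
    )
    return public_pem, pfx


def private_key_matches(pfx, password):
    """Reopen the .pfx/.p12 and confirm the private key inside matches its certificate."""
    key, cert, _ = pkcs12.load_key_and_certificates(pfx, password)
    return key.public_key().public_numbers() == cert.public_key().public_numbers()


# Constructed sample identities: one that passes, one with a blank OU and a 30-day lifetime.
GOOD_NAME = x509.Name([
    x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Sponsor Inc"),
    x509.NameAttribute(NameOID.COMMON_NAME, "esg-submitter.example.com"),
])
BAD_NAME = x509.Name([
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Sponsor Inc"),
    x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, " "),  # blank data element
    x509.NameAttribute(NameOID.COMMON_NAME, "esg-submitter.example.com"),
])
GOOD_KEY, GOOD_CERT = make_self_signed(GOOD_NAME, days=2 * 365)
_, BAD_CERT = make_self_signed(BAD_NAME, days=30)

if __name__ == "__main__":
    print("good certificate:", esg_problems(GOOD_CERT) or "accepted")
    print("bad certificate:", esg_problems(BAD_CERT))
    pem, pfx = export_for_esg(GOOD_KEY, GOOD_CERT, b"constructed-password")
    print(pem.decode().splitlines()[0], "| key matches certificate in .pfx:",
          private_key_matches(pfx, b"constructed-password"))
```

The PEM returned by `export_for_esg` is the public half to supply during registration; the PKCS#12 bytes hold the private half and stay on the sponsor's own system. Because the sample certificate is self-signed, a blank attribute shows up in both the Subject and the Issuer check, which is exactly why the check walks both names rather than only the Subject.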