To work in the NSD EDC system the user's computer must have the following certificates and keys installed:
- NSD certificate (public key) to encrypt messages sent from the client to the repository;
- Clients certificate with public and private keys, used for creating digital signature to messages sent from the client to the repository and for decrypting messages sent from the repository to the client;
- Root certificate of the Moscow Stock Exchange (Certification Authority, hereinafter CA).
Scheme 1 shows the general procedure of installing certificates and keys.
Scheme 1 – the general procedure of installing certificates
Obtaining a certificate
From the Moscow Exchange you obtain a certificate of registration document and a CD disk, comprising of:
- software (MOEX EDS DSSK: Certificates storage, MOEX EDS DSSK: Java API);
certificate of registration with private key.
The key and the certificate of registration are not intended to provide security of the transmitted information. They will be added to the Certificates storage for the generation of the private and public key and creating of a request to issue a certificate for the Moscow Exchange. The key and the registration certificate are to be copied to the root folder on any external drive, such as a usb-stick.
Certificate of registration are used for:
generation of user's private and public key;
creation of a request to issue a public key certificate.
Depending where the certificate is stored (external hard drive or a computer), the order they are added to the Certificates storage and making a request will differ.
If the key and the certificate of registration are stored on the user's computer
During the first start a window will open informing you that you need to insert an external drive. As the key and the certificate of registration are located on your computer, skip this step and click Cancel
During the initial connection the user only has a certificate of registration, so skip this step by clicking Cancel
Next the storage will be automatically checked for the presence of a personal certificate.
During the first start a personal certificate and copies of storagies are not available. Skip step by clicking No
Then the screen will sequentially display windows for selecting the certificate of registration, where you need to click OK and Yes respectively
The window for adding a certificate of registration will appear, where you need to select the certificate file and click Open. The registration key will be imported automatically (provided that it is next to a certificate, in the same folder)
Next, the screen displays information about adding certificates of registration
The certificate of registration will serve as a basis for creating a personal and local storage. The personal storage is confirmed with an electronic signature using the registration key.
The personal storage will display the certificate of Moscow Exchange, and the user’s registration certificate under Certificate of registration
Click OK to continue working in the storage
Next, you will need to generate your public and private key and a request for their confirmation by the Moscow Stock Exchange by clicking OK
If the key and the certificate of registration are stored on an external drive
Before you begin, insert an external drive in the usb-port on your computer, then run the Certificates storage. This opens a window where you will need to select device containing the key and certificate of registration and click OK
|As a result the key and the certificate of registration will be added automatically. The screen will display a message containing information about the added files, where you need to click OK|
The certificate of registration will serve as a basis for creating a personal and local storage (profile). The personal storage is confirmed with an electronic signature using the registration key.
The personal storage will display the certificate of Moscow Exchange, and the user’s registration certificate in Certificates of registration section
Next, a message will appear informing you that the personal storage is protected with the registration certificate. In this window you need to click OK to create private keys and make a request for their confirmation (see Generation of user keys and creating a request)
Public and private key are created simultaneously with the request to the Certification Authority to issue a certificate. Keys cannot be used to protect information transmitted until they are certified by the Certification Authority (the Moscow Exchange). Therefore, a request is made for their confirmation, which contains information about the generated public key (Fig. 2) and information about the user, automatically added from the certificate of registration. The Moscow Exchange (CA) responds with an email containing certificate signed by the CA root certificate.
If the certificate of registration are stored on the computer, after step 7 in the table above, Certificates storage will automatically generate user's private and public keys and a request to issue a public key certificate (Fig. 2).
If the certificate of registration are stored on an external drive, to generate keys and make a request select the Справочник сертификатов (Certificates storage in the menu) (Fig. 1.1) → Сформировать запрос на получение сертификата (Generate certificate request) (Fig. 1.2), or click an icon on the toolbar.
Fig. 1 – generation of a request
In the Certificate request dialog box, click OK (Figure 2). This will open the Export files for the Registration Centers, where you should select a folder to which the request will be saved and click the Save button (Fig. 3).
Fig. 2 – request parameters Fig. 3 – export files
The resulting request (a *.pse file) needs to be compressed and sent to email@example.com, with a scanned and signed registration certificate (document) attached. The subject field should specify the name of the organization and the required scope of the certificate (for example, the Oblachnye Investitsii CJSC – exchange market EDI, stock market EDI). The Moscow Exchange will respond with a letter with an attached ZIP-file of the certificate. This certificate must be added to the Certificates storage.
The resulting certificate is valid only for the generated public and private key that is stored on the user's computer. Therefore, a certificate from the Moscow Exchange must be added to the Certificates storage installed on the same computer, where the certificate issue request was generated!
Adding a certificate to the Certificates storage
To add a certificate to the Certificates storage:
- run Certificates storage menu using the Start menu→All Programs→ ПКЗИ СЭД МБ (MOEX EDS DSSK)→Справочник сертификатов (Certificates storage);
select Справочник сертификатов (Certificates storage)→Импортировать сертификат в локальный справочник (Import Certificate) to the local storage (see Figure 4). This will open a window to select the certificate file (Fig. 5);
Fig. 4 – starting to import file Fig. 5 – selecting a certificate
- select the certificate file (see Fig. 5.1 ) and click OK (see Fig. 5.2 ). Before adding a window will open displaying the certificate to be added, in which you should click OK (Fig. 6).
Fig. 6 – information about the certificate to be added
This will open a window informing the certificate was successfully added to the Certificates storage, where you need to click OK (Fig. 7). Example of adding a certificate is presented in Fig. 8.
Fig. 7 – informative message Fig. 8 – example of adding a certificate
Then the certificate must be set as default. To do this, select the added certificate, right-click on the shortcut menu, and select Сделать сертификат рабочим (Make certificate workable) (Fig. 9).
Fig. 9 – selecting the working certificate
After adding a personal certificate to the Certificates storage, the personal storage is signed on the member’s personal certificate. The generation of a digital signature for sent messages is ensured by the private key.
Settings will be automatically applied to 64-bit Certificates storage.