Support
FAQs
Certificates
- Encryption strength and SSL certificates
- I have received a new certificate, and can no longer read my encrypted data
- I’ve forgotten the pass phrase for my profile, what do I do?
- Problems renewing your ID: Error code -12227
- What are Smartcards and Tokens?
- What are SwissSign user profiles and how secure are they?
- What do CA and RA mean? What are CAOs and RAOs?
- What does "revocation" mean?
- What does the attachment “smime.p7s” in my webmail mean?
- What is "trust"?
- What is a Certificate?
- What is a digital signature?
- What is a pass phrase?
- What is a PKI?
- What is a public key and what is a private key?
- What is a qualified certificate?
- What is a root certificate?
- What is an RFC?
- What is dual keying?
- What is key usage?
- What is ZertES?
- Where can I use digital identities or certificates?
- Who tells me which "root keys" to trust?
- Why do I have problems accessing https pages in my browser running under Windows 2000?
- Why do I have problems in my e-mail program running under Windows 2000?
- Why is my SSL certificate not considered trustworthy?
Encryption strength and SSL certificates
The encryption strength of an SSL connection has nothing to do with the SSL certificate. It is determined exclusively by the encryption capabilities of the sending and receiving systems. In the encryption process, the SSL certificate serves "only" to identify the server securely, to authenticate mutually and to establish a secure channel (i.e. the exchange of a symmetric key). Every SwissSign SSL certificate therefore allows the strongest encryption possible (128 or 256 bit with current systems).
I have received a new certificate, and can no longer read my encrypted data
You need the corresponding private key in order to decrypt the data. You must make sure that your old encryption certificate is still imported in your browser. This is the only way to decrypt data that was encrypted using your old certificate. If the certificate no longer exists in your browser, log in to your SwissSign profile and re-import the certificate. To do this, you will need the 16-character password you entered when you created the certificate.
I’ve forgotten the pass phrase for my profile, what do I do?
Contact your RA. Send us a digitally-signed e-mail.
We can identify you from your signature and can then set a new password. If you are unable to sign an e-mail digitally, send us a request by post including a copy of your ID card or passport and a handwritten signature.
Problems renewing your ID: Error code -12227
This error message means there is no certificate available for authentication, or the certificate has expired. If the certificate has expired, create a new certificate.
What are Smartcards and Tokens?
Smartcards and Tokens are small pieces of hardware upon which you can store one or more certificates. Smartcards resemble credit cards, and Tokens are like USB sticks. Both contain a special chip that in itself is a tiny computer, including an operating system. It is extremely difficult to extract a private key from a correctly formatted Token or Smartcard.
What are SwissSign user profiles and how secure are they?
SwissSign user profiles are one of the modules for RA functions and are closely linked to the SwissSign CA. Profiles allow subscribers to manage their keys and certificates. For example, you can use your profile to revoke a certificate. Profiles are protected with a personal pass phrase.
What do CA and RA mean? What are CAOs and RAOs?
A CA (Certification Authority) issues the certificates after an RA has verified the requester and approved the certificate request. The CA signs the issued certificates to verify their authenticity.
An RA (Registration Authority) is a registration department that checks the requester and the corresponding request for a certificate. The RA vouches for the fact that the information that represents these individuals is correct and is available in the form of certificates. The CA only issues a certificate after the RA has approved the request.
CAOs and RAOs are operators for the CA or RA; they are people with specific functions and duties relating to the CA or RA.
What does "revocation" mean?
Revocation is the process that makes a certificate invalid. Revoked certificates are listed in the CRL (Certificate Revocation List), and the CRL is published by the CA as per the corresponding CP/CPS.
When an encryption certificate is revoked, it is extremely important that you store the corresponding private key. You will still need this key to decrypt data that was encrypted using the old (revoked) certificate. When a signing certificate is revoked, you can safely delete the private key, because you can no longer use it to create valid signatures.
What does the attachment “smime.p7s” in my webmail mean?
The digital signature for a signed e-mail is sent as an attachment to that e-mail. This attachment is automatically checked by the e-mail program of the recipient. However, most webmail providers, such as Gmail, Windows Live Hotmail or Yahoo!, just show the signature as an attachment with the filename “smime.p7s” and do not run a check of the signature.
What is "trust"?
Trust is one of the most important components of a public key infrastructure (PKI). To be able to work with certificates you must trust the CA that issued your certificate.
Second generation SwissSign CAs are already installed into the following Root Trust Stores:
- Microsoft Windows
- Apple OS X
- Mozilla (NSS)
To find out more about a SwissSign CA, read the relevant Certificate Policy and Certification Practice Statement (CP/CPS).
To download and import the SwissSign Root Key go to the Support - Download Section.
What is a Certificate?
A certificate links the keys (public and private) to the subscriber. The RA has checked the information in the certificate and the CA has signed the certificate to prove that it is genuine. A certificate usually includes a certificate number, public key, personal name, e-mail address, validity period and possibly additional information such as the organisational unit to which the person belongs, and the country in which the organisational unit is active.
What is a digital signature?
You can use a private key to digitally sign a document (e.g. PDF, e-mail). This creates a valid digital signature, as long as your certificate was valid at the time the document was signed. This digital signature can be verified by anyone who has your certificate or public key. This proves that you signed the document.
What is a pass phrase?
A pass phrase resembles a sentence in that it can contain both lowercase and uppercase letters. The text string containing these letters is very long and also includes special characters. This makes a pass phrase much more secure than a password.
What is a PKI?
A public key infrastructure (PKI) is an infrastructure or environment where various applications and functions work using cryptographic keys (public key and private key) and certificates. These applications range from access control and secure e-mail through to various types of digitally-signed information.
What is a public key and what is a private key?
The key pair linked to the certificate consists of two parts:
The public key is public and is communicated freely. This public key is used to encrypt messages for the subscriber or to verify a subscriber signature.
The private key is private and only accessible to the subscriber. This private key is used to decrypt messages or to generate a signature.
What is a qualified certificate?
The term "qualified certificate" was coined in Europe during an EU-wide effort to promote a consistent standard for PKI systems. Although there is no formal definition, a "qualified certificate" usually describes a type of certificate issued according to the legal guidelines set by national legislation. At this time Switzerland is subject to its own digital signature law (Bundesgesetz über die digitale Signatur, ZertES, SR 943.03). In the EU the standard is ETSI TS 101 456, and in the USA and Canada ANSI X9.79.
What is a root certificate?
A root certificate is a certificate signed by a CA. To use a root certificate you must first trust the corresponding CA. Using a root certificate implies that the user instance recognises and accepts all certificates issued by the relevant CA. For a detailed description of CA usage, organisation, functions, methods and processes, see the Certificate Policy/Certification Practice Statement (CP/CPS).
What is an RFC?
RFC stands for "Request for Comments". RFCs are working documents that are generally and internationally accepted as Internet standards. The RFC system was created soon after the Internet came into existence.
More information under http://www.rfc-editor.org/
What is dual keying?
The term "dual keying" is often used in the context of Secure E-Mail. If you have a well-developed application then you can sign and encrypt e-mails. Simply import a SwissSign certificate into your e-mail application and off you go. But be careful! When you use a certificate for encryption and signing there is a risk you might lose important data. If you lose the pass phrase for the certificate, or even the certificate itself, then you will not be able to read your own encrypted data! For businesses (and for private users too, we hope) this is not acceptable.
"Dual keying" uses two key pairs (two certificates): one pair for signing e-mails (NEVER make a backup of the private key for this certificate) and one pair for encrypting e-mails (ALWAYS make a backup of the private key for this certificate). The best place for this backup is the SwissSign online database. You could also use a disk or CD. Simply create a request on the SwissSign website. If you lose your signing key then this is not so much of a problem, simply create a new one. If you lose the encryption certificate, log in to your SwissSign profile and download the certificate again. This means you will always be able to decrypt your data.
What is key usage?
The certificate contains an entry "Key Usage". This field defines the usage for the certificate. Possible key usage entries include:
Digital Signature, Non-Repudiation, Key Agreement, Key Encryption and/or Data Encryption.
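The Key Usage field is stored in the certificate as a bit string, and the two certificates of a dual-keying setup differ in exactly these bits. The following Python sketch is an added example, not SwissSign code: it decodes the DER-encoded bit string using the RFC 5280 names (the page's "Key Encryption" and "Data Encryption" are keyEncipherment and dataEncipherment there) and classifies the result. The function names, the grouping of usages into signing and encryption roles, and the sample bytes are assumptions of this example.

```python
"""Decode the X.509 KeyUsage bit string; names are the RFC 5280 identifiers."""
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
)
# Assumption of this example: how usages map onto the two dual-keying roles.
SIGNING = {"digitalSignature", "nonRepudiation"}
ENCRYPTION = {"keyEncipherment", "dataEncipherment", "keyAgreement"}


def decode_key_usage(der: bytes) -> set[str]:
    """Return the usages set in a DER BIT STRING (tag 0x03, short-form length)."""
    if len(der) < 4 or der[0] != 0x03:
        raise ValueError("not a non-empty DER BIT STRING")
    if der[1] >= 0x80 or der[1] != len(der) - 2:
        raise ValueError("length byte does not match the data")
    unused, payload = der[2], der[3:]
    if unused > 7 or payload[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be declared correctly and be zero")
    usages = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        byte_index, bit = divmod(i, 8)
        # Bit 0 is the most significant bit of the first payload byte.
        if byte_index < len(payload) and payload[byte_index] & (0x80 >> bit):
            usages.add(name)
    return usages


def dual_keying_role(usages: set[str]) -> str:
    """Classify a certificate against the dual-keying backup rule."""
    signs, encrypts = bool(usages & SIGNING), bool(usages & ENCRYPTION)
    if signs and encrypts:
        return "combined"    # one key pair does both: not dual keying
    if signs:
        return "signing"     # never back up this private key
    if encrypts:
        return "encryption"  # always back up this private key
    return "other"           # e.g. a CA certificate (keyCertSign, cRLSign)


# Constructed sample values, not taken from any real certificate.
SAMPLES = {"sign": "030206c0", "encrypt": "03020430", "both": "030205a0"}

if __name__ == "__main__":
    for label, hex_der in SAMPLES.items():
        usages = decode_key_usage(bytes.fromhex(hex_der))
        print(label, sorted(usages), "->", dual_keying_role(usages))
```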
What is ZertES?
ZertES is the abbreviation for the Swiss digital signature law (Bundesgesetz über die digitale Signatur, ZertES, SR 943.03). This law stipulates that digital signatures with a qualified certificate have the same status as handwritten signatures.
Where can I use digital identities or certificates?
Using certificates guarantees you security, privacy and trust. They are used in various applications (Secure Mail, e-Business, e-Government, e-Health and so on).
Who tells me which "root keys" to trust?
You! Operating systems and browsers also define which roots you trust. These are listed in Trusted Root Stores. However, you can modify these Trusted Root Stores to meet your own requirements.
Why do I have problems accessing https pages in my browser running under Windows 2000?
The SwissSign root certificate is recognized as trustworthy in all current browsers and operating systems. In Windows 2000, however, the root certificates are not automatically installed; this has to be done manually. You can install the three root certificates (Platinum CA - G2, Gold CA - G2 and Silver CA - G2) using the following link.
Why do I have problems in my e-mail program running under Windows 2000?
The SwissSign root certificate is recognized as trustworthy in all current browsers and operating systems. In Windows 2000, however, the root certificates are not automatically installed; this has to be done manually.
You can install our root certificates using the following links:
Why is my SSL certificate not considered trustworthy?
SwissSign's root certificates are installed in most commonly used browsers. Update your browser to the latest version and install the latest root certificates from the Windows Update page.
It is also possible that your web server does not send the complete certificate chain to clients.
This problem can be solved by using the SSLCertificateChainFile directive in the Apache configuration.
You can find instructions for the configuration of Apache with SSL certificates here (German only!).




