Australian Customs Service requires that all access to the Integrated Cargo System [ICS] use a "Gatekeeper" Digital Certificate [DC] obtained from VeriSign Australia. There are three types of DC under the "Gatekeeper" program:
- Authorised Officer [AO] Gatekeeper ABN DSC CA
An AO certificate must be obtained before any other type of DC can be purchased. It identifies the individual within a business who is authorised to represent the company to VeriSign on matters related to purchasing, renewing or revoking the company's certificates. It requires this individual to undergo a "100 point identity check" at an Australia Post "KeyPost Authorised Outlet". An AO certificate costs $187, including GST, and must be renewed every two years.
An AO certificate can also be registered for access to the Customs Interactive web site!
- Standard Gatekeeper ABN DSC CA
A "Standard" certificate identifies a person within a business, but that individual does not have to undergo an identity check — because the "Standard" certificate can only be purchased by the Authorised Officer (whose identity has been verified). Each "Standard" DC currently costs $93.50, including GST, and must be renewed every 2 years. A "Standard" certificate can be used for:
  - Access to the Customs Interactive web site by only the person named in the certificate (i.e. every user of Customs Interactive requires either an AO or a "Standard" ABN DSC).
  - EDI access to the ICS system if, and only if, there is one (and only one) person using the Export-It EDI application for creating and changing Customs documents.
For either use the certificate must be registered with Customs before it can be used. For EDI access to the ICS the certificate must be registered for the "EDI site" on the Customs database. For individual access to Customs Interactive the certificate must be registered under the person's name on the Customs registration database.
- Device Gatekeeper Type 3 DSC CA
The Type 3 [device] certificate identifies a system, hardware or software, in a business which may be used by multiple persons — it does not identify an individual. Therefore, a Type 3 [device] certificate cannot be used to access the Customs Interactive web site. It is only for use with Export-It EDI access to the ICS system, when there is more than one user of the Syscob software, and must be registered for the "EDI site" on the Customs database before it can be used (the Customs Connect Facility [CCF] Gateway will ignore any messages it receives unless they are signed with a DC that is registered for the Customs "EDI site"). A renewed Type 3 certificate must likewise be registered before it can be used. A Type 3 [device] certificate costs $594, including GST, and must be renewed every two years.
Note that it is an exporter's responsibility to purchase, download, install and preserve the Digital Certificates which they require. VeriSign requires that all Digital Certificates (AO, Individual and Type 3) be obtained by the AO using the same web browser (which may be IE6 or IE7 or Firefox or other, but not IE8 or IE9) on the same PC! The exporter is also responsible for ensuring that certificates are properly registered with Customs and that they are employed within the requirements of Customs and VeriSign (e.g. that one person's DC is not used by another individual). Improper use can result in loss of access to Customs facilities and civil or legal prosecution.
Because Microsoft Windows ties a DC to a "user object" — not a user name — extreme care must be observed whenever any change is made to user logins. Re-installation of Windows on a PC, updates which affect the "protected items" used by Microsoft Cryptographic Service Providers (such as from IE6 to IE7) or changes from Windows [local] login to domain login may all cause loss of the ability to use existing Digital Certificates. Syscob strongly recommends that an exporter's IT staff be familiar with the implications of any change to platforms where DCs are installed before the changes are made! Searches of the system Resource Kit, MSDN and TechNet for issues related to "protected objects" and "protected properties" should be made and the Microsoft CSP mechanisms understood when making any changes to platforms which have Gatekeeper Digital Certificates in use.
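
A pre-change check for the situation described above, as an added example (not Syscob, Customs or VeriSign code): it lists the Gatekeeper certificates in the current Windows user's personal store, reports whether each still has a usable private key and how long it has left, and can attempt a password-protected PFX backup. It assumes PowerShell 4 or later with the PKI module, that the issuer name contains "Gatekeeper", and that the keys were installed as exportable; the variable names, warning window and backup folder are hypothetical.

```powershell
# Added example: run as the Windows user who signs ICS messages, BEFORE any
# change to logins, domain membership, or a Windows re-install.
# Assumptions: PowerShell 4+ with the PKI module; issuer DN contains "Gatekeeper".
$IssuerPattern = '*Gatekeeper*'   # assumed from the CA names on this page
$WarnDays      = 60               # hypothetical renewal warning window
$BackupDir     = ''               # hypothetical: set to a protected folder to attempt PFX backup

function Get-GatekeeperCertReport {
    param([string]$Pattern, [int]$WarnDays)
    $now = Get-Date
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Issuer -like $Pattern } |
        ForEach-Object {
            # A certificate without its private key cannot sign EDI messages.
            $status = if (-not $_.HasPrivateKey) { 'NO PRIVATE KEY (cannot sign)' }
                      elseif ($_.NotAfter -lt $now) { 'EXPIRED' }
                      elseif ($_.NotAfter -lt $now.AddDays($WarnDays)) { 'RENEW SOON' }
                      else { 'OK' }
            [pscustomobject]@{
                Subject = $_.Subject; Issuer = $_.Issuer; Thumbprint = $_.Thumbprint
                NotAfter = $_.NotAfter
                DaysLeft = [math]::Floor(($_.NotAfter - $now).TotalDays)
                HasPrivateKey = $_.HasPrivateKey; Status = $status
            }
        }
}

$report = @(Get-GatekeeperCertReport -Pattern $IssuerPattern -WarnDays $WarnDays)
if ($report.Count -eq 0) {
    Write-Warning "No certificate matching $IssuerPattern in this user's store."
}
$report | Format-Table Subject, NotAfter, DaysLeft, HasPrivateKey, Status -AutoSize

if ($BackupDir) {
    $pw = Read-Host -AsSecureString -Prompt 'Password to protect the PFX files'
    foreach ($r in ($report | Where-Object { $_.HasPrivateKey })) {
        $file = Join-Path $BackupDir ($r.Thumbprint + '.pfx')
        try {
            Get-Item "Cert:\CurrentUser\My\$($r.Thumbprint)" |
                Export-PfxCertificate -FilePath $file -Password $pw -ErrorAction Stop | Out-Null
            Write-Output "Backed up $($r.Thumbprint) to $file"
        } catch {
            # Typical cause: the key was installed as non-exportable.
            Write-Warning "Could not export $($r.Thumbprint): $($_.Exception.Message)"
        }
    }
}
```

Run it again under the same login after the change: an empty result or a "NO PRIVATE KEY" row for a certificate that was previously "OK" means the login no longer reaches the profile that holds the key.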