
2.3.  Gatekeeper Digital Certificates

Syscob Export-It and Export-It Plus only need to have Digital Certificates installed when the Customs Integrated Cargo System [ICS] of the Department of Immigration and Border Protection [DIBP] (formerly Australian Customs Service) is an “EDI partner” for direct EDI Interchange traffic.  Many exporters do not need to exchange EDI “Interchange” traffic with Customs because they obtain their EDNs via Single Entry Window [SEW] style RFPs (where DofA acts as their agent with Customs).  In that case please skip this subsection and go directly to the SEDI Configuration topic.

If Customs must be an “EDI partner” then be aware that the certificates needed are all part of the VeriSign “Gatekeeper” program that is also used by the Australian Taxation Office [ATO] for web access.  These are based on the Public Key Infrastructure [PKI] paradigm.  They use a dual-key scheme in which a message encrypted with a “public” key can only be decrypted by the corresponding “private” key—and vice versa.  This means that there are two forms for a Digital Certificate when exported to a file:  one with the “private” key, which is held and secured by the owner (with a “.pfx” extension), and one with only the “public” key (with a “.cer” extension) which is distributed to anyone wanting to be able to exchange secure communications.

Local Machine Certificate Store

Since an EDI endpoint is a hardware or software “device”, the required Digital Certificates must be in the “Local Machine Certificate Store” and any Syscob user logon that can act in the SEDI role must have access to them.  Unfortunately, Microsoft has changed the manner in which certificates are stored by Internet Explorer after MSIE7 (MSIE8, or later, may encrypt them with a current user GUID, which prevents retrieval at the “local machine” level).  To avoid such issues be sure to use another web browser like Firefox (VeriSign recommendation) or an older Internet Explorer version (i.e. MSIE7 or MSIE6) to enrol, download and export all Digital Certificates needed for EDI.

Customs ICS Digital Certificate Files

The “Local Machine Certificate Store” must contain these three [3] certificate objects (which do not contain a “private” key) for the Customs ICS endpoint:

Gatekeeper Root CA: eSign Australia, Gatekeeper Root CA [no email]

File has “EGKROOTSKI.509.cer” name.

Gatekeeper Root CA: VeriSign Australia, Gatekeeper TYPE 3 CA [no email]

File has “Gatekeeper Type3 CA.cer” name.

Gatekeeper TYPE 3 CA: Australian Customs Service, CCF E-mail Gateway (cargo@ccf.customs.gov.au)

File has “CCF E-mail Gateway_YYYYMMDD.cer” name.

An archive containing all of the files above may be downloaded from the Syscob Tools Repository (3.23 Kb).  After download extract the three [3] files in the archive and save them in the “\ExportIt\VDF7\CMR_DC” folder of the Export-It “server” drive.
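The check below is an added example, not part of Syscob's tooling: it confirms that each “.cer” file saved in the CMR_DC folder is installed somewhere under the Local Machine store, and flags the case described under “Local Machine Certificate Store” where a certificate exists only at the current-user level.  The drive letter X: is a placeholder for the Export-It “server” drive, and the function and variable names are illustrative.

```powershell
# Added example: audit that the Customs ICS .cer files are installed machine-wide.
param(
    # Assumption: X: stands in for the Export-It "server" drive letter.
    [string]$CertFolder = 'X:\ExportIt\VDF7\CMR_DC'
)

function Find-InStore {
    param([string]$Root, [string]$Thumbprint)
    # Walk every store under the root (e.g. Cert:\LocalMachine) and keep
    # certificates whose thumbprint matches; store containers have no thumbprint.
    Get-ChildItem -Path $Root -Recurse |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
}

$results = foreach ($file in Get-ChildItem -Path $CertFolder -Filter '*.cer') {
    # Load the exported public-key certificate directly from the file.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                -ArgumentList $file.FullName

    $machine = @(Find-InStore -Root 'Cert:\LocalMachine' -Thumbprint $cert.Thumbprint)
    $user    = @(Find-InStore -Root 'Cert:\CurrentUser'  -Thumbprint $cert.Thumbprint)

    if ($machine.Count -gt 0)  { $status = 'OK: in Local Machine store' }
    elseif ($user.Count -gt 0) { $status = 'PROBLEM: only in Current User store' }
    else                       { $status = 'MISSING: not installed' }

    # Names of the machine-level stores that hold this certificate.
    $stores = $machine | ForEach-Object { ($_.PSParentPath -split '\\')[-1] }

    [pscustomobject]@{
        File          = $file.Name
        Subject       = $cert.Subject
        Expires       = $cert.NotAfter
        Expired       = $cert.NotAfter -lt (Get-Date)
        HasPrivateKey = $cert.HasPrivateKey   # a .cer file should report False
        Stores        = ($stores | Sort-Object -Unique) -join ', '
        Status        = $status
    }
}

$results | Format-Table -AutoSize
```

Run it from a logon that acts in the SEDI role, since that is the account that must be able to read the certificates.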

Exporter EDI “Device” Type 3 Certificate File

Any “EDI partner” of ICS must obtain, download and export a Gatekeeper Type 3 [device] certificate (also see below) into a file that contains a “private” key and has a “.pfx” extension.  All actions done by an exporter in relation to this, their “site certificate”, must be done on the same computer using the same browser software!

Subsequent topics in this subsection provide instructions related to “site certificate” acquisition and export and import into the certificate store.

In the rare case where one, and only one, person ever uses Syscob software then it is possible to use a less expensive “standard” Gatekeeper ABN DSC CA [non-individual] certificate as the “site certificate” (rather than a “device” certificate).  Be aware that this is not the Authorised Officer [AO] ABN DSC CA which is required to obtain any other Digital Certificate from VeriSign.  The AO certificate is usable to access the ICS web site interactively, but not for EDI.  However, the process of obtaining a “standard” Type 2 certificate is very similar and it must contain the dedicated EDI email address (just like a Gatekeeper Type 3 would).
