Syscob Admin Guide » Secure EDI [SEDI] » Digital Certificates » Importing Certificates

2.3.4.  Managing “Local Machine Certificate Store”

Syscob applications employ the “Local Machine Certificate Store” to access the four [4] Digital Certificates used by the SEDI protocol (see the Digital Certificates topic for the three [3] Customs “public” plus the one [1] “site certificate” [normally a Type 3] needed).  That store is required because the Customs Gatekeeper TYPE 3 CA certificate must be accessible at the “local machine” [device] level and, for almost all exporters, the “site certificate” is a Gatekeeper TYPE 3 CA that has this same constraint.

Be aware that “public” certificates are located in the store by their type and organization name (e.g. the Type 3 for Customs), but the “site certificate” (which contains a “private key”) is identified by its embedded email address!  This means that there must never be more than one DC in the store with the dedicated EDI email address (i.e. the “old” certificate must be removed when it expires to prevent its use; even with the “new” certificate inserted into the store the “old” one would be found first and used).

Although there are a number of tools, depending on the Windows® version in use, which could import the certificates into this store, Syscob supplies a simple utility to manage this store for SEDI communications.

ExpCertM is the Export-It Certificate Manager

This utility can be found in the “VDF7” subfolder of the Syscob application “local” or “server” folder for the computer on which a user logon, the “SEDI user”, will run SEDI.  It is named “ExpCertM.exe” and can be started via the “CLICK HERE to access DC store” button of the “Digital Certificates” tab of the SEDI_exp configuration settings window, via a shortcut in the “Tools” subfolder of the “Export-It” folder on the user Desktop or the Start button programs menu or by just running the “\ExportIt\VDF7\ExpCertM.exe” executable.

The main window of the utility (reduced image at right) has an upper pane that shows the contents of the “Local Machine Certificate Store”, a central button bar and a lower pane where the session log can be seen.  When all imports and removals are completed the upper pane should contain the four [4] Digital Certificates described in the Digital Certificates topic.  There is an exception when a new “site certificate” (with a “private key”) is imported.  Since, by default, Windows® treats this as a “protected item” it will not appear in the upper pane immediately after import.  It will be shown the next time the Export-It Certificate Manager is started, because a fresh start re-reads the store rather than relying on the view cached at the time of import.

When a certificate is selected, by clicking on it in the upper pane, it is highlighted and the buttons in the central bar that apply to it become enabled.  For example, the “Details” button opens a Certificate Details window (example at right) which shows the selected certificate's properties (including whether it is expired or revoked, and its embedded email address).

However, initially the upper pane will be empty and the four [4] needed Digital Certificates must be imported.  These will be imported from four [4] files which, when Syscob recommendations are observed, should all be found in the “CMR_DC” subfolder of the “VDF7” subfolder in the application “server” folder and also the “local” folder of a “SEDI machine”.  The latest Customs certificate files can always be downloaded from the Tools Repository on the Syscob web site.  The four [4] required certificate files which need to be in the store are:

  • “EGKROOTSKI.509.cer” contains the Gatekeeper Root CA: eSign Australia, Gatekeeper Root CA [no email] certificate that is part of the verification chain.
  • “Gatekeeper Type3 CA.cer” holds the Gatekeeper Root CA: VeriSign Australia, Gatekeeper TYPE 3 CA [no email] that is also part of the verification chain.
  • “CCF E-mail Gateway_YYYYMMDD.cer” (as this expires every two years the “YYYYMMDD” value will vary) is the file with Gatekeeper TYPE 3 CA: Australian Customs Service, CCF E-mail Gateway (cargo@ccf.customs.gov.au) certificate, the currently valid Type 3 certificate for Customs used to encrypt EDI interchanges.
  • The “.pfx” file produced by the Exporting Type 3 procedure that contains the exporter's Type 3 (or “standard” Type 2) “site certificate” with a private key.  This certificate must have the Export-It dedicated EDI email address embedded within it.

The same procedure is used to import all four certificate files, except that the “.pfx” file will require that the password (assigned when the certificate was exported) be entered.  If the password is not known it cannot be “recovered” (due to 128-bit encryption) and the certificate cannot be imported from the file (meaning that file is useless).  Since the three “.cer” files do not contain a private key (only a public key) they do not require a password for import.  To import each certificate from its file follow these instructions:

  1. Press the “Import” button for a dialog to choose one of the four files listed above.  Select one of the files and press the “Open” button of the Import Certificate dialog:
    • For a “.cer” file a confirmation dialog will appear.  To import the certificate press the “Yes” button (or press the “No” button to cancel the import).
    • For a “.pfx” file a confirmation dialog requesting the file password will appear.  To import the certificate enter the password assigned at time of export and press the “OK” button (or press the “Cancel” button to cancel the import).
  2. If the import is successful then the lower log pane will record the import.  If the password was requested and is not correct then this will also be seen in the log pane.  Or if the certificate already existed in the store then the log will say “Certificate already exists in store, no need to add.” to indicate that the import was not performed.
  3. For each “.cer” file the certificate will appear in the upper pane.  But a “.pfx” file is assumed to be a “protected item” so it will not immediately appear (to see it you must exit from, and then re-enter, the Export-It Certificate Manager program).

Repeat the steps above for each of the four [4] certificate files.  When all four [4] Digital Certificates, and only those four [4] certificates, are resident in the “Local Machine Certificate Store” then SEDI communications will be able to use them for EDI interchanges with Customs.

Every two [2] years the “site certificate” and the Customs Type 3 certificate will need to be renewed and replaced in the store.  Illustrated step-by-step instructions for this procedure can be found in the Changing Site Certificate guide.  The latest Customs certificates can always be downloaded from the Tools Repository on the Syscob web site.
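The two rules above that most often cause SEDI failures are the “only one certificate per EDI email address” rule and the two-year expiry of the site and Customs certificates.  The following PowerShell audit, added here as an example and not part of Syscob's ExpCertM utility, lists what is in the store and warns about duplicates, expired entries, a site certificate without its private key, and a missing Customs certificate.  It assumes ExpCertM places the certificates in the LocalMachine Personal (“My”) store, and `$EdiEmail` is a placeholder for your own dedicated EDI address.

```powershell
# Added audit script (not Syscob's ExpCertM code).
# Assumption: the four SEDI certificates live in LocalMachine\My; change $StorePath if not.
$StorePath    = 'Cert:\LocalMachine\My'
$EdiEmail     = 'edi@example.com.au'        # placeholder: the Export-It dedicated EDI address
$CustomsEmail = 'cargo@ccf.customs.gov.au'  # Customs CCF E-mail Gateway (from the guide)

function Get-CertEmail([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # The email may be in the Subject (E=) or in the Subject Alternative Name extension
    $e = $Cert.GetNameInfo('EmailName', $false)
    if ($e) { return $e }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san -and $san.Format($false) -match 'RFC822 Name=([^,\s]+)') { return $Matches[1] }
    return $null
}

$now   = Get-Date
$certs = Get-ChildItem $StorePath | ForEach-Object {
    [pscustomobject]@{
        Subject    = $_.Subject
        Email      = Get-CertEmail $_
        PrivateKey = $_.HasPrivateKey
        NotAfter   = $_.NotAfter
        Expired    = ($_.NotAfter -lt $now)
        ChainOk    = $_.Verify()            # builds the chain: Root CA -> Type 3 CA -> leaf
        Thumbprint = $_.Thumbprint
    }
}
$certs | Format-Table Subject, Email, PrivateKey, NotAfter, Expired, ChainOk -AutoSize

# Rule 1: exactly one certificate may carry the EDI address; the first match in store
# order is the one that gets used, so an expired "old" certificate must be removed.
$site = @($certs | Where-Object { $_.Email -eq $EdiEmail })
if ($site.Count -eq 0) {
    Write-Warning "No site certificate for $EdiEmail in $StorePath (import the .pfx)"
} elseif ($site.Count -gt 1) {
    Write-Warning "$($site.Count) certificates carry $EdiEmail; store order is:"
    $site | ForEach-Object { Write-Warning ("  {0}  expires {1}  expired={2}" -f $_.Thumbprint, $_.NotAfter, $_.Expired) }
    Write-Warning 'Remove the old one so only the current site certificate remains.'
}
# Rule 2: the site certificate must have come from the .pfx, i.e. carry its private key.
$site | Where-Object { -not $_.PrivateKey } |
    ForEach-Object { Write-Warning "Site certificate $($_.Thumbprint) has no private key" }
# Rule 3: a current (unexpired) Customs Type 3 certificate must be present.
$customs = @($certs | Where-Object { $_.Email -eq $CustomsEmail -and -not $_.Expired })
if ($customs.Count -eq 0) { Write-Warning "No current Customs certificate for $CustomsEmail" }
# Anything expired, whatever it is, should be removed from the store.
$certs | Where-Object { $_.Expired } |
    ForEach-Object { Write-Warning "Expired: $($_.Subject) (thumbprint $($_.Thumbprint))" }
```

Run it on the “SEDI machine” after every import or renewal; a clean run prints the table with no warnings.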

These Digital Certificates need only exist in the “Local Machine Certificate Store” (a Registry-based store) of any computer that can act in the “SEDI machine” role (which acts as the SEDI protocol “control point” and performs SEDI communications for the entire topology).  They do not need to be imported into the store of any other computer that runs the application but never assumes the “SEDI machine” role.
