.
Important information
The Swiss Government PKI has delegated the issuing of publicly trusted SSL/TLS certificates to a partner company ("QuoVadis"). This was taken over by "DigiCert" some time ago. Due to this change, all authorised users (subscribers) who have obtained SSL certificates via the "QuoVadis" platform must be migrated to the new "DigiCert" platform.
The Swiss Government PKI will contact all subscribers directly by e-mail. This contains the sender address "DigiCert" and contains the invitation to register on the "DigiCert" platform. We ask all recipients to follow the instructions in the e-mail so that the new registration can be completed.
All existing organisations on "QuoVadis" and the existing domains have been pre-registered on "DigiCert" by the Swiss Government PKI. Subscribers may still have to enter the "RandomValue" in the DNS of the domain for validation. In this case, the Swiss Government PKI will contact the subscribers again.
To enable subscribers to familiarise themselves with the new "DigiCert" platform, the Swiss Government PKI will contact them and/or, if necessary, organise a virtual meeting with all authorised persons of an organisation.
Once the migration is complete, new TLS/SSL certificates can only be issued on the "DigiCert" platform.
Documentation
- Root information and the certificates for the validation chain can be downloaded at: https://www.digicert.com/kb/digicert-root-certificates.htm.
- Support instructions for issuing TLS/SSL certificates can be found at: SSL Certificate, SSL Certificate, Client Certificate & Code Signing Certificate Support (digicert.com).
Under Certificates: Form/Document Library you will find all forms and documents.
The Swiss Government PKI has delegated the issuance of publicly trusted SSL/TLS certificates to one partner company.
As a result, the issuance procedures for web SSL/TLS certificates and the registration of organisational units and domains will be adjusted in line with our partner's verification criteria and security requirements. It goes without saying that our partner's issuance procedures are also subject to international norms and standards, the rules set by the CA/browser forum and the associated audit procedures.
Registered users (which our partner refers to as "subscribers") have the option of autonomously requesting or revoking SSL/TLS certificates, depending on their authorisations.
The verification and authorisation of subscribers and requests remain under the control of the Swiss Government PKI.
Order/request
In order to submit a successful request for an SSL/TLS certificate, subscribers must first meet the following criteria:
- Class B certificate
The subscriber must hold a Swiss Government PKI class B certificate. - Administrator of the relevant server
The request is submitted by means of a certificate signing request. This must be generated on the relevant server with a new key pair. The subscriber/server administrator must have the necessary skills to create such a CSR, as well as administrator rights for the relevant server. - Domain authorisation
Subscribers must be authorised to create certificates for the relevant domain. In other words, they must be registered for this function with the Swiss Government PKI. New subscribers for SSL/LS certificates must register with the Swiss Government PKI using the corresponding form (see below). - Organisation registration
During registration, the SG PKI verifies the existence and operability of the organisation. Among other things, the organisation's UID is verified (see also www.uid.admin.ch). - EV SSL/TLS certificates
For EV SSL/TLS certificates, the partner certification authority additionally requires an authorisation letter from the organisation. You can find a template for this purpose below.
Ordering
- In preparation for the application for the (EV) SSL/TLS certificate, a Certificate Service Request (CSR) must be created on the relevant server.
- The CSR must be generated with a new key - reusing an existing key would produce an error when the request is processed centrally.
Please order the SSL/TLS certificate via Ticket
(Service Desk BIT 058 465 88 88 or RoBIT.
Creating the key pair and CSR file
In the event that any queries remain regarding how to create a correct CSR, a detailed description can be found at Creating the key pair and CSR file.
Revocation
- All subscribers to the partner portal can autonomously revoke the certificates they have issued.
- The revocation of a TLS/SSL certificate can also be requested via ticket (Service Desk BIT 058 465 88 88 / RoBIT).
Documentation
QuoVadis Global Privacy Notices