Class A – Authority certificates (legal entities)

Certificate content

The owner authority is described in the certificate as a "distinguished name" in accordance with X.509. For regulated authority certificates, no information on the requester is stored outside the Swiss Government PKI. The certificate itself contains the authority's UID and the official name of the authority in the corresponding attributes "O=" and "OI=".

The certificate's "distinguished name" is determined according to the following rules:

• C = CH or LI country code in accordance with ISO 3166-1. This designates the country of the authority defined under the "O" RDN
• O = the O must match the name in the UID register (this is checked by the CSP and must be a maximum of 64 characters, https://www.uid.admin.ch)
• CN = commonly used name of the administrative office. This name does not have to match the registered name exactly (designation according to UID register).
• OI = NTRCH-CHE-nnn.nnn.nnn (= UID of issuing authority according to UID register), as required by the ESigA
• OU_1-2 = more detailed designation of the organisational unit according to federal directory (department, division, etc.) to which the certificate is attributed. Two OU fields may be entered.
• OU₃ = authority identification:
  • UID entities with the following codes for the legal form: 0117, all beginning with 02 (e.g. GE - 0220 - official abbreviation or name of federal authority (federal office))
• L = designation of the commune in which the authority is based
• SP = designation of the canton in which the authority is based
• E-Mail = email address which may be listed in a verification report in the event of an automated check of an electronically sealed document, in order to show the information office for the signed document type.

Submitting a request

As a prerequisite for being issued with a regulated authority certificate, the organisation must have a UID entity as defined in Article 3 paragraph 1 letter c of the Federal Act of 18 June 2010 on the Business Identification Number (BINA), version of 1 January 2022.The requester must be an authorised signatory for the UID entity concerned. They must be able to prove such authorisation by means of either a notarised commercial register extract or a legally signed power of attorney (proxy). The requester must be physically present for the issuance of the certificate.

The forms "Request form for a regulated authority certificate" and "Power of attorney for requesting a class A regulated authority certificate" shall be signed by the requester or person granting the proxy by means of an electronic signature certificate, and submitted to the SG PKI via MAC remedy.
In the case of the server-based authority certificate (seal), there is no need for a personal appointment if both the request form and the power of attorney are signed with a qualified certificate.

In the case of a seal on a smart card, a personal appointment is always required.

Using the certificate

More than one certificate can be issued for the same organisation (authority). The requests may be submitted by the same person at the authority. A regulated authority certificate can be set up on both a smart card and the SG PKI signature server (for clients within the Federal Administration only).

• Smart cards with the authority certificate may be handed over by the requester to employees in an orderly manner, whereby the requester bears the responsibility on behalf of the authority to record the handover of the certificates in writing in a traceable and complete manner.
• In the case of server-based authority certificates, the requester can authorise other people by means of the form «Request for authorisation to use seals», and can also rescind that authorisation.
• If the server-based seal is used in a specialist application via a TLS connection, the authorisation is granted via the specialist application.

Revocation

Revocation can be requested directly from the Swiss Government PKI by means of a revocation form and MAC remedy. The same prerequisites apply to revocations as to requests; alternatively, the requester can apply for the revocation.

• What are the reasons for a revocation?

  • The smart card has been stolen or cannot be located
  • The smart card is defective
  • Both PINs and PUKs for the smart card have been lost or forgotten
  • Termination of employment relationship
  • Changes in details on the certificate (authority name, email address, etc.)
  • Suspicion that the private key has been compromised (revealed) and someone else could use a service, e.g. sign an email.
  • Reorganisation
  • The current proxy user is not complying with the rules (non-observance of CP/CPS)
  • The LRAO considers that revocation is appropriate for other reasons

• Who can request a revocation?

  • The original requester
  • Certificate owners: authorised signatories as entered in the UID or commercial register
  • Line managers
  • The Swiss Government PKI officer
  • The Swiss Government PKI security officer
  • The Swiss Government PKI LRAO
  • The ITSOO of the office concerned

• How can a revocation be requested?

  • The original requester can go in person to a local registration office
  • An authorised person can send a revocation request by post to a local registration office
  • An authorised person can sign a revocation request with the signature key, unless the reason for the revocation request is a suspected or actual compromise of that signature key

  If the revocation request is not made by the original requester, the request must always be in writing and must be signed.