Digital Certificates

2010 Customs and Border Protection Type 3 digital certificate rollover

The existing Type 3 digital certificate used by the Australian Customs and Border Protection Service will expire on 23 September 2010, and Customs and Border Protection will be ‘rolling over’ to a newly issued certificate on Wednesday, 8 September 2010.

This means that users who send messages to the ICS (in both Industry Test and Production), using Electronic Data Interchange (EDI) software, need to rollover to the new Customs and Border Protection certificate.

The rollover will occur at 12:01am, with a scheduled outage between 12:01am and 4:00am. You must configure your Secure EDI application (SEDI) to accept the new Customs and Border Protection certificate on or after this time.

Important: This rollover does not affect any digital certificates that you or your organisation may have purchased. Organisations who only use Customs Interactive (the web-based component of the ICS), or who use the services of a bureau will not be affected by the rollover and will not need to take any action.

The below documents will assist in the rollover process, and answer any questions you may have.

2010 Customs Connect Facility (CCF) E-mail Gateway Type 3 digital certificate (zip file 1.36KB) - This certificate is an essential part of your EDI software. Customs recommends that you check with your software developer to confirm that your software includes these keys.

This is a PDF document Customs and Border Protection Type 3 certificate installation guide (202KB)

This is a PDF document Frequently Asked Questions (118KB)

Clients who intend to communicate electronically with Customs through the ICS must purchase one or more digital certificates. Clients are required to use PKI technology.

The security features of PKI include:

  • authentication (knowing who the message is from)
  • integrity (knowing it has not been tampered with)
  • non-repudiation (knowing that the sender cannot deny having sent it)

The Custom's PKI framework is established under the Government's 'Gatekeeper Strategy'. This means that Customs will only accept certificates issued by Certifying Authorities accredited under Gatekeeper, and which also meet Custom's service level standards. 
Currently the only Gatekeeper accredited Certifying Authority recognised by Customs is Verisign Australia. Digital certificates are purchased through Verisign.
Visit the VeriSign website.


What is a digital certificate?

A digital certificate should be considered as an electronic signature of either an individual and/or related entity. The digital certificate exists as a software file and is housed within web-browsers. A digital certificate creates a unique identifier that can be checked by the receiver of information to provide evidence of the sender's identity and confirm that the document (if signed) has not been altered or interfered with.
A digital certificate contains two separate certificate parts (each with public and private keys); one for signing (authenticating) and another for encrypting/decrypting electronic messages.


Who needs a digital certificate?

A digital certificate will be required by any organisation or person in the exporting, importing, brokering, forwarding, cargo reporting, cargo carrying/handling and related industries who will communicate directly with Customs electronically.
These include:

  • service providers - for example brokerages, cargo reporters, freight forwarders and bureaus
  • exporters, importers, and cargo reporters who communicate directly with Customs and who do not use service providers to communicate with Customs - if you use a service provider for some functions (for example to lodge import or export declarations) but intend to communicate directly with Customs for other functions (for example to use the diagnostic facility) you will still need to have a digital certificate
  • software developers for the purpose of developing software
  • Customs Interactive users.


How many digital certificates will be needed?

All direct electronic communicators will need at least one digital certificate. The number of certificates required by a business will be dependant on the IT setup and the method of communication chosen by the organisation.
For those businesses that plan to use EDI, the software developers who supplied the EDI software will be able to provide advice and assistance.


Types of certificates

There are five types of certificates available from certification authorities (CAs) for communicating with Customs, depending on the nature of the communicator.


Type 1 - grade 2 individual certificates
For users who are operating as an individual, where the digital certificate identifies and authenticates them personally.


Type 2 - grade 2 non-individual certificates
For organisations without an Australian Business Number (ABN), where the digital certificate identifies the organisation and the individual.


Type ABN-DSC grade 2 certificates
For organisations with an ABN (including sole traders and government agencies). The initial certificate will be issued to an authorised officer in the organisation. The authorised officer can then organise for additional certificates to be issued for other individuals within the organisation. These certificates will then be issued by the CA.


Type 3 (device) certificates
The type 3 (device) certificate will not authenticate human entities. This is a device or server-based certificate for organisations whose communications are signed by a server. This will be of direct relevance to businesses that use EDI to communicate with Customs. To obtain a type 3 (device) certificate, an applicant must have an ABN and obtain a type ABN-DSC certificate. The applicant must already have an ABN-DSC certificate in order to apply to the CA for a type 3 certificate.

Type 3 Host (Device) certificates
A Type 3 Host (Device) certificate is for use where your organisation wants a device certificate to be hosted by another organisation, called a host bureau.
You will need a Type 3 Host (Device) certificate if you require a host bureau to:

  • communicate import declarations to Customs on your behalf
  • host your digital certificate and private keys.

To obtain a Type 3 Host certificate you must first obtain an ABN-DSC Authorised Officer certificate. You must also have registered your ABN DSC details with Customs. Customs expects that most clients who communicate via EDI will use Type 3 (device) certificates. As these clients will also be ABN holders they will require a nominated employee within the organisation to be an authorised officer and hold a type ABN-DSC certificate. For businesses that plan to lodge import declarations in the ICS, the authorised officer must be the owner of the consignment or a licensed broker. That person can then seek additional certificates for others in the organisation who are required to communicate with Customs via Customs Interactive.

Important: VeriSign has discovered a technical issue with Gatekeeper Type 3 (Device) certificates that are generated using Internet Explorer 7 on Windows Vista. This issue results in a failure to decrypt messages that are delivered by Customs.
For more information, go to: http://www.verisign.com.au/gatekeeper/customs/device/, or view this document.

http://www.cargosupport.gov.au/site/page5951.asp modified: 27 August, 2010 4:06 PM