Digital Signing guidelines - NatWest
7. Hardware Security Module
Customers opting for a Hardware Security Module (HSM) solution should look to have this device installed and
part-configured* ahead of submitting the Bankline Direct registration mandate.
Bankline Direct certificates will be supplied as part of the service registration process and are chargeable, with a lifespan of
three years. Please refer to your Relationship Manager or Implementation Manager for more details.
*Pre-configuration of Bankline Direct transmissions security (as outlined in section 5) cannot be completed until
the details have been supplied.
7.1 HSM Requirements
The Bankline Direct service requires HSMs to conform to the FIPS 140-2, Level 2 standard. Please consult your
HSM supplier for more information.
7.2 HSM Setup
During the registration process, the customer will receive a letter and a form from NatWest containing details on
how to generate a Certificate Request.
The Certificate Request must be generated from the HSM module and copied to a CD. The CD must be posted to
NatWest (details outlined in the letter). Once the Certificate Request has been received by NatWest,
a customer-specific Certificate will be generated by TrustAssured (who are the NatWest certificate authority).
The customer-specific Certificate will be emailed in a zip file back to the requester for uploading into the HSM
module. The following details will be sent to the customer:
- Production root.cer
- Production Sub CA.cer (this is the issuing certificate of the Certificate Authority that signed the customer’s Certificate Signing Request)
- .cer (this is uploaded into the HSM)
7.3 Integration
The HSM module must be configured to apply a digital certificate to payment files to an S/MIME standard.
The following S/MIME file signing options must be enabled:
- the message syntax can be PKCS7 or CMS
- the algorithm must be SHA-1
- the signature can be detached (original data not included) or embedded (original data included)
- the Content Transfer Encoding can be None or Base64
The signing certificate can be included but it is not used. The customer’s public certificate(s) will already have
been registered on Bankline Direct as part of the registration process.
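A pre-submission check of a signed file's MIME envelope against the options listed in 7.3, as an added example (not NatWest's or any HSM supplier's code). The function name, the sample messages and the reading of "None" as an absent header or an RFC 2045 identity encoding are assumptions; for embedded signatures the digest algorithm sits inside the PKCS7 structure and cannot be read from the headers.

```python
from email import message_from_bytes

SIG_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
ENV_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
# Assumption: "None" = header absent or an RFC 2045 identity encoding.
ALLOWED_CTE = {"", "7bit", "8bit", "binary", "base64"}

def _cte(part):
    return (part.get("Content-Transfer-Encoding") or "").strip().lower()

def check_envelope(raw: bytes):
    """Return (mode, problems) for the MIME headers of an S/MIME signed file."""
    msg = message_from_bytes(raw)
    ctype, problems = msg.get_content_type(), []
    if ctype == "multipart/signed":          # detached: data part + signature part
        mode = "detached"
        if str(msg.get_param("protocol") or "").lower() not in SIG_TYPES:
            problems.append("protocol is not a PKCS7 signature type")
        micalg = str(msg.get_param("micalg") or "").lower()
        if micalg not in {"sha1", "sha-1"}:
            problems.append(f"micalg is {micalg!r}, expected SHA-1")
        parts = msg.get_payload() if msg.is_multipart() else []
        if len(parts) != 2 or parts[1].get_content_type() not in SIG_TYPES:
            problems.append("expected two parts, the second a PKCS7 signature")
        elif _cte(parts[1]) not in ALLOWED_CTE:
            problems.append(f"signature part encoding {_cte(parts[1])!r} not allowed")
    elif ctype in ENV_TYPES:                 # embedded: data inside the PKCS7 blob
        mode = "embedded"                    # digest algorithm is not in the headers
        if str(msg.get_param("smime-type") or "").lower() != "signed-data":
            problems.append("smime-type is not signed-data")
        if _cte(msg) not in ALLOWED_CTE:
            problems.append(f"encoding {_cte(msg)!r} not allowed")
    else:
        mode = "unsigned"
        problems.append(f"{ctype} is not an S/MIME signed type")
    return mode, problems

# Constructed samples; "AAAA" stands in for the signature bytes.
DETACHED_BAD = (
    b'Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";'
    b' micalg="sha-256"; boundary="b1"\r\n\r\n'
    b'--b1\r\nContent-Type: text/plain\r\n\r\nconstructed payment line\r\n'
    b'--b1\r\nContent-Type: application/x-pkcs7-signature; name="smime.p7s"\r\n'
    b'Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n--b1--\r\n')
DETACHED_OK = DETACHED_BAD.replace(b"sha-256", b"sha1")
EMBEDDED_BAD = (
    b'Content-Type: application/pkcs7-mime; smime-type=signed-data\r\n'
    b'Content-Transfer-Encoding: quoted-printable\r\n\r\nAAAA\r\n')
if __name__ == "__main__":
    print(check_envelope(DETACHED_BAD), check_envelope(EMBEDDED_BAD))
```

This inspects headers only; it does not verify the signature or the certificate chain.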