This page contains informations about how to use a certificate to authenticate yourself on applications from the FPS Finances.

This page is split into the following sections :

1. Technical requirements
2. Getting a digital certificate
3. Usage with Internet Explorer
4. Usage with Firefox
5. Troubleshooting

For issues related to digital signature, please follow this link.

1. Technical requirements

The authentication with certificate requires the digital signature of an identication token. Creating a digital signature requires up-to-date browsers and libraries for encrypting data. Not all browsers are able to make such a signature. The following browsers are supported (other browsers may work but are not officially supported) :

1. Internet Explorer >= 5.5
2. Firefox >= 3.0

The components required for making digital signatures are the following :

• A digital signature certificate.
• For Internet Explorer :
  • The CAPICOM library (should be automatically installed, see section 3).
• For Firefox :
  • Nothing (natively supported).

2. Getting a digital certificate

A certificate is needed to authenticate yourself with the system.

3. Usage with Internet Explorer

3.1. Installation of the CAPICOM library

This library is used to digitally sign data, verify digital signatures, envelop data for privacy, hash data, encrypt/decrypt data and more. If this library is not present on your computer, it is automatically installed, when possible. Depending on your configured security level, you may have to perform the following steps :

Low security level configured, or site minfin.fgov.be belonging to trusted sites

With such configuration, the CAPICOM library is automatically installed. You can jump to section 3.2. To see how to add the site of the Ministry of Finances to the list of trusted sites, see here.

Medium security level configured, site minfin.fgov.be not belonging to trusted sites

With this configuration, Internet explorer will first ask you if ActiveX controls can be actived. Click on the bar located on the top of the screen, and click on "Install ActiveX Control...".

Internet Explorer will next ask you the authorization to install the CAPICOM library. You can safely install this component. Click on "Install".

Highest security level configured, or manual installation of CAPICOM

If you need to manually install the CAPICOM library, a version for Internet Explorer 6.0 SP1 and above can be manually downloaded and installed from the Microsoft web site.

A copy of the CAPICOM library is also locally available here. Follow these steps to register this library in Windows:

1. Download capicom.cab
2. Unzip the file
3. Copy the capicom.dll library to the system directory of Windows, usually C:\Windows\System32
4. Open a Command Prompt as Administrator :
   Start > Programs > Accessories > right click on Command Prompt > Run as... > Administrator
5. Enter the system directory : cd \Windows\System32
6. Register the library : regsvr32 capicom.dll
7. Restart the browser

3.2. Installing a digital certificate into Internet Explorer

The digital certificate need to be registered into your browser(s). Many certificate providers give a tool to register it automatically. When the certificate is only provided as a file, the following steps are needed to load it into your browser.

1. In Internet Explorer : go to "Menu Tools" > "Internet Options..."
2. Click on tab "Content", next on button "Certificates...". A list appears with all your installed certificates.
3. Click on "Import...". This opens a wizard. Click on "Next".
4. On the dialog box that appears, enter the complete path to your certificate file, and click on "Next".
5. Enter the password you received from the Certification Authority. You can also mark the private key as exportable. Click on "Next".
6. Choose "Automatically select the certificate store..." and click on "Next".
7. You will received a message indicating whether the import was successful or not. Click on "Finish".
8. The newly imported certificate should now appear in the tab "Personal" of the "Certificates" dialog box. You can check the validity of the certificate by double-clicking on it. You should see the mention "You have a private key that corresponds to this certificate".

3.3. Configuring Internet Explorer

Some options must be activated to allow you to make a digital signature:

1. Go to menu Tools" > "Internet Options...".
2. Click on tab "Security", "Custom Level".
3. Make sure that "Microsoft VM > Disable Java" is NOT checked.
4. Check that "Scripting > Active scripting" is set to Enabled.
5. Check that "Scripting > Scripting of Java applets" is set to Enabled.
6. Check that "ActiveX controls and plug-ins > Download signed ActiveX controls" is set to Prompt or Enabled.
7. Check that "ActiveX controls and plug-ins > Run ActiveX controls and plug-ins" is set to Enable.
8. Check that "ActiveX controls and plug-ins > Script ActiveX controls marked safe for scripting" is set to Enable.
9. Click on "OK", and "Apply".

4. Usage with Firefox

Digital signature is natively supported in Firefox. However, your certificate must be carefully imported into Firefox. The process of importing the certificate into Firefox should be described by your Certification Authority. Note that Isabel certificates may not be supported by Firefox.

4.1. Installing a digital certificate into Firefox

When the certificate is provided as a file, it must be in the PKCS12 format (extension : .p12). If it is not, the certificate can still be imported and exported into this format using Internet Explorer, or by using openssl. Contact your certificate provider for those questions. The following steps are needed to load your certificate into Firefox :

4.1.1 Open the Firefox Certificate Manager

1. Go in menu "Tools > Options... > Advanced" or "Edit > Preferences > Advanced" depending on your version of Firefox.
2. Click on tab "Security" or "Encryption" depending on your version of Firefox.
3. Click on "Show certificates" or "View certificates". This opens the Certificate Manager

4.1.2 Check that the certificate of your CA is trusted by Firefox

Firefox will not trust your certificate if your Certification Authority (CA) is not trusted by Firefox. Here is how to check that your CA (e.g. GlobalSign, Certipost, QuoVadis, ...) is trusted by Firefox :

1. In the Firefox Certificate Manager, select tab "Authorities".
2. For GlobalSign certificates : check that the certificate "GlobalSign PersonalSign Class 3 CA" is present.
3. For Certipost certificates : check that the following certificates are present : "Certipost E-Trust Primary CA for Qualified certificates" and "Certipost E-Trust Secondary Qualified CA for Physical Persons".
5. For QuoVadis certificates : check that the following certificates are present : "QuoVadis EU Issuing Certification Authority G2" and "QuoVadis EU Issuing Certification Authority G3".

You can check which CA is needed for you by looking at the name of the issuer of your certificate. This name can be viewed on Windows by opening the certificate.

If the certificate of your CA is missing in Firefox, you must import it. Here is how to import it :

1. • Either click on the certificate(s) of your provider :
     • GlobalSign Root CA (For GlobalSign certificates, should already be known by Firefox)
     • GlobalSign Primary Class 3 CA (For GlobalSign certificates)
     • GlobalSign PersonalSign Class 3 CA (For GlobalSign certificates)
     • Certipost E-Trust Primary Qualified CA (for Certipost certificates)
     • Certipost E-Trust Secondary Qualified CA for Physical Persons (for Certipost certificates)
   • Or (more difficult but more secure ) :
     1. download the certificate of your CA from their web site (see http://www.certipost.be/, http://www.globalsign.com/ or https://www.quovadisglobal.be). Contact your CA for any help.
     2. Open the Firefox Certificate Manager (see section 4.1.1).
     3. Select tab "Authorities", and click on "Import".
     4. Select the certificate of the CA.
2. In each popup window that appears, check all boxes and click on "OK". See figure below.

4.1.3 Import your certificate

1. In the Firefox Certificate Manager, select tab "Your Certificates".
2. Click on "Import".
3. Select the file containing your certificate, and click on "Open".
4. Depending on your configuration, you will be asked to enter the password for accessing your keystore.
5. Next, enter the password you received from the Certification Authority, and click on OK.
6. Your certificate should now appear in the tab "Your certificates".

4.1.4 Check that your certificate is correctly installed

1. In the Firefox Certificate Manager, select tab "Your Certificates".
2. Select your certificate and click on "View".
3. Check that Firefox correctly recognize the purposes of the certificate (See figure below)

4.2. Configuring Firefox

Some options must be activated to allow you to make a digital signature :

1. Go in menu "Tools > Options... > Web Features" (Or "Edit > Preferences > Web Features" in old versions).
2. Make sure that option "Enable Javascript" is checked. Check also that your browser does not block popup windows coming from our web site.

4.3. Using your certificate to authenticate yourself

This section describes how you can use your certificate to authenticate yourself on an application of the FPS Finances.

1. If multiple authentication mode are proposed, select "Certificate Authentication" :
   
2. A new screen appears and a popup windows like the one below shows up :
   
3. Select your certificate and, if needed, type the password that secures the access to all your certificates. By default, this password is not set in Firefox. In that case, just leave this field blank ank clik "OK". Note that this is not the password that was given by your your Issuer and that protected your certificate. It is instead the password that you can set in Firefox here : Menu Edit > Preferences > Advanced > Encryption > Security Devices, select Software Security Device and click on "Change Password". It is strongly recommended that you set such password to protect the access to your software certificates.
   

5. Troubleshooting

Error 101 : No data to sign

There is no data to sign. This problem usually appears if you used the "back" button or if some error occurred in the application. In such situations, it may happen that the application "loses" the document that you wanted to sign. You probably need to go a few steps backward, and restart the signature processus.

Error 501 : The CAPICOM library is not properly installed, aborting. (IE only)

The CAPICOM library was not found. Make sure that a file named capicom.dll is present in your Windows system directory (usually C:\Window\System32\ or C:\Winnt\System32). This library should have been automatically installed, provided that you authorized the installation, see section 3.1.

To enable automatic installation, you can tell the browser to trust the Web site of the Ministry of Finances :

1. Go in menu "Tools > Internet Options...", tab "Security"
2. Click on "Trusted Sites", button "Sites..."
3. Type in the text box "*.minfin.fgov.be", and click on "Add" to add the site to the list of trusted sites. See screenshot below.
4. Click on "OK", and next on "Ok".

Error 502 : The certificate store does not contain any certificate. (IE only)

You do not have any certificate installed in your browser, or no certificate is suitable for signing a document. Make sure you successfully imported your digital certificate in the browser.

Error 503 : Failed to access the keys of the selected certificate. Permission was probably denied. (IE only)

This is a permission issue. The current user does not have sufficient permissions to access the key of your certificates. These keys are stored in "Key containers" for which you should have access. The steps to resolve this problem depend on the version of Windows you are using :

Windows NT :

The permission of the key container are specified in the registry. To change these permissions, open regedt32 (not regedit!), open the hive HKEY_LOCAL_MACHINE and highlight the key HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MachineKeys\<container name>. Select Security/Permissions from the menu and make sure Everyone has Full Control over this key.

Windows 2000 and Windows XP :

In Windows Explorer, locate the C:\Documents and settings\<username>\Application Data\Microsoft\Crypto\RSA\ directory. Change the access rights on this directory and all the files it contains by performing the following steps :

1. Right-click on the C:\Documents and settings\<username>\Application Data\Microsoft\Crypto\RSA\ directory.
2. Point to Properties
3. Click Security tab.
4. Make sure that You, the Administrator and the System have full control over this directory (check that all Allow boxes are checked).
5. Click Advanced.
6. Select the two check boxes (Inherit... and Replace...) on the bottom to enable the propagation of these access rights to all sub-directories and files.
7. Click Apply, then Yes, and OK.
8. Click OK.

You may have to reproduce these steps for the C:\Documents and settings\All Users\Application Data\Microsoft\Crypto\RSA\ directory

Note These are hidden files. In order to view these hidden files you must turn on the Display hidden files and folders option in Windows. To display hidden files and folders, perform the following steps:

1. Click Start, point to Settings, and then click Control Panel.
2. If you are in Category View : click Appearance and Themes
3. Click Folder Options.
4. On the View tab, under Hidden files and folders, click Show hidden files and folders.

Error 504 : Failed to access the keys of the selected certificate. Permission was probably denied. (IE only)

See Error 503.

Error 505 : Failed to access the keys of the selected certificate. Probable conflict between some of your certificates. (IE only)

The problem probably lies in some conflict between the certificates that are registered into Windows. This problem is related to Windows, not to the application. It can be solved by manually deleting certificates.

To delete a certificate on Windows 2000 or Windows XP:

1. Click Start and select Run.
2. Type mmc and press ENTER.
3. On the File menu, select Add/Remove Snap-In.
4. Click Add.
5. Double-click Certificates.
6. Select My user account.
7. Click Finish.
8. Click Close and then OK.
9. Double-click Certificates - current user.
10. Double-click Personal and then Certificates.
11. Click the certificate to delete.
12. Press DELETE and click Yes.
13. Close the Console1 window.

If you have a software certificate, you have to register it again in the browser.

Error 509 : Failed to make the signature. The certificate could not be found. (IE only)

This error appears when Internet Explorer cannot find the certificate selected. This error appears with Isabel certificates. This error is cause by a faulty update of the Isabel certificates by Isabel Office Sign. A solution is available on the Isabel on-line support (www.isabel.be), section "Isabel Web Support", under document ID 48700 (make a search using this ID). If this does not solve the problem, contact the Isabel Helpdesk.

Error 510 : An error occurred during the signature process (IE only)

The CAPICOM library failed to create the digital signature. Depending on the actual error, one or more of the following actions may help in solving this problem :

• Re-install the CAPICOM library. You can simply delete the capicom.dll file in your Windows System directory (e.g. C:\Windows\System32), and next perform the installation procedure (see above).
• Re-import your certificate, as it might be corrupted.
• Use Firefox
• Try with another computer and/or another Windows

Error 601 : Your browser failed to sign (Firefox only)

Your certificate is not correctly installed in Firefox and/or Firefox does not trust it.

Check that your certificate is trusted by Firefox. To do this, open the Firefox Certificate Manager (see section 4.1.1) and check that Firefox trusts your certificate (see section 4.1.4).

If you have some problem, read section 4.1 and check that :

• your certificate has not expired
• that the certificate of your Certification Authority (CA) is trusted by Firefox (see section 4.1.2)

If you still have a problem relating the use of your certificate with Firefox, please contact the issuer of your certificate provider (GlobalSign, Certipost, Isabel or QuoVadis).

Error 602 : No suitable certificate has been found (Firefox only)

Firefox could not find a suitable certificate. Try (re-)import your certificate and follow the advises given in section 4.1.

When I click "OK", the window that asks for the certificate pops up again in Firefox. (Firefox only)

The password you entered is not correct. Beware : this password is not the password of your certificate (the password that was given by you certificate provider). It is instead the password of the software security device that contains all your certificates. This password is blank by default in Firefox. You can thus leave the password field blank and clik on OK. Please read section 4.3.