Getting an Informatie Vlaanderen Service Account

In order to make a Service Account we need a certificate, that identifies your organisation. This certificate can not be self signed, in other words the identity and validity of the certificate must be verified by a third party. It is possible you already have such a certificate that you use to consume other services (consult your security officer). If this is the case, you can reuse this certificate and skip step 1 and 2. In the other cases you need to obtain a certificate by following these steps.

1. Find a certificate provider

   First of all you need to decide where to get a non self signed "Client Authentication" certificate. If your organisation is a Flemish local government organisation, or you are working under contract of a Flemish organisation, you can obtain a free certificate from the Flemish government. You're local administrator in ACM-IDM can provide someone with Certificate Administrator rights (Gebruikersrecht Certificatenbeheerder). This person can then provide the organisation with certificates at PKI Flanders. The Certificate Administrator can choose two options: {your organisation}.be/agiv-services-test and {your organisation}.be/agiv-services. The first one is for testing in our Beta environment. The second one will be deployed to our production environment. The intermediate certificates of the Flemish government can be found at CA Documents. If you are not a flemish government organisation, you can obtain this certificate from a provider of choice (VeriSign, GlobalSign, Comodo, ...).

2. Make a CSR, to send to the certificate provider.

   A CSR, is a certificate signing request. You can produce CSR's with OpenSSL. It is important you fill in this information correctly, the third party will check these data. Use a sensible name for the common name so it identifies the company, it contains the purpose of the certificate, and contains the environment it is used in. "serviceaccount.production.yourcompanydomain" or "serviceaccount.beta.yourcompanydomain" for example are sensible choices. If you generate the CSR online, you will receive the CSR and the private key in the emailaddress you provided. The CSR has to be send to the certificate provider, the private key needs to be protected in your organisation (delete the mail, and hold the private key safe see RFC 3647), consult your security officer if in doubt.

3. On receiving the certificate

   Once you received the certificiate from the provider you will need to send the certificate without the private key to Informatie Vlaanderen. We need the certificate and the chaining certificates in a .crt, .der, or .cer file. To make an account of the certificate we also need an emailaddress and the organisation where the account must reside. The emailaddress is used for notifying changes to the priviliges of the account. Once we received this information an external test account is made. Your private key must be installed on your server, where the call will be send from, please try to limit this to a single server (and his loadbalancing companions) that are in the domain or in control of the organisation. If you are developing a client application that needs to be installed on many devices, please contact us for figuring out other possibilites. If you installed this certificate you can finally test your service see How To: Consume an Informatie Vlaanderen SOAP Service.

You have two options for getting a Service Account for the production environment

• You can reuse the external test Service Account, but this means that your external test account is not longer available. if you wish to switch the account just send a mail to Informatie Vlaanderen.

• You can get a new certificate for either the external test account, or the production account following the above steps.

If you have a trust relationship with Informatie Vlaanderen, you can use your own accounts as service accounts, and you do not need to have a certificate. contact Informatie Vlaanderen for more information