Trustis
Trustis HMRC SET Certificate Service -- Frequently Asked Questions (FAQ)

    Which formal registration bodies can I use to support my organisation's certificate application?
    What is needed for a Letter of Authority?
    Which identity documents can be used to support certificate applications?
    Who can endorse a copy of my identity documents?
    What is needed to endorse the copy of my identity document?
    Why must I provide all the registration information?
    What authentication standards do HMRC SET Certificates issued by Trustis meet?
    What happens if my application details cannot be corroborated?
    Can I be guaranteed that I will be issued a certificate?
    Can I use HMRC SET certificates issued by Trustis for other purposes?
    What security and assurance standards does Trustis use for HMRC SET certificate services?
    Why must I have more than one certificate?
    What is a SET Reference Number (SRN)?
    What submission options do I have when applying for HMRC SET certificates?
    What is a PKCS#10 Certificate Signing Request (CSR)?
    What is the Online method for generating and submitting a CSR?
    Which web browsers are supported for use with Trustis' portal for HMRC SET Certificates?
    What is the minimum size of the Public Key submitted with my request?
    I have received an email after sending my request. What do I do next?
    How do I collect my certificate?
    What if I requested my certificates using the Online Request option?
    What if I requested my certificates using the PKCS#10 request option?
    I am using Internet Explorer and cannot see Microsoft Enhanced Cryptographic Provider v1.0. What should I do?
    I am creating a certificate request and a warning message has popped up saying “An Active X control on this page might be unsafe to interact with other parts of the page. Do you want to allow this interaction?”
    The web browser compatibility test shows a red cross next to one or more tests. What should I do?
    How do I renew my certificate?


Which formal registration bodies can I use to support my organisation's certificate application?
You can use any of the following registration bodies when submitting your application. These options will be made available to you on the application form.

Acceptable bodies are:

  • registered with the FSA as a Financial Services Firm;
  • registered with the FSA as a Payment Services Firm;
  • registered with the FSA as an Exempted Professional Firm;
  • a Limited Company and registered with Companies House in the UK;
  • a law firm registered with the Law Society of England and Wales (LS);
  • a law firm registered with the Law Society of Scotland (LSS);
  • a law firm registered with the Law Society of Northern Ireland (LSNI);
  • registered with the Association of Chartered Certified Accountants (ACCA);
  • registered with the Institute of Chartered Accountants in England & Wales (ICAEW);
  • registered with the Institute of Chartered Accountants in Scotland (ICAS);
  • registered with the Institute of Chartered Accountants in Ireland (ICAI);
  • registered with the Royal Institution of Chartered Surveyors (RICS);
  • registered with the Council for Licensed Conveyors (CLC);
  • registered with the Institute of Chartered Actuaries (IoA);
  • registered as a charity with the Charity Commission.

If your organisation is registered with a formal body which is not listed, the Trustis Registrars will contact you to confirm acceptability and progress your application.

What is needed for a Letter of Authority?
A letter on company headed paper can be faxed to Trustis on +44 1635 231 366. It must be signed by a person who is authorised to sign on behalf of your organisation. You can obtain a template for the letter by clicking here.

Which identity documents can be used to support certificate applications?
An endorsed identity document that provides details of the Nominated Recipient for the certificate is required. You will need to confirm the identity document to be submitted as part of your online application.

NOTE: Do not send original identity documents; please submit only endorsed copies of such documentation.

Acceptable identity documents are:

  • a current signed passport;
  • a residence permit issued by the Home Office to EU Nationals on sight of own country passport;
  • a current UK photocard driving licence;
  • a current full UK driving licence (old version) - old style provisional driving licences are not acceptable;
  • a current benefit book or card or original notification letter from the Department for Works & Pensions confirming the right to benefit;
  • a building industry sub-contractor's certificate issued by the Inland Revenue;
  • a recent Inland Revenue tax notification;
  • a current firearms certificate;
  • a birth certificate;
  • an adoption certificate;
  • a marriage certificate;
  • divorce or annulment papers;
  • an Application Registration Card (ARC) issued to people seeking asylum in the UK (or previously issued standard acknowledgement letters, SAL1 or SAL2 forms);
  • a GV3 form issued to people who want to travel in the UK but do not have a valid travel document;
  • Home Office letter IS KOS EX or KOS EX2;
  • Police Registration Document;
  • HM Forces Identity Card.

Who can endorse a copy of my identity document?
Typically, the representative of your organisation who is authorising the certificate application can endorse your identity document. A bank and/or building society official or a director/manager/personnel officer of a VAT-registered company is acceptable.

A full list of qualifying professionals is available here:
http://www.direct.gov.uk/en/TravelAndTransport/Passports/Applicationinformation/DG_174151

What is needed to endorse the copy of my identity document?
Your identity document must be endorsed with the words:

"I certify that this is a true and accurate copy of the identity document for [insert name of Nominated Recipient]"

The declaration must also include:

  • the signature of a certifying professional;
  • the name of the certifying professional;
  • the profession of professional body of the certifying professional;
  • the date the document copy was certified.

Why must I provide all the registration information?
Trustis must provide HMRC SET certificates to standards prescribed by HMRC. This includes confirming the details of the organisation receiving a certificate.

HM Government has established mechanisms for ensuring the identity of organisations and individuals who represent them. This is achieved by a process of corroboration and checking. The information and documents you provide allow this process to be completed.

What authentication standards do HMRC SET Certificates issued by Trustis meet?
Trustis provides HMRC SET certificates in compliance with HMG Standards. Specifically, Level Two of HMG's Minimum Requirements for the Verification of the Identity of Organisations, e-Government Strategy Framework Policy and Guidelines, Version 2.0, January 2003.

What happens if my application details cannot be corroborated?
If Trustis cannot satisfactorily complete registration with the initial information you provided, our registration staff will contact you. You may be required to correct your submitted information or provide additional evidence so that your organisation's identity can be assured.

Can I be guaranteed that I will be issued a certificate?
No. Whilst rare, it is possible that some organisations are unable to fulfil the standard required by HMG. In such a case, it is not possible for Trustis to issue a certificate.

Can I use HMRC SET certificates issued by Trustis for other purposes?
No. The Trustis certificates issued for HMRC SET Service are configured only for use with HMRC SET Service. Furthermore, HMRC requires exclusive use of the certificates that you use with its SET service. Trustis provides a range of digital certificates for other requirements; details can be found at www.trustis.com

What security and assurance standards does Trustis use for HMRC SET certificate services?
Trustis provides HMRC SET certificates from specialist secure facilities. The facilities and services it provides are approved and/or externally audited to ISO 27001, tScheme and WebTrust standards. Trustis' HMRC SET certificate service is compliant with the standards required by HMRC for certificates used with SET services.

Why must I have more than one certificate?
Digital certificates enable encryption of data, identification of the sender of data and assure the integrity of sent data. HMRC SET Service uses separate certificates for communication to and from its SET infrastructure. To support this, Trustis provides an integrated service that delivers both encryption and signing certificates as part of a single application.

What is a SET Reference Number (SRN)?
The SET Reference Number or SRN is assigned to applicant organisations by HMRC; it is your organisation's unique identifier within the HMRC SET service.

What submission options do I have when applying for HMRC SET certificates?
You may submit your certificate request by one of two methods: 1) generate and submit a PKCS#10 Certificate Signing Request with your application information, or 2) generate a certificate request using our online facility.

What is a PKCS#10 Certificate Signing Request (CSR)?
A PKCS#10 Certificate Signing Request (CSR) is a specially coded data file/message sent to a Certificate Authority in order to apply for a digital certificate. The CSR will contain information identifying the applicant (e.g. Distinguished Name information) and the applicant's Public Key. The CSR will not contain the applicant's Private Key.

The information pack provided by HMRC explains how to prepare a PKCS#10 Certificate Signing Request or alternatively you can use our online CSR generator which is simple and easy to use – see below.

Please be aware

  • Private keys must be kept secret. HMRC requires compromised keys to be replaced.
  • If you want to export your Private TLS from your Internet browser you should import it as “exportable”.
  • In order to prevent unknown signer warnings in an encryption tool’s verification history, create a local key and use it to sign all the HMRC SET keys as trusted with it.
  • Opening or overwriting a certificate can corrupt it beyond use. Move certificates using copy and paste.

    What is the Online method for generating and submitting a CSR?
    Trustis provides an online facility whereby HMRC SET certificate applicants can generate a key pair and Certificate Signing Request using a supported web browser instead of pre-generating a PKCS#10 request. Once the application has been approved and the certificate issued, the user will download the certificate using the same web browser. The full certificate and key pair can then be exported from the browser and used within other HMRC-approved applications.

    Which web browsers are supported for use with Trustis' portal for HMRC SET Certificates?
    Currently, Trustis supports the following browsers and operating systems for use with HMRC SET Certificate Portal:

    • Microsoft Windows 7 using Microsoft Internet Explorer (MSIE), version 10 in version 8 mode
    • Microsoft Windows 7 using Microsoft Internet Explorer (MSIE), version 8
    • Microsoft Windows Vista using MSIE, version 7 and above
    • Microsoft Windows XP using MSIE, version 6 and above
    • Microsoft Windows operating systems using Mozilla Firefox, version 3.5 and above.

    What is the minimum length of the Public Key submitted with my request?
    Trustis require that all certificate requests include a Public Key of 2048 bits in length. This key length is enforced by our systems and keys less than 2048 bits in length will be rejected. If you are submitting pre-generated PKCS#10 CSRs, you will be provided with the opportunity to test these in order to ensure they meet the required minimum length. Applicants using our online method for key generation will automatically generate keys at the required length.

    I have received an email after sending my request. What do I do next?
    You will receive one email per certificate request, so you should receive one email for the ‘TO’ certificate request, and one for the ‘FROM’ certificate request. The emails will contain a link to the certificate. When clicking on the link, please ensure that you are using the same machine and web browser that you originally used to create the certificate requests.

    How do I collect my certificate?
    Depending on how you ordered your certificates, you will either need to download your certificates, or install them. Please see the FAQ’s - Online Request option and PKCS#10 request option

    What if I requested my certificates using the Online Request option?
    You will receive one email per certificate request, with a link to the web site to collect your certificate. The link will take you to a page which will be split into two sections. Go to the section for ‘Online request’. Click the ‘Install certificate’ button and then follow the on-screen instructions.

    What if I requested my certificates using the PKCS#10 request option?
    You will receive one email per certificate request, with a link to the web site to collect your certificate. The link will take you to a page which will be split into two sections. Go to the section for ‘PKCS#10 request’. Copy the PEM file as per the on-screen instructions.

    I am using Internet Explorer and cannot see Microsoft Enhanced Cryptographic Provider v1.0. What should I do?
    This may be because you have not allowed ActiveX scripts to run. Please refer to the configuration guides according to your operating system - See online Help

    I am creating a certificate request and a warning message has popped up saying “An Active X control on this page might be unsafe to interact with other parts of the page. Do you want to allow this interaction?”
    This is a security message from the web browser. Choose Yes. This will allow the web site to run correctly.

    The web browser compatibility test shows a red cross next to one or more tests. What should I do?
    Have you followed the instructions for configuring your web browser? Go to the link See online Help If you have followed all the instructions and are still getting the red crosses, please contact Trustis support.

    How do I renew my certificate?

    There are two types of renewal: those who purchased a multi year subscription who have paid in advance and those who are have had a certificate previously but need to make payment for a single year or a multi-year subscription. In either case if you apply in advance of expiry of the current certificate renewal will be simpler.
    The rules laid down by HMRC permit certificate renewal only in a limited time window, (a maximum of one month), in advance of expiry of your existing certificate.

    If you have purchased certificates from us previously you will be informed about renewal via email to the address you provided during your original application. This will give you a URL link to a webpage where you can process your renewal. This process will allow you to generate an online request or submit a new PKCS#10 certificate request for your new certificate. Note – you are required to generate a new request, you must not use a private key associated with any previous certificate.

    You must complete your renewal process in the same window or tab that you started in. If you navigate away from the page it will be necessary for you to begin again using the link provided in the email.

    The renewal process includes collecting some information from you. This allows us to revalidate you eligibility for a certificate in order to comply with HMRC requirements. Even if you apply early the expiry of your new certificate will be on the anniversary of the expiration of your previous certificate so that you certificates will be valid for your full subscription period. Your previous certificate will remain valid until it expires, however it is important that you collect, install and test your new certificate prior to the expiration of your existing one.

    Please be aware that if the SRN or applicant have changed since the last certificates were issued or if the previous certificates have expired, we will need a letter of authority and personal evidence so we can perform the full verification required by HMRC.

    Your renewal application will be processed and you will receive an email containing a URL which allows you to collect your certificate. This is done in the same way as your previous certificate delivery. For full details, please see FAQ How do I collect my certificate.

 

 

Copyright © 2011 Trustis Limited. All Rights Reserved. This service is not responsible for the content of external websites.
Trustis Limited • Bldg 273 • New Greenham Park • Thatcham • RG19 6HN
Registered in England No: 03613613