Start a conversation

Entrust Agreements

The Sequoia Project Knowledgebase Article

IMPORTANT: WHEN FILLING OUT THE ATTACHED ENTRUST FORMS 1) MAKE SURE TO SCAN AND EMAIL (AS AN ENCRYPTED .ZIP FILE) THEM TO SEQUOIA SUPPORT STAFF AND 2) ENSURE TWO CHECK BOXES ARE CHECKED BY THE NOTARY FOR IDENTITY DOCUMENTS PROVIDED. FOR CAREQUALITY CERTIFICATES, YOUR CAREQUALITY IMPLEMENTER CAN SECURELY UPLOAD THESE DOCUMENTS TO SEQUOIA IF YOU WOULD PREFER NOT TO EMAIL THEM.

Since Sequoia uses an FBCA cross signed Managed Certification Authority provider we are required to obtain a notarized Entrust Subscriber Identity Verification form, and an Entrust Subscriber Agreement at least every 24 months. These forms indicate the person officially authorized by Participant's to receive and accept responsibility for the secure use and management of the Participant's x.509 public certificate and its associated keys. This individual will be identity proofed, in person, by a licensed Notary and will be required to show the Notary several forms of identification. These identification forms should be included in the application. Once the Entrust Subscriber Identity Verification form, and the Entrust Subscriber Agreement forms have been completed, they should be electronically returned to TechSupport (techsupport at sequoiaproject dot org) whom will store them on our secure, encrypted, file system for future reference and audits. Note that contrary to instructions in the forms, the agreements should be returned to Sequoia Support Staff, not Entrust. Entrust has the authority to audit the eHealth Exchange Support Staff to assure compliance with their processes.

Note that we no longer allow the use of Proxies. All certificate codes are sent directly to the Subscriber for him/her to securely distribute to any other staff, vendors, or contractors needed to install the certificate. But the Subscriber remains responsible for secure handling of the certificate at all times.

Additional items to be aware of:

1) If the certificate becomes compromised, or decommissioned, or otherwise needs to be revoked, then the Subscriber must immediately send an email to techsupport at sequoiaproject dot org, which will be acknowledged, indicating that the certificate should be revoked. It is also prudent to contact text the following mobile phone with the same information at 512 dash 897 dash 0748. Only the Subscriber is authorized to revoke, hold, request a re-issuance, and otherwise manage the certificate. So this person needs to be highly available and to understand secure X.509 certificate management.

2) Approximately every 12 months, the certificate signature will expire and need to be re-issued. Participants are responsible for contacting Sequoia approximately 3 weeks prior to the certificate expiration to request a new certificate. More advanced notice is permitted if needed to allow for proper Subscriber internal deployment planning.

4) During the actual key installation process, PRODUCTION access is normally disabled for a brief period. Subscribers are advised to have the gateway vendor(s) on call during this process as it key installation is often problematic. In addition, Sequoia Support Staff will make reasonable efforts to be on call during this operation in the event that the key needs to be re-issued. Subscribers that wish to have Support Staff on call should schedule the production installation with staff at least 2 weeks in advance. Also please note that Support Staff will normally only be able to re-issue x.509 certificates. We will not be able to provide other assistance in installing the certificate in your specific environment.

5) The Subscriber is responsible for ensuring that the x.509 certificate is maintained securely at all times.

6) After installation of your certificate, please let us know and Sequoia will execute a limited scope security test to check for basic configuration and security issues. This test is not a substitute for a security audit.

Please review the Certificate FAQ document for additional critically important information for both eHealth Exchange and Carequality certificates.

https://ehealthexchange.kayako.com/Knowledgebase/Article/View/7/0/ehealth-exchange-entrust-x509-certificate-faq

2_activation_entrust_subscriber_agreement.pdf

  1. 211 KB
  2. View
  3. Download

3_activation_entrust_subscriber_identity_verification.pdf

  1. 570 KB
  2. View
  3. Download
Download all
Choose files or drag and drop files
Was this article helpful?
Yes
No
  1. Eric Heflin

  2. Posted
  3. Updated

Comments