Legal repository
Conditions of use and documentation
Documentation regarding the terms and conditions of the provision of Actalis services can be downloaded from this page.
SSL and Code Signing certificates
Compliance documentation of the services
Root CA Certificates
Contractual documentation
Qualified Digital Signature
These documents apply to all forms of Qualified Electronic Signature, including Automatic Mass Signature and Remote Digital Signature.
Compliance documentation of the services
National Services Card (CNS)
Timestamping
Certificates
Root Certificate (self-signed) Time Stamping Authority
Issuer: CN=Actalis Time Stamping CA G1,OU=Certification Service Provider,O=Actalis S.p.A./03358520967,C=IT
Fingerprint SHA1: 4095 7377 f74A 3038 DAA6 04EA EA4C 5CFE 9C57 DE0A
Root Certificate (self-signed) Qualified Time Stamping Authority G1
Issuer: CN=Actalis EU Qualified TimeStamp CA G1,OU=Qualified Time Stamping Authority, organizationIdentifier=VATIT-03358520967, O=Actalis S.p.A.,L=Ponte San Pietro,C=IT
Fingerprint SHA1: d1 f7 93 53 f3 08 d0 a8 66 51 f4 3a 4a 6e 00 d8 1c 92 f5 77
Root Certificate (self-signed) Qualified Time Stamping Authority
Issuer: CN=Actalis TSA 1 EIDAS,OU=Qualified Time Stamping Authority,O=Actalis S.p.A.,C=IT
Fingerprint SHA1: 2320 7BF8 C3D6 275E 24F6 65B4 D950 CE0D 3EC6 AA43
Contractual documentation
Certificates - National Service Card (CNS)
Root Certificate (self-signed) for CNS of Provincia autonoma Bolzano
Issuer: C = IT, O = Actalis S.p.A., OU = Servizi di Certificazione, CN = Provincia autonoma Bolzano - CA Cittadini 2020
SHA1 Fingerprint=42:59:C5:8A:A7:B3:CA:1F:49:3E:99:FF:AE:45:15:CD:F5:72:DB:A4
Root Certificate (self-signed) for CNS of Provincia autonoma Trento
Issuer: C = IT, O = Actalis S.p.A., OU = Servizi di Certificazione, CN = Provincia autonoma Trento - CA Cittadini 2020
SHA1 Fingerprint=00:E6:80:1A:68:31:EE:21:FD:00:6A:6D:09:D5:F2:24:03:FE:64:09
Root Certificate (self-signed) for CNS of Regione Abruzzo
Issuer: C = IT, O = Actalis S.p.A., OU = Servizi di Certificazione, CN = Regione Abruzzo - CA Cittadini 2020
SHA1 Fingerprint=D6:CE:78:56:09:3B:A5:02:4A:62:37:0D:51:55:F1:01:4D:45:CB:95
Root Certificate (self-signed) for CNS of Regione Basilicata
Issuer: C = IT, O = Actalis S.p.A., OU = Servizi di Certificazione, CN = Regione Basilicata - CA Cittadini 2020
SHA1 Fingerprint=57:2B:25:4F:5E:7B:BF:5E:9B:08:85:43:B6:9F:8E:8E:61:2D:AD:DC
Root Certificate (self-signed) for CNS of Regione Calabria
Issuer: C = IT, O = Actalis S.p.A., OU = Servizi di Certificazione, CN = Regione Calabria - CA Cittadini 2020
SHA1 Fingerprint=6F:1E:E2:49:85:60:C5:5A:DF:AD:36:D6:49:75:FB:7F:1A:F1:53:CE
Root Certificate (self-signed) for CNS of Regione Campania
Issuer: C = IT, O = Actalis S.p.A., OU = Servizi di Certificazione, CN = Regione Campania - CA Cittadini 2020
SHA1 Fingerprint=FC:97:E8:7F:79:CE:68:6D:C6:2B:01:FE:94:33:70:61:59:12:CF:FA
Root Certificate (self-signed) for CNS of Regione Emilia Romagna
Issuer: C = IT, O = Actalis S.p.A., OU = Servizi di Certificazione, CN = Regione Emilia Romagna - CA Cittadini 2020
SHA1 Fingerprint=B8:01:25:4B:3E:44:D5:67:F2:70:D0:90:07:0A:8C:27:0F:68:25:D2
Root Certificate (self-signed) for CNS of Regione Lazio
Issuer: C = IT, O = Actalis S.p.A., OU = Servizi di Certificazione, CN = Regione Lazio - CA Cittadini 2020
SHA1 Fingerprint=A7:30:45:9B:8A:51:DF:B0:98:B5:C6:7E:F4:E0:48:1E:64:6A:93:95
Root Certificate (self-signed) for CNS of Regione Liguria
Issuer: C = IT, O = Actalis S.p.A., OU = Servizi di Certificazione, CN = Regione Liguria - CA Cittadini 2020
SHA1 Fingerprint=93:61:1A:C5:E7:EC:87:27:E8:B8:69:BD:80:CD:87:2D:60:D6:5F:5C
Root Certificate (self-signed) for CNS of Regione Lombardia
Issuer: C = IT, O = Actalis S.p.A., OU = Servizi di Certificazione, CN = Regione Lombardia - CA Cittadini 2020
SHA1 Fingerprint=ED:29:36:DB:F7:50:DF:6B:FF:60:F8:D3:C9:2D:C3:03:9D:A2:6B:DF
Root Certificate (self-signed) for CNS of Regione Marche
Issuer: C = IT, O = Actalis S.p.A., OU = Servizi di Certificazione, CN = Regione Marche - CA Cittadini 2020
SHA1 Fingerprint=65:1A:01:FF:DF:DE:CD:6F:9B:38:88:C9:9A:40:48:D2:8B:04:C8:94
Root Certificate (self-signed) for CNS of Regione Molise
Issuer: C = IT, O = Actalis S.p.A., OU = Servizi di Certificazione, CN = Regione Molise - CA Cittadini 2020
SHA1 Fingerprint=47:C1:47:C0:38:93:4D:A5:C3:B3:1C:60:AB:09:8C:1F:DC:48:0F:3A
Root Certificate (self-signed) for CNS of Regione Piemonte
Issuer: C = IT, O = Actalis S.p.A., OU = Servizi di Certificazione, CN = Regione Piemonte - CA Cittadini 2020
SHA1 Fingerprint=90:70:43:11:E7:5B:34:0A:EC:85:51:AA:F0:DE:DD:0C:85:E6:EB:B3
Root Certificate (self-signed) for CNS of Regione Puglia
Issuer: C = IT, O = Actalis S.p.A., OU = Servizi di Certificazione, CN = Regione Puglia - CA Cittadini 2020
SHA1 Fingerprint=40:50:45:0A:E7:A5:E4:40:06:17:0C:E9:01:B3:38:E6:96:A4:E6:5C
Root Certificate (self-signed) for CNS of Regione Siciliana
Issuer: C = IT, O = Actalis S.p.A., OU = Servizi di Certificazione, CN = Regione Siciliana - CA Cittadini 2020
SHA1 Fingerprint=26:7D:BE:0E:F7:5E:D0:8F:0E:2A:86:47:C9:93:0F:5B:36:C8:5C:40
Root Certificate (self-signed) for CNS of Regione Toscana
Issuer: C = IT, O = Actalis S.p.A., OU = Servizi di Certificazione, CN = Regione Toscana - CA Cittadini 2020
SHA1 Fingerprint=CA:74:F9:D7:DA:36:52:AB:42:FF:E6:6D:23:BD:14:B9:0B:3E:FF:14
Root Certificate (self-signed) for CNS of Regione Umbria
Issuer: C = IT, O = Actalis S.p.A., OU = Servizi di Certificazione, CN = Regione Umbria - CA Cittadini 2020
SHA1 Fingerprint=70:7B:A5:AA:39:B2:4C:45:B6:6A:16:7F:0C:C0:45:0F:01:4C:11:EC
Root Certificate (self-signed) for CNS of Regione Veneto
Issuer: C = IT, O = Actalis S.p.A., OU = Servizi di Certificazione, CN = Regione Veneto - CA Cittadini 2020
SHA1 Fingerprint=86:A1:AD:15:72:65:73:2A:09:EF:0A:42:01:75:26:8C:70:86:8B:FD
Root Certificate (self-signed) for CNS of Regione autonoma Friuli Venezia Giulia
Issuer: C = IT, O = Actalis S.p.A., OU = Servizi di Certificazione, CN = Regione autonoma Friuli Venezia Giulia - CA Cittadini 2020
SHA1 Fingerprint=9C:2E:35:A1:F1:F7:00:41:F8:95:33:51:0A:92:52:01:60:2E:A0:94
Root Certificate (self-signed) for CNS of Regione autonoma Valle d'Aosta
Issuer: C = IT, O = Actalis S.p.A., OU = Servizi di Certificazione, CN = Regione autonoma Valle d'Aosta - CA Cittadini 2020
SHA1 Fingerprint=FF:0A:2C:1F:49:59:4E:F6:BD:9F:11:C9:B1:F3:27:87:D8:09:31:E9
Root Certificate (self-signed) for CNS of Regione autonoma della Sardegna
Issuer: C = IT, O = Actalis S.p.A., OU = Servizi di Certificazione, CN = Regione autonoma della Sardegna - CA Cittadini 2020
SHA1 Fingerprint=91:2A:4A:C3:73:C9:55:C3:38:E5:58:27:95:66:C7:27:71:37:47:67
S/MIME Certificates
Service conformity documentation
Code Signing - Best Practices
Issuing procedure
Access to private keys should be limited to authorized personnel. To guarantee this, some basic security guidelines should be followed.
- Restrict connections to PCs used for Code Signing.
- Minimize the number of users who have access to Code Signing keys.
- Adopt physical seurity measures to limit access to Code Signing keys.
Protect proven keys with hardware encryption devices
Private keys, if stored in software, are highly exposed to security attacks. We advise generating and storing Code Signing keys in encrypted hardware devices and following the guidelines below.
Use a device (e.g. smart card or USB token) that complies with FIPS 140 Level 2 or better still Common Criteria EAL4+ security regulations. Make sure that the device is protected by a PIN or strong passphrase (avoid simple sequences that are easy for cyber criminals to guess).
Always apply a timestamp to a signed code
Applying also a timestamp to a code can validate a signed code even beyond the expiry or revocation date of the code signing certificate.
Apply a timestamping service to signed code.
Use test certificates to sign code that has not been issued yet
Test keys and Code Signing certificates do not have to meet the same security requirements applied to production environments (a test certificate can also be self-signed, or issued by a private CA).
Sign the code during the test phase (before it has been issued) with a test certificate (not issued by a trusted Root CA), using different keys to those used in the production environment.
Authenticate code before signing
Any code subjected to Code Signing should always be authenticated before being signed and issued.
Set up and apply a strict procedure for submitting code to the code signing procedure and for approval, to make sure that malign or not approved code cannot be signed. Keep a record of all code signing operations for auditing purposes and for investigations in the event of a security incident.
Run an antivirus scan before signing the virus
Code Signing allows you to verify the origin of your code and its integrity (has not been altered), but does not ensure that your code is virus-free. This also applies to any third-party libraries embedded in your code.
Always perform an anti-virus scan before signing your code.
Reduce the risk of multiple certificates (do not use a single key)
If a security problem is detected in your code, a warning message can be made to appear when attempts to install the code are made in the future: this can be achieved by revoking the Code Signing certificate. However, if other (problem-free) software has also been signed with the same certificate, the warning message will also appear for them.
Avoid signing all your software with the same certificate. Use different Code Signing certificates, ideally changing keys frequently.
Revoke compromised certificates
If the Code Signing private key is compromised, or if malware or suspicious code signed with the certificate is discovered, the issuing Certification Authority must be notified. In such cases, to protect everyone, the Code Signing certificate must be revoked, as provided for in the CPS.
Notify Actalis if the Code Signing private key is compromised (send an email to cert-problem@actalis.it). Revoke the compromised certificate.
SSL Certificates - Best Practices
Best practices documentation