Cancel

Notarius
Developer Center
Integrate our solutions into your applications
Our solutions and API
double-chevron

Support center

Find your answer by topic or keyword

Home / Support center / CertifiO Desktop / Firewall configuration

 

Firewall configuration

Summary

To activate and use your CertifiO digital signature, you need to enable specific communication flows from your environment to ours. The same applies for some of our signature tools. These flows are always initiated by the workstation toward Notarius’ network, using standard protocols. No information related to the documents or their content is communicated to Notarius or any third-party.

The purpose of this page is to publish the various DNS entries and ports requirements to enable set up the necessary configuration in your network, if applicable. The deployment of service in a cloud-based environment means that we no longer publish explicit ranges of IP addresses, but only a list of DNS entries and associated ports.

 

Who requires or trust these flows?

As an ISO 27001 (Information Security Management) certified public key infrastructure operator, our infrastructure is subject to rigorous security controls and periodic vulnerability testing.

Other than Notarius, the Government of Canada and the governments of several Canadian provinces and US states use Entrust certificate authority software and related technologies. All require that communication flow to their servers be authorized. These communication protocols are governed by stringent standards set by the IETF, ISO and NIST.

Several of Notarius’ clients have also assessed these considerations. Major companies operating in the engineering, transportation, aerospace, hydroelectricity and mining sectors authorize outbound communication flows to Notarius’ servers.

Main domains to authorize

Here is a list of the main domains related to digital signature services.

  • notarius.com
  • notarius.net
  • certifio.com
  • certifio.ca
  • consigno.com
  • verifio.com

Detailed communication flows & services

Only a few outbound flows are required to activate the digital signature, sign a document, ensure its authenticity and confirm the validity of a third party’s signature (internal or external to your company).

Here is a detailed list of services, their description, dns entries and ports linked to these flows.

 

Is your organization using proxies? LDAP (tcp 389) and CMP (tcp 829) are not proxy friendly. 
We have a solution that uses http and https only.

Service Description DNS Port

Subscription, activation, digital signature management

Encrypted communication to activate, update or recover a digital signature certificate. Includes all relevant information to create a trusted public/private key pair on the user’s computer. Uses CMP (Certificate Management Protocol). Ref: RFC 6712

Encrypted communication from the browser to management portal to enroll, activate, manage and invoice digital signatures.
  • certifio.notarius.com
  • secure.notarius.com
  • tk-proxy1.notarius.com
  • ca-ccq.notarius.com
  • ca1.notarius.com
  • ca2.notarius.com
  • ca3.notarius.com
  • proxy1-ccq.notarius.com
  • proxy1-ica1.notarius.com
  • proxy1-ica2.notarius.com
  • proxy2-ccq.notarius.com
  • proxy2-ica1.notarius.com
  • proxy2-ica2.notarius.com
  • proxy1.notarius.com
  • entrust.notarius.net
  • ca.certifio.ca
  • idp-proxy.certifio.com/
  • ssa-prod.certifio.com

tcp 443

(https)

 

tcp 829

(pkix-3-ca-ra)

Timestamp authority

Add a certified timestamp token upon signature. Uses TSP (Time stamp protocol). Ref: RFC 3161
Required to ensure long-term document reliability.
  • tsa1.notarius.com
  • timestamp.certifio.com
  • tsa.certifio.com

tcp 80

(http)

OCSP responder

Add the proof of validity of the digital signature, and verify the authenticity of a document. The communication includes the signatory’s public distinguished name (DN). Uses OCSP (Online Certificate Status Protocol). Ref: RFC 6960
Required to ensure the document’s authenticity and long-term reliability.
  • ocsp1.notarius.com
  • ocsp-ccq.certifio.com
  • ocsp-ica1.certifio.com
  • ocsp-ica2.certifio.com

tcp 80

(http)

Certificate Revocation List (CRL)

LDAPs are also required for certificate creation and management, as well as for encryption public key searches at the QCC.)

Add the proof of validity of the digital signature, and verify the authenticity of a document. Uses LDAP (Lightweight Directory Access Protocol). Ref: RFC 2251
Required to ensure the document’s authenticity and long-term reliability.
  • crl.notarius.com
  • crl1.notarius.com
  • directory1.notarius.com
  • directory2.notarius.com
  • ldap1.notarius.com
  • ldap2.notarius.com
  • crl-ica1.certifio.com
  • webcrl.notarius.net
  • webcrl2.notarius.net
  • x500.notarius.net
  • x500a.notarius.net
  • x500b.notarius.net
  • x500p.notarius.com
  • ldap1.certifio.ca
  • ldap2.certifio.ca

tcp 80

(ldap over http)

 

tcp 389

(ldap)

 

tcp 636

(ldaps) 

Applications download

To download applications such as Certifio Manager, ConsignO Desktop, Entrust client, ConsignO Server, etc.
  • download.notarius.com

tcp 443

(https)

Applications licensing

(Certifio Manager & ConsignO Desktop)

Encrypted communication to manage ConsignO’s user rights. This includes a license file and the signatory’s public distinguished name (DN)
  • certifio.notarius.com
  • licensing.notarius.com  

tcp 443

(https)

CertifiO Manager

 Light desktop application removing the need to install JAVA to access your account on the Notarius portal, to activate or recover  your CertifiO digital signature and to sign in application such as ConsignO Cloud with it.
  • certifio.notarius.com
  • secure.notarius.com
  • tk-proxy1.notarius.com

tcp 443, 24250

(https)

CertifiO Manager –  Server Edition

The Server Edition allows multiple users to use CertifiO Manager in a server or virtualized environment.
  • certifio.notarius.com
  • secure.notarius.com
  • tk-proxy1.notarius.com

tcp 443, 24251- 24270

(https)

ConsignO Cloud

Web application for signing electronic documents. Depending on the bundle selected, you will need to authorize access to the consigno.com domain and/or the sub-domain linked to your entity in order to use the cloud application.
  • cloud.consigno.com
  • (votre entité).consigno.com

tcp 443

(https)

Templates download for ConsignO Desktop

Unencrypted communication to ConsignO Desktop’s PDF and XML templates.
  • localhost

tcp 80

(http)

Notification and Updates for ConsignO Desktop

Encrypted communication to get the update notifications and “what’s new” notifications.
  • https://notarius.com/consigno-desktop-notification-descriptor
  • https://notarius.com/consigno-desktop-update-descriptor

tcp 443

(https)

Online verification application

Web application for verifying Notarius-issued digital signatures in your PDF documents.
  • https://verifio.com

tcp 443

(https)

 

 

Was this information useful?

You already voted!

Thank you!

ConsignO Desktop - Installation (13) CertifiO Desktop - Subscription (42) CertifiO Desktop - Usage (35)