
Firewall configuration - BETA

Summary

To activate and use your CertifiO digital signature, you need to enable specific communication flows from your environment to ours. The same applies to some of our signature tools. These flows are always initiated by the workstation toward Notarius’ network, using standard protocols. No information related to the documents or their content is communicated to Notarius or any third party.

The purpose of this page is to publish the DNS entries and port requirements so that you can set up the necessary configuration in your network, if applicable. Because our services are deployed in a cloud-based environment, we no longer publish explicit ranges of IP addresses, only a list of DNS entries and their associated ports.

Who requires or trusts these flows?

As an ISO 27001 (Information Security Management) certified public key infrastructure operator, our infrastructure is subject to rigorous security controls and periodic vulnerability testing.

Other than Notarius, the Government of Canada and the governments of several Canadian provinces and US states use Entrust certificate authority software and related technologies. All require that communication flow to their servers be authorized. These communication protocols are governed by stringent standards set by the IETF, ISO and NIST.

Several of Notarius’ clients have also assessed these considerations. Major companies operating in the engineering, transportation, aerospace, hydroelectricity and mining sectors authorize outbound communication flows to Notarius’ servers.

Main domains to authorize

Here is a list of the main domains related to digital signature services.

  • notarius.com
  • notarius.net
  • certifio.com
  • certifio.ca
  • consigno.com
  • verifio.com

Detailed communication flows & services

Only a few outbound flows are required to activate the digital signature, sign a document, ensure its authenticity and confirm the validity of a third party’s signature (internal or external to your company).

Here is a detailed list of services, their descriptions, and the DNS entries and ports linked to these flows. Each entry gives the service name, a description, the DNS entries to authorize and the ports used.

Is your organization using proxies? LDAP (tcp 389) and CMP (tcp 829) are not proxy-friendly. We have a solution that uses http and https only.

Subscription, activation, digital signature management

Encrypted communication to activate, update or recover a digital signature certificate. Includes all relevant information to create a trusted public/private key pair on the user’s computer. Uses CMP (Certificate Management Protocol). Ref: RFC 6712

Encrypted communication from the browser to management portal to enroll, activate, manage and invoice digital signatures.

  • certifio.notarius.com
  • secure.notarius.com
  • tk-proxy1.notarius.com
  • ca-ccq.notarius.com
  • ca1.notarius.com
  • ca2.notarius.com
  • ca3.notarius.com
  • proxy1-ccq.notarius.com
  • proxy1-ica1.notarius.com
  • proxy1-ica2.notarius.com
  • proxy2-ccq.notarius.com
  • proxy2-ica1.notarius.com
  • proxy2-ica2.notarius.com
  • proxy1.notarius.com
  • entrust.notarius.net
  • ca.certifio.ca
  • idp-proxy.certifio.com
  • ssa-prod.certifio.com

Ports: tcp 443 (https), tcp 829 (pkix-3-ca-ra)

Timestamp authority

Add a certified timestamp token upon signature. Uses TSP (Time stamp protocol). Ref: RFC 3161
Required to ensure long-term document reliability.

  • tsa1.notarius.com
  • timestamp.certifio.com
  • tsa.certifio.com

Ports: tcp 80 (http)

OCSP responder

Add the proof of validity of the digital signature, and verify the authenticity of a document. The communication includes the signatory’s public distinguished name (DN). Uses OCSP (Online Certificate Status Protocol). Ref: RFC 6960
Required to ensure the document’s authenticity and long-term reliability.

  • ocsp1.notarius.com
  • ocsp-ccq.certifio.com
  • ocsp-ica1.certifio.com
  • ocsp-ica2.certifio.com

Ports: tcp 80 (http)

Certificate Revocation List (CRL)

(LDAPs are also required for certificate creation and management, as well as for encryption public key searches at the QCC.)

Add the proof of validity of the digital signature, and verify the authenticity of a document. Uses LDAP (Lightweight Directory Access Protocol). Ref: RFC 2251
Required to ensure the document’s authenticity and long-term reliability.

  • crl.notarius.com
  • crl1.notarius.com
  • directory1.notarius.com
  • directory2.notarius.com
  • ldap1.notarius.com
  • ldap2.notarius.com
  • crl-ica1.certifio.com
  • webcrl.notarius.net
  • webcrl2.notarius.net
  • x500.notarius.net
  • x500a.notarius.net
  • x500b.notarius.net
  • x500p.notarius.com
  • ldap1.certifio.ca
  • ldap2.certifio.ca

Ports: tcp 80 (ldap over http), tcp 389 (ldap), tcp 636 (ldaps)

Applications download

To download applications such as Certifio Manager, ConsignO Desktop, Entrust client, ConsignO Server, etc.

  • download.notarius.com

Ports: tcp 443 (https)

Applications licensing

(Certifio Manager & ConsignO Desktop)

Encrypted communication to manage ConsignO’s user rights. This includes a license file and the signatory’s public distinguished name (DN).

  • certifio.notarius.com
  • licensing.notarius.com

Ports: tcp 443 (https)

CertifiO Manager

Light desktop application removing the need to install Java to access your account on the Notarius portal, to activate or recover your CertifiO digital signature and to sign in applications such as ConsignO Cloud with it.

  • certifio.notarius.com
  • secure.notarius.com
  • tk-proxy1.notarius.com

Ports: tcp 443, 24250 (https)

CertifiO Manager – Server Edition

The Server Edition allows multiple users to use CertifiO Manager in a server or virtualized environment.

  • certifio.notarius.com
  • secure.notarius.com
  • tk-proxy1.notarius.com

Ports: tcp 443, 24251-24270 (https)

ConsignO Cloud

Web application for signing electronic documents. Depending on the bundle selected, you will need to authorize access to the consigno.com domain and/or the sub-domain linked to your entity in order to use the cloud application.

  • cloud.consigno.com
  • (your entity).consigno.com

Ports: tcp 443 (https)

Templates download for ConsignO Desktop

Unencrypted communication to ConsignO Desktop’s PDF and XML templates.

  • localhost

Ports: tcp 80 (http)

Notification and Updates for ConsignO Desktop

Encrypted communication to get the update notifications and “what’s new” notifications.

  • https://notarius.com/consigno-desktop-notification-descriptor
  • https://notarius.com/consigno-desktop-update-descriptor

Ports: tcp 443 (https)

Online verification application

Web application for verifying Notarius-issued digital signatures in your PDF documents.

  • https://verifio.com

Ports: tcp 443 (https)

———————————

What information is transferred, how and why? – Security considerations – Firewall configuration rules

Summary

To activate, use and validate Notarius’ digital signature, four outbound communication flows to Notarius’ servers must be enabled. These flows are always initiated from the given workstation and use standard protocols. No information pertaining to your electronic documents is communicated to Notarius or any third party.

Notarius is the only public-key-infrastructure supplier to be certified ISO 27001 in North America (Information Security Management). Moreover, its infrastructure is subject to stringent security controls and periodic vulnerability testing. Several major companies operating in the engineering, transportation, aerospace, hydroelectricity and mining sectors authorize outbound communication flows to Notarius’ servers.

Why Notarius?

CertifiO, the trusted digital signature from Notarius, enables users to sign an electronic document with the same legal value as a handwritten signature on a printed document. It assures the document’s origin, integrity and authenticity. CertifiO for Professionals is the only digital signature recognized by 25 professional associations in Canada.

What information is transferred, how and why?

Some outbound communication flows are required to activate a digital signature, sign a document and guarantee its authenticity, and validate a third party’s signature (internal or external to your organization).

Is your organization using proxies? LDAP (tcp 389) and CMP (tcp 829) are not proxy-friendly. We have a solution that uses http and https only.

Service, description and ports for each flow:

ConsignO licensing
Encrypted communication to manage ConsignO’s user rights. This includes a license file and the signatory’s public distinguished name (DN).
Required to use ConsignO.
Ports: tcp 443 (https)

Digital signature generation
Encrypted communication to activate, update or recover a digital signature certificate. Includes all relevant information to create a trusted public/private key pair on the user’s computer. Uses CMP (Certificate Management Protocol). Ref: RFC 6712
Required to obtain a digital signature certificate.
Ports: tcp 443 (https), tcp 829 (pkix-3-ca-ra)

Timestamp authority
Add a certified timestamp token upon signature. Uses TSP (Time stamp protocol). Ref: RFC 3161
Required to ensure long-term document reliability.
Ports: tcp 80 (http)

OCSP responder
Add the proof of validity of the digital signature, and verify the authenticity of a document. The communication includes the signatory’s public distinguished name (DN). Uses OCSP (Online Certificate Status Protocol). Ref: RFC 6960
Required to ensure the document’s authenticity and long-term reliability.
Ports: tcp 80 (http)

Certificate Revocation List (CRL)
Add the proof of validity of the digital signature, and verify the authenticity of a document. Uses LDAP (Lightweight Directory Access Protocol). Ref: RFC 2251
Required to ensure the document’s authenticity and long-term reliability.
Ports: tcp 80 (ldap over http) or tcp 389 (ldap) [1]

Digital signature enrollment, activation and management
Encrypted communication from the browser to the management portal to enroll, activate, manage and invoice digital signatures.
Required to obtain a digital signature.
Ports: tcp 443 (https)

Templates download
Unencrypted communication to ConsignO Desktop’s PDF and XML templates.
Ports: tcp 80 (http)

Notifications
Encrypted communication to get the update notifications and “what’s new” notifications.
Ports: tcp 443 (https)

CertifiO Manager
Light desktop application removing the need to install Java to access your account on the Notarius portal, to activate or recover your CertifiO digital signature and to sign in applications such as ConsignO Cloud with it.
Ports: tcp 443, 24250 (https)

CertifiO Manager – Server Edition
The Server Edition allows multiple users to use CertifiO Manager in a server or virtualized environment.
Ports: tcp 443, 24251-24270 (https)

[1] Organizations who prefer to block port tcp 389 (ldap) can do so if port tcp 80 (http) is allowed to carry traffic from our servers. See details in the proxy configuration page.
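A worked check for the two flow tables above (the DNS-based list and the port-only summary), written as an added example and not as Notarius’ own tooling: it flattens a transcribed subset of the host/port table into an egress allowlist, derives the http/https-only subset that a proxied site can carry, and attempts each outbound TCP connection from the workstation so that blocked or unresolved entries can be handed to the firewall team. The hosts and ports come from this page; the function names, the subset chosen and the report format are assumptions.

```python
"""Egress check for the CertifiO/ConsignO flows listed on this page (added example)."""
import socket

# Subset of the page's flow table, transcribed: service -> (hosts, tcp ports).
# Extend with the remaining entries from the lists above for a full check.
REQUIRED_FLOWS = {
    "cmp_and_portal": (["ca1.notarius.com", "ca.certifio.ca", "certifio.notarius.com"], [443, 829]),
    "timestamp": (["tsa1.notarius.com", "tsa.certifio.com"], [80]),
    "ocsp": (["ocsp1.notarius.com", "ocsp-ica1.certifio.com"], [80]),
    "crl_ldap": (["crl.notarius.com", "ldap1.notarius.com"], [80, 389, 636]),
    "download": (["download.notarius.com"], [443]),
}
# The page's proxy note: LDAP (389) and CMP (829) do not traverse proxies;
# the alternative it offers uses http and https only.
PROXY_PORTS = {80, 443}

def egress_rules(flows=REQUIRED_FLOWS):
    """Flatten the table into a sorted, de-duplicated list of (host, port) pairs."""
    return sorted({(h, p) for hosts, ports in flows.values() for h in hosts for p in ports})

def proxy_only_rules(flows=REQUIRED_FLOWS):
    """Pairs an http/https proxy can carry, i.e. what a fully proxied site allows."""
    return [(h, p) for h, p in egress_rules(flows) if p in PROXY_PORTS]

def check_flow(host, port, timeout=3.0):
    """Try the outbound TCP connection the firewall must allow; return (ok, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.gaierror as exc:  # name resolution failed (DNS blocked or wrong)
        return False, f"dns: {exc}"
    except OSError as exc:  # refused, filtered or timed out (firewall or proxy)
        return False, f"tcp: {exc}"

def run_report(flows=REQUIRED_FLOWS, timeout=3.0):
    """Check every pair, print one status line each, and return the failures."""
    failures = []
    for host, port in egress_rules(flows):
        ok, detail = check_flow(host, port, timeout)
        print(f"{'OK  ' if ok else 'FAIL'} {host}:{port} ({detail})")
        if not ok:
            failures.append((host, port, detail))
    return failures

if __name__ == "__main__":
    raise SystemExit(1 if run_report() else 0)
```

Because the page states that service IP addresses change at any time, resolve these names at check time rather than pinning the resolved addresses into static rules.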

What are the security considerations related to these flows?

These flows are always outbound: they are initiated from the client’s workstation to Notarius’ servers using standard protocols. No information pertaining to your electronic documents is communicated to Notarius or any third party. Notarius is the only public-key-infrastructure supplier to be certified ISO 27001 in North America (Information Security Management). Moreover, its infrastructure is subject to stringent security controls and periodic vulnerability testing.

Who requires or trusts these flows?

Other than Notarius, the United Nations, the Government of Canada and the governments of several Canadian provinces and US states use Entrust certificate authority software and related technologies; all require that communication flow to their servers is authorized. These communication protocols are governed by stringent standards set by the IETF, ISO and NIST.

Several of Notarius’ clients have also assessed these considerations. Major companies operating in the engineering, transportation, aerospace, hydroelectricity and mining sectors authorize outbound communication flows to Notarius’ servers.

What are the firewall rules?

Our environments are redundant, distributed and scalable; the IP address of a service can vary at any time within the specified range.

IP range: 206.55.89.0/27
Ports: tcp 80 (http), tcp 443 (https), tcp 389 (ldap) [1], tcp 829 (pkix-ca-ra)

IP range: 192.252.131.64/28
Ports: tcp 80 (http), tcp 443 (https), tcp 389 (ldap) [1], tcp 829 (pkix-ca-ra)

Our download site and website require a DNS configuration.

DNS entry: support.notarius.com
Ports: tcp 443 (https)

DNS entry: download.notarius.com
Ports: tcp 80 (http), tcp 443 (https)


Notes:

  1. Organizations who prefer to block port TCP 389 (ldap) can do so if port tcp 80 (http) is allowed to carry traffic from our servers. See details in the proxy configuration page.
  2. All communications are outbound only; they are initiated by the client to our servers. In no circumstances do we initiate communication from our servers to the client.
  3. ConsignO Desktop opens a listening port on localhost on the user’s computer to avoid opening a new instance every time a file is opened from Windows Explorer. This approach, common in the industry, is also used by Adobe Acrobat, Microsoft Office, etc.