Welcome to the Mortgage Industry Certificate Issuance Portal
This site will help you obtain a digital certificate for your company to use for signing and encrypting your transactions with the MERS® eRegistry.
We have set up a very straightforward process and tailored the procedures to get you up and running quickly.
Please be aware that the MERS system is transitioning to the Non-Federal Issuer (NFI) PKI, so this process will be a little different from that for previous certificates.
The NFI Device certificates will be issued for 3 Years at a cost of $1119.00 at the request and concurrence of MERS.
We have broken the process out into eight simple steps (Note: Steps 5-8 are post request):
The NFI Device Certificate Authorization letter must be signed by a Duly Authorized Representative/PoC who is known to MERSCORP Holdings. This information will be verified by MERSCORP Holdings prior to certificate issuance.
Step 3: Review and Agree to the Subscriber Obligations
To accurately represent themselves in all communications with WidePoint (ORC) and the PKI, and abide by all the terms, conditions, and restrictions levied upon the use of the issued private key(s) and certificate(s).
To protect the certificate private key from unauthorized access in accordance with the Private Key Protection section (6.2) of the NFI CPS.
To immediately report to the Registration Authority (RA) and request certificate revocation processing if Private Key Compromise is suspected.
In the event of a PKI sponsor change, due to the verified individual having left the employ of the subscribing company or no longer being assigned as the PKI sponsor for the certificate(s), the applicant company must designate a new PKI sponsor for the certificate(s), and the new PKI sponsor must complete a new identity verification.
When replacing the server certificate the PKI sponsor must complete a new identity verification.
Confirm that the PKI Sponsor is a current employee of the applying company and that you are authorized to obtain device certificates for the company by completing and submitting the NFI Device Certificate Authorization letter.
That the server designated in the certificate request is the only system on which the certificate is to be installed.
To use the certificate only for authorized applications that have met the requirements of this CPS.
To use the certificate only for the purpose for which it was issued, as indicated in the key usage extension.
To report any changes to information contained in the certificate to the appropriate RA for certificate reissue processing.
An NFI Device Certificate PKI Sponsor (subscriber) and their applicant organization found to have acted in a manner inconsistent with these obligations are subject to revocation of all NFI Device Certificates issued to that applicant organization.
I understand that during this process I will be generating my key pair when creating the CSR and will possess the only copy of my private key on the workstation/computer on which I created the CSR. If lost, damaged, or compromised, I will be responsible for requesting and incurring the costs of a new certificate.
Step 4: Generate a CSR (Certificate Signing Request)
You must generate a CSR (Certificate Signing Request). There are several methods of creating a CSR. Some servers have a 'built in' or preferred method of doing this; please refer to the documentation for your server. If you are using any sort of Hardware Security Module (HSM), it will have very specific methods for creating a certificate.
The sample methods of generating a CSR below are meant to serve as guidelines for creating your CSR. They should not be interpreted as 'set-in-stone' instructions. Please be aware of any restrictions or requirements of your environment.
An example of CSR generation (myrequest.req) and private key (mysecret.key) using OpenSSL:
[user@computer ~]$ openssl req -nodes -sha256 -newkey rsa:2048 -keyout mysecret.key -out myrequest.req
Generating a 2048 bit RSA private key
writing new private key to 'mysecret.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:US
State or Province Name (full name) :.
Locality Name (eg, city) [Default City]:.
Organization Name (eg, company) [Default Company Ltd]:Company/Organization
Organizational Unit Name (eg, section) :.
Common Name (eg, your name or your server's hostname) :CN=MERS-client.Domain Name
Email Address :.
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :.
An optional company name :.
The output of the CSR action is usually a text file that you will submit to WidePoint (ORC).
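Because `-nodes` writes the private key unencrypted and the subscriber holds the only copy, it is worth checking the key and the request before submitting. The script below is an added example, not part of the portal's instructions: it is a non-interactive form of the same OpenSSL command followed by local checks. The function names `make_csr` and `check_csr` are hypothetical, and the subject values are whatever the caller passes in.

```shell
#!/bin/sh
# Added example. Subject values passed in are the caller's; nothing here is
# issued by MERS or WidePoint (ORC). File names follow the sample session.

# make_csr DIR CN ORG -> writes DIR/mysecret.key and DIR/myrequest.req
make_csr() {
    (
        umask 077   # -nodes leaves the key unencrypted, so restrict it to the owner
        openssl req -new -nodes -sha256 -newkey rsa:2048 \
            -keyout "$1/mysecret.key" -out "$1/myrequest.req" \
            -subj "/C=US/O=$3/CN=$2" >/dev/null 2>&1
    )
}

# check_csr REQ KEY -> prints "ok" and returns 0 only if every check passes
check_csr() {
    req=$1 key=$2
    # 1. Self-signature: the request was signed by the key it names.
    #    Match on the message text instead of relying only on the exit status.
    openssl req -in "$req" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "self-signature invalid"; return 1; }
    # 2. Parameters match the sample command: RSA 2048, SHA-256.
    text=$(openssl req -in "$req" -noout -text 2>/dev/null)
    echo "$text" | grep -q 'Public-Key: (2048 bit)' ||
        { echo "key is not 2048-bit"; return 1; }
    echo "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' ||
        { echo "not signed with SHA-256"; return 1; }
    # 3. The private key being kept is the one the request was made from.
    req_pub=$(openssl req -in "$req" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$req_pub" ] && [ "$req_pub" = "$key_pub" ] ||
        { echo "private key does not match request"; return 1; }
    # 4. No group/other permission bits on the key file.
    [ "$(ls -l "$key" | cut -c5-10)" = "------" ] ||
        { echo "key file is readable by others"; return 1; }
    echo ok
}

# Usage: sh csr.sh DIR CN ORG
if [ "$#" -eq 3 ]; then
    make_csr "$1" "$2" "$3" && check_csr "$1/myrequest.req" "$1/mysecret.key"
fi
```

Only `myrequest.req` is submitted; `mysecret.key` stays on the system where it was generated.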