This site will help you obtain a digital certificate for your company to use for signing and encrypting your transactions with the MERS® eRegistry.
We have set up a very straightforward process and tailored the procedures to get you up and running quickly.
Please be aware that the MERS system is transitioning to the Non-Federal Issuer (NFI) PKI so this will be a little different than previous certificates.
The NFI Device certificates will be issued for 3 Years at a cost of $1140.00 at the request and concurrence of MERS.
We have broken the process out into eight simple steps (Note: Steps 5-8 are post request):
- Step 1: Trust the certificate authorities
- Step 2: Print and fill out accompanying NFI Device Certificate Authorization letter
- Step 3: Review and agree to the Subscriber Obligations
- Step 4: Generate a CSR (Certificate Signing Request)
- Step 5: Submit your CSR to WidePoint (ORC) – WidePoint will respond by sending you a Certificate Request form
- Step 6: Take your Certificate Request forms to a Notary or to WidePoint’s Fairfax office
- Step 7: Mail/FedEx the Certificate Request form packages to WidePoint’s Fairfax office
- The cost of the certificate is $1140 for a 3 Year certificate; ORC accepts VISA, MasterCard, American Express, or Corporate Check
- Step 8: ORC will issue the certificate and send a Certificate Issuance Notification email
- Step 9: Execute the instructions in the Certificate Issuance Notification email
Step 1: Trust the certificate authorities (Must trust all entries below.)
- 1a. Download the WidePoint NFI Root 2 Root Certificate Authority ::
- 1b. Download the ORC NFI 6 Intermediate Certificate Authority ::
Step 2: Print and fill out accompanying forms
Print and fill out the NFI Device Certificate Authorization letter and send to ORC with your certificate request form.
The NFI Device Certificate Authorization letter must be signed by a Duly Authorized Representative/PoC who is known to MERSCORP Holdings. This information will be verified by MERSCORP holdings prior to certificate issuance.
Step 3: Review and Agree to the Subscriber Obligations
In order to request and use an NFI Device Certificate issued under the WidePoint NFI Certificate Practice Statement (CPS), the applicant agency or company and Device Certificate PKI Sponsor (subscriber) must agree to the following obligations:
- To accurately represent themselves in all communications with WidePoint (ORC) and the PKI, and abide by all the terms, conditions, and restrictions levied upon the use of the issued private key(s) and certificate(s).
- To protect the certificate private key from unauthorized access in accordance with the Private Key Protection section (6.2) of the NFI CPS.
- To immediately report to the Registration Authority (RA) and request certificate revocation processing if Private Key Compromise is suspected.
- In the event of a PKI sponsor change, due to the verified individual having left the employ of the subscribing company or is no longer being assigned as the PKI sponsor for the certificate(s), the applicant company must designate a new PKI sponsor for the certificate(s). The applicant company must designate a new PKI sponsor and the new PKI sponsor must complete a new identity verification.
- When replacing the server certificate the PKI sponsor must complete a new identity verification.
- Confirm that PKI Sponsor is a current employee of the applying company and that you are authorized to obtain device certificates for the company by completing and submitting the NFI Device Certificate Authorization letter.
- That the server designated in the certificate request is the only system on which the certificate is to be installed.
- To use the certificate only for authorized applications that have met the requirements of this CPS.
- To use the certificate only for the purpose for which it was issued, as indicated in the key usage extension.
- To report any changes to information contained in the certificate to the appropriate RA for certificate reissue processing.
An NFI Device Certificate PKI Sponsor (subscriber) and their applicant organization found to have acted in a manner inconsistent with these obligations is subject to revocation of all NFI Device Certificates issued to that applicant organization.
I understand that during this process I will be generating my key pair when creating the CSR and will possess the only copy of my private key on the workstation/computer on which I created the CSR. If lost, damaged, or compromised, I will be responsible for requesting and incurring the costs of a new certificate.
Step 4: Generate a CSR (Certificate Signing Request)
You must generate a CSR (Certificate Signing Request). There are several methods of creating a CSR. Some servers have a ‘built in’ or preferred method of doing this, please refer to the documentation for your server. If you are using any sort of Hardware Security Module (HSM) this will have very specific methods for creating certificate.
Below are sample methods of generating a CSR and are meant to serve as guidelines for creating your CSR. They should not be interpreted as ‘set-in-stone’ instructions. Please be aware of any restrictions or requirements of your environment.
An example of CSR generation in Microsoft:
Subject = "C=US, O=ORC PKI, OU=Company/Organization, CN=MERS-client.Domain Name"
KeySpec = 1
KeyLength = 2048
HashAlgorithm = SHA256 (or SHA2)
Exportable = TRUE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xf0
Subject Alternative Name
Type: DNSName Value: Domain Name
Type: IPAddress Value: IP Address
An example of CSR generation (myrequest.req) and private key (mysecret.key) using OpenSSL:
Please enter the following ‘extra’ attributes
[user@computer ~]$ openssl req -nodes -sha256 -newkey rsa:2048 -keyout mysecret.key -out myrequest.req
Generating a 2048 bit RSA private key
writing new private key to 'mysecret.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:US
State or Province Name (full name) :.
Locality Name (eg, city) [Default City]:.
Organization Name (eg, company) [Default Company Ltd]:Company/Organization
Organizational Unit Name (eg, section) :.
Common Name (eg, your name or your server's hostname) :CN=MERS-client.Domain Name
Email Address :.
to be sent with your certificate request
A challenge password :.
An optional company name :.
The output of the CSR action is usually a text file that you will submit to WidePoint (ORC).
Step 5: Submit your CSR to WidePoint
Please send an email to firstname.lastname@example.org to submit your CSR.
The email should attach the Authorization letter, the CSR output text file, and have a subject of “MERS certificate CSR” and include the PKI Sponsor’s (requestor’s):
- Name; [Firstname, M., Lastname]
- email address
- phone number