Export and Import Controls System

EICS PKI Policy for Customs Brokers Certificates

PKI Certificate (myKEY) Authority and the LRAs

PWGSC (Public Works and Gov't Services Canada) operates the PKI Certificate Authority that EICS uses for creation and maintenance of our PKI Certificates. The Section is known as ICM – Internal Credential Management. The Local Registration Authorities (LRAs) liaise between yourselves and the Certificate Authority to take care of your Certificates (Entrust Profiles).

Please report any connectivity problems to Client Services Centre at 1-877-808-8838 or 613-944-1265 or the following email address: eics.scei@international.gc.ca

Your LRAs are:

Storage of PKI Certificates

The Entrust profile is conventionally created in this directory: C:\Program Files\EICS-SCEI Direct\Entrust Profile\. The Entrust Logon will point to this location. If you move the files, you will have to BROWSE to the new location. You MUST keep a safe backup copy of your entire Entrust Profile. If on a floppy disk, it must be locked up when you leave the office. Losing it would constitute a compromise of your PKI Certificate.

Automatic Certificate Updates – Please be Aware

The PKI Certificate Authority periodically (but not frequently) writes to your Entrust profile while you are logged in through Entrust. This "key update" prevents component expiry. The update will occur at logon, and an Entrust notification window will pop up, advising of the update.

Your PKI Group Certificate allows all of its users the ability to log in simultaneously on different PCs. It can be used as a single copy on a network drive, or as multiple copies, one per user's workstation. When one copy of the Certificate keys becomes updated, all of the other copies will no longer be valid, and a pop-up message appears:

Expired Profile - Profile expiré
"Your Entrust Profile is not current and contains old signing information."

OR

Cannot initialize Entrust. The user's public or private key information is invalid. (This message can also occur for other reasons.)

If that happens, check all the copies you have of the Profile by attempting to login with each one. Once you have determined which is the "good" Profile, you will need to make a new copy to replace the 2nd (and subsequent) Profile(s). The user who receives the update notification should perform the following tasks:

  1. Continue logging into EICS – let it open up fully
  2. Once EICS has loaded, shut the application down completely (this is to allow the Profile files to be closed after use)
  3. Copy the 5 files that make up your profile onto a floppy disk or shared drive
  4. Use this to copy the profile onto the PCs of the other users
  5. Keep the copy as your backup copy.

You MUST update your backup copy (of course you have a backup copy!) periodically in order to preserve the "key update", or it will be no good.

Please keep in mind that forgetting your PKI certificate password will result in delays of up to TWO (2) working days that you will not be able to access the EICS while your PKI certificate is being recovered.