Aditya Anand, DGM – SAARC & ME, GMO GlobalSign, explains the role of digital certificates and the process of acquiring the right one for the purpose
Pharmaceutical companies must stay compliant with a range of processes and approvals, which involves heavy paperwork and the administrative burden that comes with it. Pharma companies need digital signatures to submit essential documents in electronic format to the Food and Drug Administration (FDA). The FDA Electronic Submissions Gateway (ESG) streamlines the acceptance of electronic regulatory submissions. It gives pharma, biotech, food, tobacco and other regulated industries that research, develop, test or manufacture FDA-regulated products a way to submit a wide range of forms electronically, including AERS (Adverse Event Reports), to the FDA.
Both pre-market and post-market regulatory information can be submitted for review through the FDA ESG channel. The gateway ensures that information submitted electronically travels securely and automatically reaches the intended FDA centre or office, without the gateway itself having to open or review the submissions. Setting up a WebTrader account requires the participants (senders) to acquire an X.509v3 digital certificate.
Digital certificates ensure private and secure submission of electronic documents. A digital certificate binds together the owner’s name and a pair of electronic keys (a public key and a private key) that can be used to encrypt and sign documents. A PersonalSign Digital certificate is a Digital ID issued to an entity (i.e. an individual or a department) that helps to prove the entity’s identity. The Digital ID binds an individual’s verified identity (typically including the name, company name and email address of the Digital ID owner) to a unique cryptographic credential. A digital certificate enables individuals and organisations to secure business and personal transactions across communication networks.
PersonalSign Certificates identify and prove identity, and contain different levels of information; these levels are defined as classes. Each class represents the level of identity verification, from simple email verification to full identity assurance. PersonalSign Certificates allow individuals and organisations to represent their digital identities through the use of digital signatures in many applications, from secure email to two-factor authentication to document signing. Digital certificates can be obtained from either a public or a private Certificate Authority (CA). The certificate must be an X.509 version 3 certificate, and all data fields in the Issuer and Subject fields must be completed. The FDA has approved several CAs, including GlobalSign, as sources of FDA ESG compliant digital certificates.
In the simplest of definitions, digital certificates issued to individuals and/or organisations, also known as digital IDs, are the electronic counterparts of driving licences, passports and membership cards. A digital certificate can be presented electronically to prove your identity or your right to access information or services online. Digital certificates bind an identity to a pair of electronic keys that can be used for encrypting and signing digital information.
A stricter definition is as follows: the public key of a subject and the associated information, digitally signed with the private key of the issuer of the certificate.
What is a certificate authority?
Certificate Authorities, or CAs, issue digital certificates. They are verifiable small data files that contain identity credentials to help websites, people, and devices represent their authentic online identity (authentic because the CA has verified the identity). CAs play a critical role in how the Internet operates and how transparent, trusted transactions can take place online. CAs issue millions of digital certificates each year, and these certificates are used to protect information, encrypt billions of transactions, and enable secure communication. Browsers, operating systems, and mobile devices operate authorised CA ‘membership’ programmes where a CA must meet detailed criteria to be accepted as a member. Once accepted, the CA can issue SSL Certificates that are transparently trusted by browsers, and subsequently, people and devices relying on the certificates.
Electronic Submissions Gateway accounts cannot be shared. Each individual must have their own account. Although there is no limit to the total number of accounts held by a company, each individual is limited to one account. Another specific requirement is that the registered e-mail address must belong to an individual and not be a group e-mail ID.
Digital certificates cannot be shared because they are associated with individual accounts. WebTrader accounts also cannot be shared. Digital certificates are associated with WebTrader accounts to establish the origin of a submission. There are also additional requirements:
- The FDA must be able to establish the origin of a submission that supplies electronic information for FDA review
- The use of a PKI Digital Certificate together with the account name determines the origin of the regulatory submission
- A PKI Digital Certificate uses a public/private key pair for encrypting and decrypting, which serves as the submission signature
The FDA references an option to create a self-signed certificate using Adobe Acrobat. Self-signed certificates are not legally binding, as no independent certificate authority has verified the contents of the digital ID. The FDA requires certain forms (e.g., 1571, 356h) to carry an embedded signature, whether a scanned signature or one placed from a certificate, prior to submission through the ESG. These certificates are only for visible signatures inside PDFs and cannot be used to sign a full submission to the ESG.
Class of certificate
The minimum requirement for a digital certificate for use with the FDA Electronic Submissions Gateway is a Class 1 Personal Identification Certificate. Although Class 1 and Class 2 Digital Certificates are available with validity periods ranging from one year to three years, the FDA recommends a three-year certificate validity, which avoids repeating the enrolment steps in the near future. A Class 1 Certificate binds only to an email address and is sufficient for clients requiring Digital IDs for general use. Class 2 Certificates are Digital IDs that represent the holder as an individual, since they bind both the email address and the individual's identity.
The process of acquiring a certificate for use with the FDA ESG WebTrader involves a series of steps and can take two to three days. Broadly, the steps are as follows:
- Select a provider and place an order for your digital certificate
- Install your digital ID using the Internet Explorer browser
- Make a copy of the public certificate (.cer/.p7) and submit it to the FDA
- Make a copy of the public/private certificate (PKCS12) and submit it to the FDA
Hence, it is wise to select a provider that offers tangible support throughout the process.
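As an added example, not code from the article, GlobalSign or the FDA, the Go program below builds a constructed self-signed X.509v3 certificate for a hypothetical registrant (the Acrobat-style self-signed case discussed above) and runs the checks the article states for an ESG certificate: version 3, populated Issuer and Subject, an e-mail address, not self-signed, not expired, and the recommended three-year validity. It also produces the public-only copy from the third step of the procedure and lists what a PEM file contains, so the sender can confirm the copy holds only certificate blocks and no private key. The sample identity, the DN fields checked (CN, O and C) and all function names are assumptions; PKCS12 export is not shown because Go's standard library does not provide it.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// NewSelfSignedCert builds a constructed, self-signed X.509v3 certificate for a
// hypothetical registrant, valid for validYears from now. This is the CA-less
// "Acrobat digital ID" case, not a CA-issued PersonalSign certificate.
func NewSelfSignedCert(validYears int) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	const email = "jane.example@example.com" // constructed sample address
	notBefore := time.Now().Truncate(time.Second)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{ // constructed sample identity
			CommonName:   "Jane Example",
			Organization: []string{"Example Pharma Ltd"},
			Country:      []string{"GB"},
		},
		NotBefore:      notBefore,
		NotAfter:       notBefore.AddDate(validYears, 0, 0),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		EmailAddresses: []string{email}, // rfc822Name in subjectAltName
	}
	// Passing tmpl as its own parent makes Issuer == Subject and signs with its own key.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IsSelfSigned reports whether Issuer equals Subject and the signature verifies
// under the certificate's own public key, i.e. no independent CA signed it.
func IsSelfSigned(cert *x509.Certificate) bool {
	if !bytes.Equal(cert.RawIssuer, cert.RawSubject) {
		return false
	}
	return cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
}

// CheckESGCertificate applies the requirements stated in the article. Checking
// CN, O and C as the "completed" DN fields is an assumption. One finding per failure.
func CheckESGCertificate(cert *x509.Certificate, now time.Time) []string {
	var findings []string
	if cert.Version != 3 {
		findings = append(findings, fmt.Sprintf("X.509 version %d, version 3 required", cert.Version))
	}
	for _, dn := range []struct {
		label string
		name  pkix.Name
	}{{"Subject", cert.Subject}, {"Issuer", cert.Issuer}} {
		if dn.name.CommonName == "" || len(dn.name.Organization) == 0 || len(dn.name.Country) == 0 {
			findings = append(findings, dn.label+" is missing CN, O or C")
		}
	}
	if len(cert.EmailAddresses) == 0 {
		findings = append(findings, "no e-mail address in the certificate")
	}
	if IsSelfSigned(cert) {
		findings = append(findings, "self-signed: no independent CA verified the identity")
	}
	if now.After(cert.NotAfter) {
		findings = append(findings, "certificate has expired")
	}
	if cert.NotAfter.Sub(cert.NotBefore) < 3*365*24*time.Hour {
		findings = append(findings, "validity shorter than the recommended three years")
	}
	return findings
}

// PublicCertPEM is the public copy (the .cer step): the certificate alone, no key.
func PublicCertPEM(cert *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
}

// PEMBlockTypes lists the block types in a PEM file; a copy meant for the FDA
// should show only "CERTIFICATE", never a PRIVATE KEY block.
func PEMBlockTypes(data []byte) []string {
	var types []string
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		types = append(types, block.Type)
	}
	return types
}

func main() {
	cert, _, err := NewSelfSignedCert(3)
	if err != nil {
		panic(err)
	}
	for _, f := range CheckESGCertificate(cert, time.Now()) {
		fmt.Println("finding:", f)
	}
	fmt.Println("public copy contains:", PEMBlockTypes(PublicCertPEM(cert)))
}
```

Run against the constructed certificate, the only finding is the self-signed one; a one-year certificate adds the validity finding. To check a real CA-issued certificate, replace the constructed one with the result of `x509.ParseCertificate` over the DER bytes of the installed certificate.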