This is an old revision of the document!
Table of Contents
Workstation Installation Guide
Introduction
With the implementation of the CeRTNA Documentation Wiki, this version of the Workstation Installation Guide serves as consolidation of multiple user guides. This document covers the installation and configuration requirements for the following platforms:
- APEX Transport Client
- ERDS Web Client
- G2G Web Client
- Entrust PKI Certificates
You can quickly move to any section by clicking the table of contents shown above
Overview
The CeRTNA ERDS workstation configuration requirements are driven by several factors as shown below:
- Workstation Security As Outlined By The California DOJ
- Encryption & Authentication Technologies Used By Entrust
- Two-Factor Authentication Via SafeNet USB Tokens
- Support Of The ERDS Web Based Application
In order to access the CeRTNA application, an ERDS application must meet the security requirements as outlined by the California DOJ. The California DOJ Baseline Security Requirements can be viewed at the following URL:
https://oag.ca.gov/sites/all/files/agweb/pdfs/erds1/Baseline_9_2014.pdf
Section 4.2.7 of the referenced DOJ document outlines the security requirements for a workstation.
To ensure compliance with the DOJ regulations, a CeRTNA ERDS workstation must pass a security audit before it can be used to process production level electronic recording. A new section has been added to this document that outlines the steps to be taken to prepare for the initial workstation security audit.
The CeRTNA application currently uses a toolkit provided by Entrust to perform authentication and encryption services. The Entrust services make use of Public Key Infrastructure (PKI) and Microsoft Cryptography API (CAPI) technologies. The Entrust toolkit uses Java to deliver its functionality and therefore a CeRTNA ERDS workstation must have a version of Java that is compatible with the version of Entrust tools that are in used by CeRTNA.
To support Two-Factor Authentication the CeRTNA application uses USB token technology provided by SafeNet. Drivers are required to communicate with the token and CeRTNA receives SafeNet drivers from Entrusthat that are compatible with the Entrust toolkit. Information about where to obtain the latest drivers and how to install them is provided later in this document.
Finally, the CeRTNA ERDS application is a web-based .NET application that is served up from a Microsoft Internet Information Services (IIS) web server platform. This means a web browser is required to access the CeRTNA ERDS application functionality. Currently the ERDS application will only work with the Microsoft’s Internet Explorer web browser.
HW & OS Requirements
Hardware and software has changed significantly since CeRTNA's original launch in 2008. Since that time the CeRTNA ERDS application environment is transitioning from a simple web client application to a more sophisticated thick client application named APEX.
Hardware Requirements
The following workstation specifications are designed to satisfy the requirements for running APEX and are current as of May 10, 2025:
- Processor: Intel i5 or greater
- Memory: 16 GB Minimum / 32 GB Recommended
- Disk Storage: 100 GB Recommended (Depends on your environment. See note.)
- USB Port: Available USB 2.0 port (See note.)
- Network Adapter: 100 Mbps or higher.
Notes:
- The SafeNet eToken requires a USB 2.0 or 3.0 style port. USB-C adapters are not supported.
- CeRTNA exchanges files with the recording vendor software using a Windows folder. This folder can be either a local folder on the local hard drive of the workstation, for example the C: drive, or it can be a shared network folder, for example \\your_server\shared_folder\. If you use a network share, the CeRTNA ERDS workstation will need to have network access to the shared folder or UNC path where the CeRTNA ERDS XML transactions will be accessed for submissions, stored upon retrieval, and or picked up for return. Please refer to the section Folder Structure in the Workstation Installation Guide for a description of how the standard CeRTNA ERDS folder structure should be created.
- In most cases, the Disk Storage requirements for CeRTNA are minimal. The XML files that are submitted by an agent or returned by a county are moved to a PROCESSED subfolder and APEX automatically keeps the subfolder cleaned up based on a “Number of days to keep files” setting in CeRTNA's agent and/or county configuration record. The current default setting for the “Number of days to keep files” is 45. The larger that number is, the more storage space that will be used. Allocating 100 GB of storage space will most likely cover any storage requirements needed by APEX.
- If you will be using a standalone workstation, you will need a security cabinet for your ERDS workstation. You can click this link to see a security cabinet that CeRTNA recommends.
- If you will be submitting transactions, you may need to acquire a scanner and scanning software. The brand of scanner/software is left up to the submitter, however, any scanner/software selected needs to be able to produce, black & white, CCITT T.6 (Group4-Compressed), 300 dpi, TIFF image files.
Operating System Requirements
CeRTNA will certify and support the CeRTNA ERDS software (APEX) and the required tools on the following Microsoft Windows platforms:
- Windows 10 Professional (32-bit or 64-bit versions.)
- Windows 11 Professional (64-bit version.)
- Windows Server 2012 Standard/Enterprise (Installed as a VM.)
- Windows Server 2019 Standard/Enterprise (Installed as a VM.)
Important: Home Editions of Microsoft Windows operating systems are not supported because they do now have support for Local Security Policy.
Firewall Considerations
APEX communicates using SSL port 443 (https) and some communications take place using port 80 (http). The following table contains a list of hosts that must be reachable in order for APEX to be installed or be used after the installation:
| Host | IP Address | Description |
|---|---|---|
| dev-ws02.certna.org | 204.246.133.236 | APEX installation |
| apex-setup.certna.org | 204.246.133.236 | APEX installation |
| apex-prd.certna.org | 204.246.133.237 | APEX production ERDS web |
| apex-prd.certnag2g.org | 209.170.199.196 | APEX production G2G web |
| reports.certna.org | 204.246.133.238 | APEX production ERDS reports |
| reports.certnag2g.org | 209.170.199.202 | APEX production G2G reports |
| *.sectigo.com | * | PKI certificates (Note 2) |
| *.digicert.com | * | PKI certificates (Note 2) |
| *.ssl.com | * | Code Signing certificate (Note 2) |
| *.godaddy.com | * | SSL certificates (Note 2) |
CeRTNA no longer interfaces with Entrust, therefore, the references to *.entrust.com and *.entrust.net shown above have been stricken out.
Note 1: CeRTNA recognizes that different firewalls are in service at our customers and that firewall features functions can vary broadly. CeRTNA prefers to minimize the amount of IT administrative support required by creating rules based on the following tolerance and/or capabilities of your firewall:
- Use wildcard domains if possible. (Ex: *.certna.org or *.certnag2g.org)
- Use host names if possible. (Ex: apex-prd.certna.org or reports.certna.org)
- Last resort, use IP addresses.
The preceding list is sorted in order of preference.
Note 2: Several digital certificates are used in support of CeRTNA/APEX, these include SSL certificates, PKI certificates for digital signatures, PKI certificates for encryption/decryption, and code-signing certificates. The CeRTNA APEX application uses core WCF & .NET functionality to verify that the PKI certifcates are still valid and have not expired. Further, during the APEX installation/update process, the code-signing certificate is validated. The lower level WCF & .NET API's communicate using port 80 for OCSP and CRL certificate validation functions. It is important that your firewall team take this into consideration.
Workstation Support
In addition to the locations listed above, there are some additional hosts that you also want to allow in order to facilitate the retrieval of Windows Updates and for CeRTNA remote support.
| Host | IP Address | Description |
|---|---|---|
| *.microsoft.com | * | Top-level Microsoft domain, to avoid issues with Windows functionality. (Note 3) |
| *.update.microsoft.com | * | General Windows update domain. |
Configuring the firewall rules for Windows Updates and other fundamental OS support, for example, virus definition files for Endpoint Protection or other 3rd party system management tools is the responsibility of your organizations IT staff. The information provided in the preceding table is here simply point out that there are additional URL's that may need to be accommodated beyond those that are required for APEX and/or CeRTNA functionality.
Note 3: Support for Teams meetings and screensharing is also required for remote support of the APEX software.
Supporting Software Requirements
Java Runtime Environment (JRE)
CeRTNA is actively transitioning customers to its APEX software. Although APEX does not require Java, CeRTNA still supports customers using the ERDS or G2G web client to send and retrieve XML transactions. In order to use the CeRTNA ERDS or G2G web client, customers must have a Java Runtime Environment (JRE) installed.
As mentioned in the overview section there are a variety of tools required to deliver the CeRTNA application functionality. An extensive number of hours have been invested by CeRTNA to validate the proper application functionality across operating systems, encryption decryption tools, browsers, platforms (ERDS & G2G), certificate renewals/downloads, application roles (submitters, counties, administrators) etc.
In order for everything to work properly together the most important item becomes the Java Runtime Environment (JRE). Comprehensive functionality will only be supported if you are using one of the following JRE versions:
| JRE Version | Download URL |
|---|---|
| JRE 7.51 (x86) | https://www.certna.org/ErdsUI/Downloads/jre-7u51-windows-i586.zip |
| JRE 8.121 (x86) | https://www.certna.org/ErdsUI/Downloads/jre-8u121-windows-i586.zip |
Due to requirements for installing and/or updating Entrust PKI certificates, CeRTNA cannot support JRE 6 Update 45. If you are still running JRE 6 Update 45, please update your workstation to use one of the supported versions shown in the preceding table. CeRTNA recommends using JRE 8.121, if possible.
Once you have downloaded one of the JRE installation files shown above, unzip the file to a working folder such as C:\JRE_Setup or a folder name of your choosing. Once the zip file has been extracted open the following subfolder: C:\{your workfolder}\ and double-click the JRE setup program to start the setup process. If you are prompted by User Access Control (UAC) to allow the installation, click the Yes button.
Click on one of the following links to view the installation instructions for either JRE7 or JRE8
XML Parser
Starting with Windows 7, support for Microsoft’s Core XML Parser is delivered with the operating system. It does not need to be downloaded and installed separately.
CeRTNA ERDS & G2G web applications require that you set your Internet Explorer browser into Compatibility Mode. If you do not configure your Internet Explorer browser for compatibility mode, you see the message ‘XML Parser Not Found’ if you attempt to complete a process that requires the application to parse an XML file, such as submitting a transaction or viewing a transaction.
These installation instructions are for the SafeNet Authentication Client 10.8
SafeNet Authentication Client
The following items should be taken into consideration before installing the SafeNet Authentication Client:
- If you are using APEX and do not plan to send or retrieve transactions using the CeRTNA APEX client you do not need to install the SafeNet Authentication Client.
- If you are using a CeRTNA G2G workstation you do not need to install the SafeNet Authentication Client.
- Important: If you plan to use your CeRTNA G2G workstation as a backup to your CeRTNA ERDS workstation, you should install the SafeNet Authentication Client on your CeRTNA G2G workstation.
CeRTNA uses SafeNet USB tokens for ‘two-factor authentication’. These tokens require drivers to be installed in order to recognize the token. Currently CeRTNA is supporting two different types of tokens, the SafeNet iKey 4000 token and the SafeNet 5100 eToken.
The current version of the Entrust SafeNet Authentication Client software can be downloaded from the following URL:
https://knowledge.digicert.com/general-information/how-to-download-safenet-authentication-client
This zip file is approximately 20 MB in size.
Important Note: If you currently have another version of the SafeNet Authentication Client installed you will need to use the Windows Control Panel to uninstall the older version, before installing an updated version of the SafeNet Authentication Client software.
To install the SafeNet Authentication Client 10.8 software make sure your token is NOT plugged in.
Run the downloaded Installer (E.G. SafeNetAuthenticationClient-x64.msi) to start the setup process.
The following window is displayed:
Click the Next button to continue.
The following window is displayed:
You can leave the 'Use the existing configuration settings' checkbox selected.
Click the Next button to continue.
The following window is displayed:
Click on the I accept the license agreement radio button.
Click on the Next button to continue.
The following window is displayed:
Use the default program location for the destination folder.
Click on the Next button to continue.
Click the Typical radio button.
Click the Next button.
The following confirmation window will be displayed:
Click the Install button to start the installation.
You will see a User Access Control (UAC) prompt requesting permission to install the software. Select Yes to allow the software to be installed.
The following window is displayed while the installation progresses:
When the installation completes, the following window is displayed:
Click the Finish button.
You will see a new 'S' icon in your taskbar. (Lower right area of your screen.) As shown below. The icon will appear dimmed out, until your SafeNet token is inserted.
Token Installation
To use the CeRTNA APEX application for submitting or retrieving transactions on your ERDS workstation, customers must complete a fingerprint/background check. Once this process is complete and the approval paperwork has been provided to CeRTNA staff a SafeNet token will be mailed to you. The token will contain your DigiCert PKI certificate, which is used for digital signing and encryption/decryption functionality.
After you receive your SafeNet token, insert the token into an available USB port on your system. The token will be automatically recognized and linked to the SafeNet driver.
Once the device driver is successfully linked to your SafeNet token, the 'S' icon will appear illuminated as shown in the picture below:
This completes the Token Installation.