You can sign an access certificate yourself, for example with OpenSSL.
Requirements for the Distinguished Name:
- CN=<URL of the subscriber system that performs the communication with AIS or other unique identification of the subscriber system>
- O=<Name of organization>
- E-mail=<E-mail address for notification purposes, e.g., in case of end of validity>
- C=<Country of organization>
The following additional requirements shall be considered when preparing the certificate:
- Maximum term three years
- Hash algorithm minimum SHA-256
- Key length minimum 3072 bit
Special conditions still apply for access certificates within the framework of regulated (ZertES) or qualified (eIDAS) seal creation: The private key of the access certificate must be created on a cryptographic module in a joint ceremony with a Swisscom registration authority representative. This module must meet FIPS 140-2 Level 2 or similar, e.g., YubiKey, Feitian key, or Microsoft Key Vault. If this is not possible, you can submit an implementation concept describing how the access certificate can be assigned to the organization's representative in another way.