Frequently Asked Questions

If you choose this method of identification, please take your printed service contract to the notary nearest to you and ask for it to be recorded in a so-called deed of confirmation. In this case, the notary will verify your identity and the fact that you have signed the service contract and will notarise it.

Please send the notarised service contract to 1439 Budapest, PO Box 663.

We recommend this method of identification mainly for our clients who are not resident in Budapest.

For information on the fees for the notarial deed registration, please consult the website of the National Chamber of Notaries.

Identification by face-to-face meeting can be replaced by a qualified electronic signature based on a qualified certificate for the service contract. If you have a qualified signing certificate, please authenticate your service contract electronically and send it to igenylesek@netlock.hu. (Authentication by stamp certificate is not a valid means of triggering identification.)

If you need help with the electronic authentication of your service contract, download our guide from our website.

If you choose this method of identification, a member of our staff will contact you by phone after you have sent your application to arrange a time and place. At the agreed time and place, please have your ID card and a printed service contract with you.

We recommend this method of identification primarily for our clients residing in or near Budapest.

Please refer to our price list for our MobilRA service fees.

If you choose this method of identification, please come to our customer service, as indicated by email after your application, where a member of our staff will carry out the identification during customer service hours.

Please bring your printed service contract and your ID card with you.

We recommend this method of identification mainly for our customers in Budapest.

To issue a Qualified Signing Certificate and a Qualified Website Authentication (IV SSL) Certificate requested by a natural person, the identity of the requesting Customer must be verified by his/her personal presence or by an equivalent means. NETLOCK offers the following options:

• In-person appointment at NETLOCK Customer Service during office hours
• Face-to-face meeting at a time and place agreed with the requesting Customer (MobilRA service).
• Identification by a notary
• Verification of identity by electronic signature

You can choose from the above options when applying for a certificate and ordering a package. Non-qualified Signing Certificates, Non-qualified Stamping Certificates and Website Authentication (OV SSL) Certificates requested by organisations (not natural persons) do not require the above identification. In this case, the requesting Customer only needs to send a copy of his/her identity document to igenylesek@netlock.hu.

When requesting an online SSL certificate, the identity of the requesting Customer is not verified at all.

When requesting a certificate that includes organizational information, NETLOCK will verify the organizational information and the eligibility of the requesting Client to request the certificate.

The following options are available for Customers to sign and submit the service contract to NETLOCK.

• If the identification required for the issuance of the requested certificate is done at the NETLOCK Customer Service or through our MobilRA service, please hand over the signed original service contract to one of our staff.
• If the identification for the issuance of the requested certificate is carried out by a notary, please send the original of the notarised contract to 1439 Budapest, PO Box 663.
• If the service contract is certified by electronic signature, please send it to igenylesek@netlock.hu.
• If personal identification by personal presence or equivalent is not required for the issuance of the requested certificate, you can also send the signed, scanned service contract to igenylesek@netlock.hu.

If you sign your service contract by hand, please do so in the same way as the signature on your ID card.

NETLOCK will authenticate the service contract with an electronic stamp or the hand signature of an authorised NETLOCK employee.

During the certificate application process, our staff will verify the provided information, prepare the fee request or invoice, verify the identity of the requesting Customer, and, if applicable, prepare the Customer Device according to the rules and regulations. Throughout the processing of the application, NETLOCK will keep you informed via email about the status of the process and the necessary steps to take.

Once issued, the certificate can be downloaded by logging into the Client menu.

If you would like to use our NETLOCK SIGN service for certificate services, please register with NETLOCK SIGN and request a certificate - or inquire about implementation options.

Once you have applied for a certificate, our staff will email you the steps required to verify your identity and organisation.

If you have not yet requested a certificate from us, please register in the NETLOCK client menu and select the New Certificate Request option.

To request a qualified certificate, please register in the qualified client menu.
To request a non-qualified certificate, please register in the enhanced security client menu.

If you would like to request your certificate as a bundle (including client device and timestamp service), please select the bundles offered for your primary use case under the Custom Solutions menu on our website, click on the order button and fill in the bundle order form.

Once you have applied for a certificate and ordered a package, our staff will email you the steps required to verify your identity and organisation.

If you would like to use our certificate service as a bundle (including signing device and time stamp service), please select the packages offered for your primary use case under the Custom Solutions menu on our website, click on the order button and fill in the package order form. Our staff will then prepare your Client Menu registration, record your certificate request and prepare your Service Agreement, and email you the steps required to verify your identity and organisation.

If you have already applied for a qualified or non-qualified certificate from us, you can apply for a new one by logging in to your own qualified or enhanced security client menu.

Once you have applied for a certificate, our staff will email you with the steps required to verify your identity and organisation. For data that has not changed and has been verified in a previous certification process, it is not necessary to send a copy of the document.

If you have a valid signatory certificate issued by NETLOCK, please use it to electronically authenticate your service contract. If you are requesting a qualified certificate, electronic signature with a qualified certificate may replace the need for in-person identification.

After submitting the certificate request, please send a copy of your identity document to igenylesek@netlock.hu.

The following identity documents are accepted for Hungarian and other EU citizens:

• ID card
• Driving license
• Passport

For non-EU citizens, only a valid passport can be accepted as identification document.

A certificate including organisational data should be requested by the person or persons authorised to represent the organisation, or by a person authorised by them. If you are applying for a certificate as a proxy, please send a copy of the authorisation and a copy of the specimen signature or specimen signature of the attorney(s) to igenylesek@netlock.hu after submitting the application. Sample documents are available under Regulations and documents.

If you have a general authorisation to act on behalf of the organisation, you do not need to request a separate authorisation to apply for a certificate, but if you do not have such document, please use the sample authorisation that can be downloaded from our website.

When requesting a Web site authentication certificate, NETLOCK will verify the right of use of the domain(s) to be included in the certificate.

If the domain(s) is/are not owned by the requesting Customer or the organisation it represents according to the relevant domain registry(s), we will also request from the requesting Customer a so-called domain use authorization, in which the owner of the domain(s) certifies that the domain(s) is/are legally used by the requesting Customer or the organisation it represents.

You can download a sample domain licenc on our website.

If your certificate is about to expire, you can apply for its renewal. In this case, we will issue you a new certificate with the public key and subject details of the certificate you are renewing.

To renew a certificate, please log in to your client menu and under the Issued Certificates menu, click on the Renew Certificate button on the data sheet of the certificate you wish to renew, verify the data is correct, then enter the additional information requested by the system and save your Service Contract.

Renewal can be requested at least 30 days before the expiry date of the certificate, which will be communicated to our customers by email at the email address provided during registration. In order for us to issue a renewed certificate before its original expiry date, you must submit your renewal request in your Client Menu no later than 14 business days prior to the expiry date. The renewed certificate will be issued 2-10 business days before the expiry of the current certificate, if the necessary conditions are met, to allow you to complete the necessary system migration, certificate upload, etc. in a timely manner. Certificates may be renewed more than once, but NETLOCK has the right to refuse renewal requests.

For more information on renewals, please refer to our policies.

If the original certificate to be renewed required identification by personal encounter or equivalent means, this procedure must be repeated when the certificate is renewed.

If the certificate to be renewed is a qualified signing certificate, please validate the service contract before the expiry of the certificate with a certificate that replaces the face-to-face identification.

If the certificate to be renewed is not a qualified or non-signatory certificate, but you have such a valid certificate, you can also authenticate the service contract with it, which can also be used to trigger the face-to-face meeting. NETLOCK reserves the right, however, to carry out an additional identification procedure for signatures made with certificates that it has not issued, even if the Customer is present in person.

If you need help with the electronic authentication of your service contract, please refer to our guide.

The documents requested at the time of the original certificate to be renewed need to be resubmitted and presented only if any of the information has changed or if the validity or reliability of any of the documents previously submitted is no longer valid or can be questioned.

Qualified signing, sealing, and website authentication certificates come with a specific liability value.

The limit of indemnity is per insured event (an insured event is one or more temporally related claims for the same cause). If an insured event involves several clients or several different contracts and their certificates, the amount of indemnity is determined in relation to each client and contract (certificate) so that the total indemnity does not exceed the maximum limit of indemnity, and the limit of indemnity for each service or type of certificate is limited.

NETLOCK has liability insurance to cover its liability for damages.

NETLOCK excludes liability for loss of profit, loss of revenue, cost savings, delays to third parties, pecuniary and non-pecuniary or consequential loss, except for intentional breach of contract and for damage to human life, limb, or health.

Details of the financial liability or limitation of financial liability in relation to certificates are set out in the relevant service regulations and the General Terms and Conditions, which can be downloaded under the regulations and documents section.

The service fee includes the generation, issuance and storage of the certificate, its continued availability via the client menu and the provision of status services until the end of the validity period. However, the fees do not include the costs of the key storage devices, which are essential for the creation of qualified signatures and stamps, but may also be necessary in other cases.

The two-year fee is valid for two-year certificate and the subscription fee is payable in one lump sum. Before the end of the subscription period, i.e. before the expiry of the certificate, renewal of the certificate can be initiated by requesting a renewal of the certificate. The renewal fee is the same as the current certificate fee.

More information is available in the Price list.

• Signing and sealing certificates and their keys may only be used for signing, sealing or signature and stamp verification.
• Website authentication certificates may only be used to identify web servers accessed via SSL and TLS.
• Encryption and authentication certificates may only be used for encryption or user identification according to their intended purpose.

Any use of certificates and keys other than the above, and in particular their use for the provision of trust services, is prohibited.

The detailed rules for the use of certificates and keys are set out in the relevant service policies, which can be downloaded from the Regulation and documents section.

• Verifying the validity of Netlock issued timestamps means verifying the provider signature or stamp on the timestamp.
• The signerInfo attribute of the SignedData/SigningCertificate or SigningCertificateV2 field of the signature or stamp contains the certificate identifier (ESSCertID or ESSCertIDv2).
• The Subject/commonName field of the certificate contains the unique name of the issuer, which must include the words "qualified" and "timestamp" or their Hungarian equivalents ("minősített", "időbélyegző", "időpecsét"); the organizationName field must contain the name "Netlock Kft." or "Netlock Ltd." or "Netlock".
• The service provider signature or stamp on the certificate must be verified up to the root certificate, which can be verified in the EU Trusted List (see above).

Certificates issued by Netlock can only be used for signing or stamping within their validity period, provided that their status is valid (i.e. not revoked or suspended). The verification must be performed for all the top-level service certificates in the certificate chain, up to the root certificate (see previous section).

The validity of the certificate status can be checked using the revocation list of the provider (see the crlDistributionPoints field of the certificate) or the OCSP response (see the authorityInfoAccess:OCSP field of the certificate). The revocation list and the OCSP response can be found as signature or stamp data or obtained from the provider during the validity period of the certificate using standard methods (see Technical Information). It can be obtained beyond the validity period of the certificate through an individual procedure.

It must be checked in the certificate data:

• the subject's details (Subject and Subject Alternative Name fields, name and unique identifier in the case of an organisation, name and email address in the case of a natural person, domain names and other identifying data in the case of a website - see section 7.1 of the relevant Service Policy),
• the Key Usage field (Keyusage, extendedKey Usage), which must correspond to the intended use (see section 7.1.2 of the relevant Service Policy),
• the authentication scheme under which the certificate was issued by the service provider (CertificatePolicies/policyIdenttifier - for the meaning of these standard identifiers, see Chapter 1.2.1 Authentication schemes of the relevant service policy; the identifier is used to decide whether the public key private key pair included in the certificate is suitable for qualified or unqualified signature or stamp creation),
• any textual information provided by the Service Provider, which may contain additional restrictions on the use of the certificate and its associated private key (CertificatePolicies/userNotice/explicitText)

In the event of any ambiguity, please check NETLOCK's policies or contact NETLOCK's customer support.

There are two sides to the check: the technical and legal validity of the signature or stamp must be examined separately.

Technical validity

The technical validity of a signature or stamp is usually established by means of an authentication application. The application automatically performs the technical verification steps, i.e. it determines: 

• the coherence of the signature or stamp, the control data (public key) and the signed or stamped document;
• whether the control data (public key) is accompanied by a certificate;
• whether the certificate associated with the control data (public key) was valid at the time the signature or stamp was affixed;
• the validity of the service provider's signature and certificate (so-called intermediate issuer certificate) on the certificate for the control data (public key);
• and the validity and trustworthiness of the root certificate (root certificate) of the top-level service provider that authenticates the intermediate root certificate.

In order to determine the validity of a certificate at the time of signing or stamping, it is necessary to have credible information on the date of signature or stamping. Failing this, verification may raise questions, so in all cases a time-stamped signature or stamp is the most reliable.

If the time stamp has expired, the date of signature or stamp cannot be verifiably established. However, in the event that the signed or stamped document has also been provided with a new, so-called archival time stamp before the expiry of the time stamp of the signature or stamp, it "preserves" the authenticity of the original signatures, stamps and time stamps.

If the cryptographic algorithms used for signatures or stamps and time stamps are weakened, the authenticity of the document is no longer guaranteed. As above, if an archival timestamp with a stronger algorithm was applied to the document before the algorithms were weakened, it will "preserve" the authenticity of the original signatures, stamps and timestamps.

This "preservation" of authenticity is valid until the expiry of the validity of the archival time stamp or until the algorithm of the archival time stamp is weakened. In these cases, a new archive timestamp is always required to maintain authenticity.

There are several ways to check the trustworthiness of the root certificate: the application can maintain its own list of trusted providers, use the operating system list or check the EU Trust List.

Legal validity

To determine the legal validity and acceptability of a signature or stamp, the following checks are required:

• the technical validity of the signature or stamp (see above);
• the certificate for the signature or stamp was issued by a registered trust service provider, i.e.:
  • the issuer is on the EU Trust List; and
  • whether it is registered by the competent territorial trust authority (in Hungary, trust service providers are supervised by the NMHH, which can be accessed by clicking here).

If the above conditions are fulfilled, the signature or stamp has legal effect, but its acceptance also requires verification that the signature or stamp complies with the requirements of the relevant case. If, for example, a law specifically requires a qualified signature, a non-qualified signature or stamp, or even a qualified stamp, cannot be accepted even if its technical and legal validity is otherwise in order as described above.

NETLOCK services are available after the conclusion of a service contract. In case the requested qualified certificate (also) contains personal data, NETLOCK must identify the natural person requesting the certificate by means of a personal meeting in order to issue the certificate. It must verify furthermore all the information contained in the certificate against authentic data. If the certificate (also) contains data of a legal entity, NETLOCK must also verify the name, unique identifier and representative of the legal entity against authentic data.

Policies and contractual conditions

For detailed rules on the provision and use of NETLOCK's trusted and non-trusted services and the terms and conditions of contracting, please refer to NETLOCK's policies.

Prices and payment information

For information on the fees for services and payment terms, please refer to the NETLOCK price list.

Read more...

From 1 July 2016, Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (eIDAS) will apply, providing a single framework for electronic authentication and administration in the EU. As of the same date, the new requirements for electronic authentication in Hungary are contained in Act CCXXII of 2015 on the General Rules for Electronic Administration and Trust Services (Eüt.) and the related implementing regulations.

Non-qualified (enhanced security) services will have to be provided in accordance with the new rules from 1 July 2016, while qualified services will be migrated by 30 June 2017.

The key EU and national legal principles for trust services are:

• A qualified electronic signature/stamp issued in one EU Member State must be recognised as a qualified electronic signature/stamp in all other Member States.
• According to eIDAS, a qualified electronic signature should be considered at least equivalent to a handwritten signature within the EU and its legal effect should be determined on that basis, and in the case of stamps, the integrity of the data associated with them should be presumed.
• The legal effect of advanced signatures and stamps is left to national competence by eIDAS.
• A document on which the issuer has affixed a qualified electronic signature or stamp shall be considered as full evidence until proven otherwise.
• An enhanced security stamp or signature based on a qualified certificate shall be treated in the same way as a qualified signature or stamp.
• In the case of an enhanced security signature or stamp not based on a qualified certificate, the contents of an electronic document authenticated by it shall be presumed not to have been forged unless the contrary is proved.
• In the domestic legal order, qualified signatures and stamps and enhanced security signatures and stamps based on qualified certificates may be used to create a document with full probative value.
• eIDAS has also created a single European regulation for website SSL certificates and introduced the concept of qualified and non-qualified website SSL certificates.
• The new legislation does not contain provisions for website authentication certificates based on encryption and authentication and domain validation only, which are available as Online SSL from NETLOCK.

Information on video identification

must be known, understood and accepted prior to video registration.

You must also consent to it,

to be identified by video in NETLOCK.

Reading of the statements

At the beginning of the video identification, you will be asked to read the following statements related to the registration:

"I have read, understand and accept the information about video identification."
"I agree to be identified by video identification."
I agree and accept that I will be verified by video verification.

During the registration process, you will be asked to enter the verification code sent by SMS. Please open your messages and prepare this code.

Identity card

You will need to enter your ID number and show your ID card during the identification process, so please keep it handy and have it ready.

Security is important for NETLOCK! All data is handled securely and in accordance with legal requirements.

• All information and video recordings are encrypted and stored securely in NETLOCK.
• The video recordings can only be processed and viewed by NETLOCK employees with special access rights and are not accessible to third parties.

• Your web camera is used for identification, so please allow its use during video registration, and NETLOCK will warn you about this.
• Check that the camera lens is clean and that nothing is blocking the camera.
• Before starting the video registration, please check that the email address you wish to use is working properly and is in a usable state. It is possible that the activation email and other emails sent by the service provider may be sent to the spam folder, please check this when using the NETLOCK service.
• During video registration, random tasks should be performed. To ensure a successful application, please pay close attention and focus on these during the registration process.
• Follow the video registration instructions! Read the tasks carefully and pay attention to fit them into the time frame.
• Until the end of the video registration, stay alone in front of the camera and make sure that the room is quiet.
• It is advisable to create the right lighting conditions for video recording, and find a suitable, bright place for this. Position yourself close to the window, preferably facing the window. If there is not enough light, turn on the lights in the room. Be aware that direct bright light shining into the camera can be distracting.
• You can interrupt and restart the video registration process at any time if you have already entered the necessary registration details.
• The video tasks will be recorded in our system at the end of the registration process and the registration video will be uploaded. Do not close your browser window during the uploading process, as you will be warned by the
• NETLOCK system. At the end of the process, a large amount of data will be uploaded (25-50 MB data traffic).

• Browser

The latest version of Google Chrome, Mozilla Firefox, or Microsoft Edge based on Chromium is recommended.

• A stable internet connection (preferably WiFi or wired internet).
• Mobile phone and phone number

Mobile phone and phone number capable of receiving text (SMS) messages.

• Web camera (min. resolution: HD ready 720p) and microphone.
• "Up to date" operating system

For maximum protection and security, it is always necessary to keep the operating system of the device up to date and update it if necessary.

• After the video enrolment, NETLOCK experts will check the information you have provided and, if everything is in order, they will authorise the issuance of the e-signature certificate. The processing of the registrations received is continuous and the duration of the processing depends on the number of registrations received.
• After a successful registration, a confirmation message will be sent to the e-mail address you provided during registration.
  • The e-mail will contain the certificate details and documentation about the NETLOCK service.
• Upon successful registration, access will be activated and the NETLOCK service will be available for use

In case of an unsuccessful registration, NETLOCK will send you a notification with a brief explanation of why the registration and certificate request are rejected.

After an unsuccessful registration, you can resubmit a certificate request with a new video registration, even to the same e-mail address that was used to submit the certificate request.

Examples of rejection cases:

• Incorrect or incorrect personal data.
• Incorrect or incorrect video enrolment tasks
• Poor quality video

NETLOCK personal video registration consists of the following 6 simple steps. After the video registration process, the signing certificate is issued from the NETLOCK system after a short video identification.

You need a working email address to register!

Steps for registration and certificate application:

1. Start registration
2. Register to register and start the registration process
3. Enter and activate e-mail address and phone number
4. Registration and activation of your email address, registration and password
5. Verification of registration and issuance of certificate
6. Start using the NETLOCK system

Certified electronic signatures with full legal force and literality on your computer, mobile phone or tablet.

Full audit and EU, eIDAS compliance

Provides e-signature capability that is legally enforceable in all EU member states.

Multi-factor authentication for both login and signature

Video enrolment* enables secure, anytime automated customer authentication (*Legal environment: the method qualifies as strong customer authentication (SCA) under current Hungarian (Government Decree 541/2020 (XII. 2.) and EU legislation (Act CCXXII of 2015) and EU legislation, and enables the issuance of the strongest legal effect Qualified Signature Certificate (QSCD), as well as business and stamp certificates).

Online video identification requires approximately 25-50 MB of data traffic and optimally 5 minutes

Take note!
Please create the conditions for this and make sure that you can concentrate on the customer identification process for a few minutes without disturbance.

• Platform independent solution, i.e. able to create electronic signatures from a PC (Windows, Linux, MAC), mobile phone or tablet (Android and soon iOS will be supported).
• E-sign/sign individual and large volumes of documents with personal, business or stamp certificates.
• Placement of visible signature images on PDF documents.
• Remote working and workflow support.
• Easy REST integration for business use. Centralized and on-premise implementability. Scalable system.
• Certificate lifecycle management.
• Intuitive, browser-based, large-screen interface.
• Cloud-based key storage with high security access.

• Make the resulting pfx-extension file available to the partner company that has access to the EESZT system.
• The cer-extension file received must be given to the State Health Care Supply Centre (SHSC).

During online registration, a Service Agreement is automatically generated and sent to the e-mail address you provide. Once you receive this, please print it out, sign it, scan it and send it back to us together with the documents listed below (details of how to do this will be included in the email):

• A specimen signature or specimen signature of the person authorised to represent you (or, in the case of other organisations, a document with an equivalent function, such as a letter of appointment)
• Authorisation from the representative(s) of the organisation, if the applicant is not the person authorised to sign on behalf of the organisation or is not individually authorised to sign
• Service contract - automatically generated after the application is submitted and sent to you by email. Please print it out, sign it and scan it and send it to us.

The verification of the organisational data (e.g. name, registered office, tax number) is carried out by the authentication division of NETLOCK. If the available database does not give a clear result for the details of the organisation, it may also be necessary to send the following documents: articles of association/statutes/extract from the court. In this case, our staff will contact the applicant and inform him/her about the sending of the necessary documents.

Why is it necessary to submit the above documents?

The certification authority (NETLOCK) is the supervisory body of the National Media and Infocommunications Authority (NMHH), and the data in the certificate must be verified by the certification authority before the certificate is issued.

There are also several types of authentication certificates. According to the law, organisations, doctors and institutions providing healthcare services need a so-called "enhanced security class C authentication certificate". If you are interested in more details about what exactly is EESZT, what is its legal background and what other certificates exist, click on the link below!

Legal background

From 1 November 2017, all publicly-funded healthcare providers (GP surgeries, specialised care facilities) and pharmacies must use EESZT services.

The certificate issued is valid for 2 years to reduce the administrative burden on you. If you decide after the first year that you want to renew the certificate for the following year, there is no administrative work to be done, only the payment of the second year's service fee.

This certificate will give you the possibility to access the EESZT online system in a secure and identified way. In fact, the certificate is a digital identification key that you need to access the EESZT system.

The certificate you request will be sent to you by e-mail and can be downloaded via the link in the letter. There will be two links in the letter, please download both. You will need to download a file with a pfx- and a cer- extension.

The certificate is actually a digital code string, a file that you need to download to your computer. This file will identify you when you log in.

In particular, but not exclusively, the Customer shall be liable for:

• providing and verifying the information requested by NETLOCK for the provision of the Service;
• cooperating, where necessary, with identification and data verification procedures;
• reporting changes to verified information;
• to be informed of the applicable service rules and the GTC;
• for the correct use of products and services;
• inform NETLOCK of disputes arising from the use of the Services.

Clients are entitled to use the services under their service contract, in accordance with the General Terms and conditions and the Rules of Service, if their fees are paid on time.

NETLOCK shall be responsible for the service activities carried out within the framework of its regulations. NETLOCK shall have the right to refuse or limit the provision of services in the event of a serious breach of contract by the Customer.

The rights and obligations of the parties are set out in detail in the GTC and the relevant service regulations, which can be downloaded from the Regulations and documents section.

The conditions for concluding a service contract are primarily:

• the submission of a request to NETLOCK for the service in question, as specified on the website;
• the submission of the data and documents required by NETLOCK for the provision of the service in question;
• the validity of the data submitted (verified by NETLOCK on the basis of credible sources);
• where necessary, identification of the Customer by means of a personal meeting with the Customer.

The conditions for concluding a contract are set out in detail in the General Terms and Conditions, which can be downloaded from the Regulations and documents section.

The subscriber is obliged to pay in advance for the periodic services and any additional  (e.g. optional) services used, as well as other agreed fees (e.g. administration fees), as set out in the Terms and Conditions, based on the Price List or individual customer offers.

In the event of termination or withdrawal within 14 days of the conclusion of the service contract, NETLOCK will refund the full service fee.

NETLOCK shall store and process personal and/or confidential data in its possession in accordance with the applicable legal provisions and the provisions of its non-public Data Management Policy. NETLOCK's data management registration number is NAIH-50145/2017.

In case of questions, objections and complaints about its services contact NETLOCK by e-mail, telephone or in person. In the event of any dispute or complaint, the Customer is obliged to promptly notify NETLOCK and to fully inform NETLOCK of all aspects of the matter before taking legal action. The parties shall at all times attempt to resolve their disputes amicably through negotiation.

For detailed business and legal information on the services, please refer to the relevant Service Policy, clause 9 and the General Terms and Conditions, which is available in the Documents and regulations section.

As a qualified trust service provider, NETLOCK provides trust services at both qualified and non-qualified levels:

• we provide both qualified and non-qualified levels of certificate services for signing, stamping and website authentication
• our timestamp service is only available at the qualified level
• our encryption, authentication and online (DV) SSL certificate services are not covered by eIDAS and EETS

Our website clearly distinguishes between qualified and non-qualified services (both in text and visually using icons), so you can always be sure that the service you require is provided as a qualified or non-qualified trust service.

You can request certificates and other services through our website by clicking on the Order button on the Products, Services or Solutions subpages of the relevant product, service or solution page.

Cards blocked for any reason cannot be unblocked by NETLOCK. In the event of a card being blocked, NETLOCK provide the security unblocking PIN (SO PIN) to the cardholder after the customer has been identified. Once the SO PIN has been transferred, the customer can unblock the card and set a new PIN in the card management program.

At the same time as the transfer, NETLOCK deletes the SO PIN from its system and records, ensuring that it cannot be made available again. After the transfer, the customer is responsible for the retention and secure storage of the SO PIN.

If you have any further questions regarding your blocked card, please contact our Customer Service.

The card can only be verified in person at the NETLOCK Customer Service and always in the presence of the certificate holder at a pre-arranged time. The verification takes place at the NETLOCK reception.

During card verification, the cardholder must enter his/her PIN code on a dedicated device. If you have any further questions regarding the conditions of the card verification and the appointment, please contact our Customer Service.

IMPORTANT! NETLOCK provides scanning only for its own devices, that includes the card and reader, and does not include the customer's computer or devices provided by other service providers.

If the certificate owner does not renew the expiring certificate in time, and the certificate expires as a result, NETLOCK cannot generate a new key for the customer's existing device. In such cases, the customer always need to apply for a new card. In case of new card application terms and conditions  please contact our Customer Service.

You can request a timestamp service, as part of a timestamp fee package and a certificate service package, or by requesting an individual offer at ajanlat@netlock.hu.

After signing the service contract and paying the fee, our staff will provide you with the URL to access the service with your unique identifier.

For information on the prices of our timestamp fee plans and service packages, please consult our price list.

NETLOCK provides a qualified time-stamp service for its Customers to issue time-stamps in accordance with the RFC 3161 Internet X.509 Public Key Infrastructure Time-Stamp Protocol as part of its qualified time-stamp service.

A time stamp is a credible proof that the time-stamped document definitely existed in its current form at the time the time stamp was issued.

Both qualified and advanced signature and seal certificates are available as part of the NETLOCK SIGN Business service.

One advantage of the qualified and advanced seal certificates is that issuing a certificate can be done without personal appearance. In the case of qualified signature certificates, a personal appearance or equivalent identification is required.

When signing PDF documents, Adobe Reader will correctly display PDFs signed with qualified certificates even with default settings. However, when using advanced certificates, the verification result will only be displayed correctly after enabling Windows certificate store integration in Adobe Reader.

Based on the type of certificate, the following options are available when ordering both qualified or advanced subscription packages:

• Signature certificate (personal profile): The certificate owner can sign electronic documents as an individual. This type of certificate can also be used for company signatures, but it does not certify that the person represents a legal entity.

• Signature certificate (organizational profile): The certificate owner can sign electronic documents as an individual belonging to a legal entity, so that the signature contains both the individual's and the organization’s details. This type of certificate can also be used for company signatures and clearly proves the legal entity to which the certificate belongs.

• Seal certificate: An organization can sign (stamp) electronic documents as a legal entity. The electronic seals created are not a substitute for a company signature, but they allow the legal entity to recognize the electronic document as belonging to it in a court of law (equivalent to stamping a paper document). This type of certificate is best suited for electronic invoicing and for purposes where a company signature is not required.

NETLOCK SIGN Business service can be purchased in different solution packages, depending on the type of certificate (advanced or qualified) and the number of documents to be signed per year (1000, 3000, 5000, 10000). More information and the pricing of the available packages can be found at the following link.

The following features are available in NETLOCK SIGN Business:

• Signature certificate, stamp, timestamp application/registration
• Upload, download, and deletion of documents (single or bulk)
• Electronic signing, stamping, and timestamping of documents (single or bulk)
• Electronic signature verification of documents signed in the system
• Display of user data and certificates available for that user
• Ability to set PDF signature image profiles
• Ability to query the number of signature transactions initiated in a given period

Accessible from a simple web browser, NETLOCK SIGN is a cloud-based solution that enables users to electronically sign documents anywhere, anytime, without the need for traditional e-signature tools such as smart cards and card readers. Furthermore, it is platform-independent and works on any device (PC, Mac, smartphone, tablet).

NETLOCK SIGN Business represents the next generation of electronic signature services, enabling users to sign documents electronically via an web interface, even for a large number of documents at the same time. Documents signed through this service hold the same legal validity as traditional handwritten signatures and are uniformly accepted across all countries of European Union.

The NLToken web signing module supported by SIGNASSIST CryptoServer is able to support all standard signature formats and levels required by the eIDAS Regulation 910/2014/EC, and also the E-AKTA v1.5 format, which is widely used in Hungary.

ETSI TS 103 172 & EN 319 142 PAdES Baseline (PAdES-B, -T, -LT, -LTA)
ETSI TS 103 171 & EN 319 132 XAdES Baseline (XAdES-B, -T, -LT, -LTA)
ETSI TS 103 173 & EN 319 122 CAdES Baseline (CAdES-B, -T, -LT, -LTA)
ETSI TS 103 174 & EN 319 162 ASIC Baseline (ASIC-S, ASIC-E)

After browsers have introduced the key generation option, NLToken allows the user to generate a key on his own computer and request a certificate for it. After installing NLToken, logging into the NETLOCK client menu (Qualified or Advanced) and following the instructions, NLToken performs the necessary cryptographic operations in the background.

Key generation, previously available in Internet Explorer, has been disabled. If you have started the process in Internet Explorer, you will be able to finish importing the issued certificate in Internet Explorer, but you will not be able to submit a new enrolment anymore, only with NLToken 2.0 in supported browsers.

The operating systems supported by the NLToken web signing module are the following:

• Microsoft Windows 10 (64-bit)
• Microsoft Windows 10.0 (64-bit) Microsoft Windows 8.1 (64-bit)
• Microsoft Windows 7 SP1 (64-bit) Microsoft Windows 8.0.1 (64-bit)

The support for Windows NT, XP, Vista and Windows 8 operating systems has been discontinued, and NLToken product support is not provided above these operating systems.

IMPORTANT! MacOS and Linux are not supported operating systems!

Which browsers are supported by the NLToken 2.0 solution?

• Microsoft EDGE (Chrome-based version)*
• Google Chrome**
• Mozilla Firefox 75.1+

The solution also supports Windows Terminal Server based operation. Always enable NLToken as an extension after installing it in your browser.

*In Microsoft EDGE (Chrome-based version) browsers, you can also install the extension from the Google Chrome application store:

NLToken 2.0 – Chrome Web Store (google.com)

If you have not already installed an application from the Chrome Web Store, you must first enable it.

** Google Chrome disables extensions in incognito mode, so NLToken will not load there.

The key storage devices supported by the NLToken web signing  module are the following:

• Gemalto IDClassic 340 (NETLOCK IDC340 & Microsec "eSG" marked smart cards)
• Oberthur 7.0 (NETLOCK)
• BIT4ID Crypto Java Card (NETLOCK)
• BIT4ID Touch & Sign 2048 (Microsec "eSB" marked smart card)
• New type of electronic identity card (eID)

The solution does not limit the range of supported card readers, supporting most commercially available ISO 7816 and ISO 14443 compliant card readers for electronic signatures.

The previous versions of NLToken used the red logo, while the latest NLToken 2.0 version now features the blue NETLOCK logo.

If any issues are experienced with the earlier version:

• Uninstall the "NL signing" add-on from your browser and the Chrome Token Signing application from your computer.
• After the uninstallation is complete, visit the NETLOCK│NLToken website, download, and install the latest NLToken 2.0 installation package.
• Then, install the new NLToken add-on (available free of charge) from the application store.

The NLToken Web Signing Module is a browser-side extension that manages traditional smart card key storage devices.

This can be accomplished from supported browsers using a native communication channel, enabling electronic authentication with keys available in the local Windows certificate store, as well as key generation. Both the installer and the add-on are available free of charge in the respective browser's application store.

As part of the mobile enrolment service, a member of our staff will visit you in person to carry out the identification necessary to issue the certificate.

Please consult our price list for information on the fees for our MobilRA service.

You have the option to apply for a certificate in an accelerated 3-day or 1-day procedure instead of the standard 14 working days.

Please refer to our price list for information on the fees for this service.

Optional Services are additional services that can be used in addition to or in conjunction with the Certificate Services. The fee for optional services is usually payable together with the fee for the certificate(s) requested.

If the identification is not carried out through our customer service or MobilRA service and you have requested your certificate on a device, you can collect your device from our delivery agent on weekdays between 9am and 5pm.

Please refer to our price list for information on the fees for our delivery agent service.

If you request our post-payment service, the issuance of certificates and the activation or availability of our other services are not subject to the service fee being credited to your NETLOCK account. In this case, we will issue your certificate within a few days after successful verification of your application, identification and contract conclusion, with priority processing.

Please refer to our price list for the fees for our post-payment service.

Placement of the Customer's facial image as shown on the Customer's ID card on the requested Customer Device. Only available for personal and business certificates and for standard plastic cards of credit card size.

Please refer to our price list for information on the service fees.

The CA Browser Forum (CA/BROWSER FORUM) has adopted a new method for domain authentication. To use the email verification method, you can add your preferred email address to DNS TXT records. This email address can be used as the recipient of future verification emails.

Steps to set your preferred email address for contacting:

cPanel:

• Go to Domain Names
• Open DNS Zone Editor
• Filter for TXT records
• Add a new TXT record
• Name: _validation-contactemail.domainname.hu
• Record content: example@domainname.hu
• Add the record

Domain owners can publish their contact details via DNS, and CAs can use this information to verify domain control. A confirmation email containing a unique "Confirmation" link can be requested to the provided address(es), which can be used to verify domain control. Clicking on the link will confirm your ability to control the domain.

During the technical verification, emails will be sent to the following addresses associated with the domain name(s) in the application: "admin@", "administrator@", "webmaster@", "hostmaster@", and "postmaster@".

Forwarding Administrator Emails:

• Visit the email redirection settings associated with your domain.
• Select the option to add a new email redirect.
• Specify the administrator addresses (admin, administrator, webmaster, hostmaster, and postmaster) that you want to redirect.
• Enter your preferred email address to which you want the emails redirected.
• Save the changes.

From now on, emails sent to the administrator addresses will automatically arrive at the email address you have specified.

Request domain validation for the administrator address in your client menu (when you apply for your first certificate or renew your certificate) to complete the domain control with one click. The confirmation email used to verify the domain will contain a unique "Confirmation" link.

The GDPR regulation has brought some challenges with domain email verification. Technical email addresses have been removed from the WHOIS system and providers can no longer use these addresses for verification.

The email verification method has basically been limited to the use of generic addresses such as admin, administrator, hostmaster, postmaster and webmaster. Many organisations do not use these addresses and this made domain verification more difficult.

CA/BROWSER FORUM recommendation

Set up administrator addresses to control domain control.

Before issuing an SSL certificate, providers should verify the right and ability to control the domain name(s) to be included in the certificate. The control of the domain(s) is technically verified!

IMPORTANT!  Certificate can only be issued after the domain has been validated!