 General Information

1. What is a digital certificate?
2. What types of State of Washington certificates does IdenTrust offer and what are they used for?
3. What type of information do I need to provide to be approved for the different certificates?
4. Which Web browsers can support digital certificates?
5. Who can apply for a State of Washington certificate?
6. How do I get a hardware token and what types are available?
7. Why should I get a State of Washington certificate?
8. How long is a State of Washington digital certificate valid?
9. What information will my certificate actually hold and display?
10. How long does it take to get a State of Washington certificate?
11. Where can I find a notary to sign my application form?
12. Why do I need more than one passphrase?
13. What are the rules that my Roaming Password must follow?
14. How do I reach the IdenTrust Help Desk?
15. If I have a one year certificate, will I be able to renew to a two year certificate via Certificate Management Center (CMC), or will I have to reapply?
16. If I have a one year certificate, what will the cost be when I renew that one year certificate?
17. If I have a one year certificate and need to replace a certificate, will I get one year or two year certificate? What will it cost, if anything?

1. What are digital signatures and digital certificates?

A digital signature is a mathematical representation of a message, created using public key cryptography, that identifies the originator of the message in a non-forgeable manner. Public key cryptography requires the use of two mathematically related keys: a public key and a private key. The private key is kept private by a single owner and is not distributed to anyone else. The owner uses his or her private key, in conjunction with cryptographic algorithms, to digitally sign a message. The public key is made public and can be used by anyone to verify the digital signature on a message. Because the two keys are mathematically related, only a single private key can generate a digital signature that is verifiable by the corresponding public key, which makes the digital signature unforgeable.

The challenge now becomes binding a public/private key pair, in a reliable fashion, to an owner. This is where the digital certificate comes in. A digital certificate binds a person's identity to his or her public key, and consequently to his or her private key, and is used to verify digital signatures. Digital certificates and digital signatures then provide the foundation for secure e-business.


2. What types of State of Washington certificates does IdenTrust offer and what are they used for?
IdenTrust offers the following certificate types to the participants in the State of Washington PKI:

High Assurance Level Certificates:
This certificate requires:
  • In-person presentment to an approved notary
    • Affiliated with a financial institution
    • An employee of your company that works in a notary capacity
  • Online application (notary form available for download through this process)
  • Generation and storage of private key in a hardware module that requires a password.
    • SmartCard (with reader)
    • USB Token (plugs into USB port)
  • Reliance limit of $50,000.00
Intermediate Assurance Level Certificates:
This certificate requires:
  • Online application
  • Generation and storage of private key in a hardware module that requires a password.
    • SmartCard (with reader)
    • USB Token (plugs into USB port)
  • Reliance limit of $10,000.00
Standard Assurance Level Certificates:
This certificate requires:
  • Online application
  • Generation and storage of private key in an appropriate browser
    • Microsoft Internet Explorer, v5.0 or later, 128-bit
    • Netscape Navigator or Communicator, v4.0 or later, 128-bit
  • Reliance limit of $1,000.00

High and Intermediate Assurance certificates are issued to individuals and can be used to digitally sign and encrypt e-mail sent via Secure Multipurpose Internet Mail Extensions (S/MIME). With the appropriate tools, they can also be used to sign documents and forms. Additionally, the secure sockets layer client (SSL Client) functionality is used to authenticate the certificate holder to a server for controlled access to Web pages or confidential information, such as in the case of the Transact Washington application.

All Certificates issued under this program will adhere to the requirements listed below:
  • Applicant information is sent through a third party proofing process
  • Notary forms are required for High Assurance Level Certificates
  • Activation codes are sent out-of-band (US Mail)
  • Renewal notices are sent out to Subscribers

3. What type of information do I need to provide to be approved for the different certificates?
For all certificates the following information is required: name, former last name (if changed in last twelve months), home address, social security number, date of birth, driver's license number, e-mail address, work phone and home phone.


4. Which Web browsers can support digital certificates?
You must have a browser that supports 128-bit encryption before you can apply for a certificate. If you are not sure if your browser supports 128-bit encryption, please see "Getting Started" for instructions.
  • Netscape Navigator 4.0 and higher with 128-bit encryption
  • Netscape Communicator 4.0 and higher with 128-bit encryption
  • Microsoft Internet Explorer 5.0 and higher with 128-bit encryption

5. Who can apply for a State of Washington digital certificate?
Anyone with a 128-bit Web browser can apply for a State of Washington digital certificate.


6. How do I get a hardware token and what are the types available?
IdenTrust will offer two different hardware solutions that meet the requirements of the State of Washington PKI. You must select which type of hardware token you plan to use (SmartCard or USB token) and it will be shipped to you, along with the reader (if appropriate) and software drivers.

A smartcard is a credit card-sized hardware token that allows you to generate your key pair(s) and store them, as well as your certificate(s). Once generated onto a smartcard, your private key cannot be exported, providing a very high level of security. As long as you don't give away your smartcard (and the token passphrase associated with it), no one else can use it. The reader plugs into the serial port of any computer.

A USB token is a small hardware token that plugs into the USB port on your computer. It has the same characteristics as a smartcard with regard to generating and storing your private key(s) and certificate(s), but doesn't require a special reader. Most computers built in the last 2-3 years have a USB port on them. All USB tokens will be shipped with an extension cable.


7. Why should I get a State of Washington certificate?
A certificate provides an electronic means of proving your identity. It also provides you with a high level of security in your online transactions. You can use certificates to encrypt information so that only the intended recipient can read it, to identify yourself in electronic transactions, and to digitally sign information. A digital signature assures the recipient that a message has not been changed in transit and verifies your identity as the sender.


8. How long is a State of Washington digital certificate valid?
State of Washington Standard Roaming certificates are valid for one year from the date of issuance. State of Washington High, Intermediate and Standard (Non Roaming) certificates are valid for two years from the date of issuance. Within that period, you must renew your certificate or you'll have to go through the application process again. Check your certificate to see the specific expiration date. IdenTrust will send a notification to you, via email, warning you that your certificate will expire soon along with instructions on how to renew it.


9. What information will my certificate actually hold and display?
A certificate is an electronic document containing information stored in a standardized format (this standard format is known as X.509). This document is digitally signed by the private key of the issuing CA. The only personal information published in a State of Washington certificate is your name and your e-mail address. Your certificate also contains your public key, which is used by others to verify your identity when accessing a system (such as Transact Washington), to verify your digital signature, and to send secure messages to you. Other information contained in your certificate is the validity period, including the expiration date of your certificate, the name of the CA that issued your certificate (IdenTrust Inc.), and a unique identifier (a combination of letters, numbers and symbols appended to your name) used by systems such as Transact Washington to distinguish between people who may have the same name.
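
The signing and certificate binding described in answer 1, together with the certificate fields described in this answer, shown as an added example (not IdenTrust's code or issuance process). It uses the openssl command-line tool with a constructed demo CA, subscriber name and e-mail address, and keeps keys in a temporary directory rather than on a hardware token.

```shell
#!/bin/sh
# Added example. The CA name, subscriber name and e-mail are constructed.
# Requires the openssl command-line tool.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. Demo CA: a key pair plus a self-signed certificate relying parties trust.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/O=Example Demo CA" -days 30 2>/dev/null

# 2. Subscriber: generates a key pair; only the public key and the requested
#    identity go to the CA in the certificate request. user.key never leaves.
openssl req -new -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
    -subj "/CN=Pat Example/emailAddress=pat@example.com" 2>/dev/null

# 3. CA signs the request with its private key, binding identity to public key.
openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out user.crt -days 30 2>/dev/null

# 4. Subscriber signs a message with the private key.
printf 'Approve filing 1234\n' > msg.txt
openssl dgst -sha256 -sign user.key -out msg.sig msg.txt

# cert_fields: the identity, issuer and validity period held in the certificate.
cert_fields() {
    openssl x509 -in user.crt -noout -subject -issuer -dates
}

# verify_signed MESSAGE SIGNATURE: what a relying party does. First confirm the
# CA issued the certificate, then check the signature with the public key
# taken from that certificate. Returns 0 only if both checks pass.
verify_signed() {
    openssl verify -CAfile ca.crt user.crt >/dev/null 2>&1 || return 1
    openssl x509 -in user.crt -noout -pubkey > user.pub
    openssl dgst -sha256 -verify user.pub -signature "$2" "$1" >/dev/null 2>&1
}

cert_fields
verify_signed msg.txt msg.sig && echo "original message: signature valid"
printf 'Approve filing 9999\n' > altered.txt
verify_signed altered.txt msg.sig || echo "altered message: signature rejected"
```
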


10. How long does it take to get a State of Washington certificate?
A certificate takes three business days to be processed. Once approved, a Welcome Kit with instructions will be sent to the applicant along with the appropriate software or hardware equipment if necessary.

Your agency may also distribute software and/or hardware so please check with your agency personnel ahead of time.


11. Where can I find a notary to sign my application form?
Approved notaries are notaries that are licensed and affiliated with a financial institution or employed by your company.


12. Why do I need more than one passphrase?
You use one passphrase in activities you conduct on IdenTrust's website. All Subscribers will be required to select a passphrase during the certificate application process. This passphrase protects your certificate application. It allows you to retrieve your certificate and identify yourself to IdenTrust in case you should require assistance or encounter problems with your certificate.

You create a second passphrase to protect your private key in whichever storage mechanism you use. The private key storage mechanisms used for Intermediate and High Assurance Level Certificates (Smartcard, USB token) will require you to select a password that is stored only on your hardware device or computer. This password protects your private keys and certificates, preventing unauthorized use by others.

If you use a Standard Assurance Level Certificate, you will create a password in your Roaming Client software or in your browser. Your Roaming Client will always prompt you to enter your password before your Roaming Certificate and private key can be used. Your browser should be automatically configured to prompt you for your password whenever you use your browser certificate. If your browser certificate becomes accessible without prompting for a password, you should contact IdenTrust Customer Support immediately for assistance in resetting your password protection.

Keeping your key storage password secret is very important. As a certificate subscriber, you are legally obligated to protect your private key from use by others, which includes the obligation to prevent disclosure of your passphrase and your key storage password. They should never be disclosed to another person or written down in an open area.



13. What are the rules that my Roaming Password must follow?
The Roaming Password you create during certificate activation must comply with the following rules:
  • The password must be at least 8 characters in length
  • The password must contain at least one alphabetic character
  • The password must contain at least one numeric character
  • The password may contain special characters (for example, / * ! & >)

14. How do I reach the IdenTrust Help Desk?
Help Desk representatives are available to assist you with your questions Monday through Friday, 5 a.m. to 5 p.m. Pacific Time at 1-888-294-7831, or via e-mail at helpdesk@IdenTrust.com.


15. If I have a one year certificate, will I be able to renew to a two year certificate via Certificate Management Center (CMC), or will I have to reapply?
When your certificate is due for renewal, you will be renewing for a 2 year certificate. IdenTrust is handling the conversion on your behalf. You will simply need to renew the certificate.


16. If I have a one year certificate, what will the cost be when I renew that one year certificate?
This cost depends on the current certificate type. You will be presented with the new certificate cost during the renewal process. Additionally, you can preview the 2 year certificate costs by visiting our web site: www.identrust.com/wa/swa-support-apply3.html.



17. If I have a one year certificate and need to replace a certificate, will I get one year or two year certificate? What will it cost, if anything?
  1. If you have to replace your certificate prior to the current expiration date (or certificate life cycle), the replacement (or key recovery) will not extend past your current expiration date.
  2. Certificate replacements for signing certificates are no cost items, and are accomplished by visiting the Certificate Management Center. Please visit the certificate replacement "How-To" page by visiting: www.identrust.com/support/howto/ht_replace.html
  3. Certificate replacements for encryption certificates are called key recoveries. The cost for a key recovery is $20.00. Please visit the key recovery "How-To" page by visiting: www.identrust.com/support/howto/ht_key-recovery.html




© 2008 IdenTrust Inc. All Rights Reserved