1. Why do I need to protect my private key?
2. How does the way I store my certificate affect security?
3. What can I do to protect my Private Key?
1. Why do I need to protect my private key?
When you accepted the Subscriber Agreement during the certificate application process, you agreed to protect your private key and to revoke your certificate immediately if you know or suspect that the key has been compromised. Your digital certificate represents your identity in every transaction where you use your private key, so anyone who obtains the key can sign and authenticate as you. Protect it as you would protect other information that is vital to your identity, such as the PIN you use at an automated teller machine. You should also make a backup copy of your private key to protect yourself against loss through a hardware failure: if the hard drive on your computer fails and the private key is lost, you can no longer decrypt information that was encrypted to the public key in your certificate. A backup is a second copy of the key, so protect it with a password and keep it on media that is stored securely, not on the same computer.
2. How does the way I store my certificate affect security?
The State of Washington issues three types of personal certificates: High Assurance, Intermediate Assurance and Standard Assurance. You are able to use different storage mechanisms depending on which one you use.
High Assurance and Intermediate Assurance certificates can be securely stored using:
Standard Assurance certificates can be securely stored using:
- Roaming Client
- Web Browsers
Storing a certificate in a Web browser program such as Netscape or Internet Explorer is the lowest-security storage method. Anyone who can use your computer while you are away from it can potentially use your private key, and the key is lost if the computer fails or is stolen. Always protect a browser-stored certificate with a password, preferably an alphanumeric password of at least 8 characters, and if you get a new computer, export the certificate and then remove it from the old one.
With a Roaming Certificate, the private key is not stored on a particular computer. Instead, it is available only temporarily, during an online session set up by the Roaming Client. Your private key is split into two parts; each time you create a digital signature or authenticate to a secure website, the Roaming Client software combines the two parts to perform the operation. Between sessions the private key does not exist in a usable form on the client workstation, so the extra measures used to protect private keys stored in browsers or on hardware are not needed there. The key cannot be reassembled without the Roaming Password, which makes that password as sensitive as the key itself; while a session is open the key is in use on the workstation, so only use the Roaming Client on a computer you trust.
A smart card is an electronic device that looks like a standard credit card but stores data, including your certificate and private key. Smart cards offer enhanced security because you can remove the card from the reader and take the certificate with you when you leave your computer. Smart cards are also protected by a password (PIN), and they require a card reader to be installed on your computer.
USB tokens are electronic devices, small enough to attach to a key chain, that store digital certificates and their private keys. Several manufacturers make USB tokens, and from the user's point of view they all work the same way. Like smart cards, USB tokens offer enhanced security because you can remove the device from the USB port and take the certificate with you when you leave, and they are protected by a password. USB tokens require the token's driver software to be installed on your computer, and your computer must have a USB port. NOTE: If you are running Windows NT, you must also have installed Service Pack 4 or higher to use your USB token. Because Windows NT does not support USB natively, it may limit the number of USB devices it can operate, and installing the USB token drivers may disable other USB devices you have.
3. What can I do to protect my private key?
Certificate passwords protect the private key of your certificate while it is stored in your browser. When a password is enabled on a certificate, the browser requires you to enter the password every time you use it. Netscape password-protects stored certificates by default. If you use the Internet Explorer browser, you must enable certificate password protection manually.
You can enable password protection at the end of the certificate retrieval process. When retrieval is complete you will see a screen saying, "Your certificate information has been published to our directory. Thank you for choosing IdenTrust Inc." At this point your certificate is installed but not yet password protected. To password protect it, perform the following steps:
1. In Internet Explorer, click Tools, then Internet Options. The Internet Options screen appears.
2. Click the Content tab, then click the Certificates button in the Certificates section of the screen. The Certificates screen appears.
3. Click once on the certificate you want to password protect to highlight it, then click Export.
4. The Certificate Export Wizard window appears. Click Next.
5. Select Yes, export the private key, then click Next.
6. Clear all the check boxes and click Next.
7. Enter a certificate export password in both password fields, then click Next. This password is the only protection on the exported file, so choose a strong one.
8. Click Browse, navigate to your desktop, enter a filename for the exported certificate, then click Save.
9. Click Next, then click Finish. You should see the message "The export was successful". Click OK. The Certificates screen reappears.
10. Highlight the certificate you just exported and click Remove. When prompted to confirm that you want to delete the certificate, click Yes. The certificate is deleted and the Certificates screen reappears.
11. Click Import. The Certificate Import Wizard window appears. Click Next.
12. Click Browse, navigate to your desktop, select the file you just exported, click Open, then click Next.
13. Enter the certificate export password you chose earlier, select BOTH check boxes, then click Next.
14. Click Next twice, then click Finish. The Importing a New Private Exchange Key window appears. Click Set Security Level, select the High option, then click Next.
15. You are prompted for the password information you will use to access your certificate.
16. In the Password for: box, type a name that Internet Explorer will use when prompting for the password for this certificate. In the Password: and Confirm: boxes, enter the password that will protect your certificate. Click Finish.
17. Click OK. You should see the message "The import was successful".
Your certificate is now password protected. Every time you use it, you will be prompted for the password you chose at the end of the import. The exported file on your desktop still contains your private key, protected only by the export password: delete it, or move it to removable backup media that you store securely and use only for recovery.
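The same export, verify and remove flow that the wizard steps above perform by hand, and the password-protected backup that question 1 recommends, as an added example using OpenSSL from a POSIX shell. This is not code from the page or from IdenTrust; the key pair and self-signed certificate stand in for an issued certificate, and the password, scratch directory and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the page or from IdenTrust): back up a private key and
# certificate as a password-protected PKCS#12 (.pfx) file, verify the backup,
# then remove the plaintext copies. The key pair, certificate, password and
# paths are all constructed for this demonstration.
set -eu

WORK="${TMPDIR:-/tmp}/pfx-demo.$$"   # assumed scratch directory

# Stand-in for an issued certificate: a fresh RSA key plus a self-signed cert.
make_demo_identity() {
    mkdir -p "$WORK" && chmod 700 "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo Subscriber" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
    chmod 600 "$WORK/key.pem"
}

# Equivalent of "Yes, export the private key" with an export password:
# that password is the only thing protecting the key inside backup.pfx.
export_pfx() {   # $1 = export password
    openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
        -out "$WORK/backup.pfx" -passout "pass:$1"
    chmod 600 "$WORK/backup.pfx"
}

# Returns 0 only if the .pfx decrypts with the given password (the integrity
# MAC fails on a wrong password, so this also tells you the file is intact).
pfx_opens_with() {   # $1 = password
    openssl pkcs12 -in "$WORK/backup.pfx" -passin "pass:$1" \
        -nokeys >/dev/null 2>&1
}

# Returns 0 if the private key recovered from the .pfx belongs to the
# certificate: the public key derived from each side must be identical.
key_matches_cert() {   # $1 = password
    from_pfx=$(openssl pkcs12 -in "$WORK/backup.pfx" -passin "pass:$1" \
        -nocerts -nodes 2>/dev/null | openssl pkey -pubout 2>/dev/null)
    from_cert=$(openssl x509 -in "$WORK/cert.pem" -pubkey -noout)
    [ -n "$from_pfx" ] && [ "$from_pfx" = "$from_cert" ]
}

# Once the backup is verified and moved to offline media, remove the working
# copies so no unprotected key lingers on the desktop.
cleanup() {
    rm -f "$WORK/key.pem" "$WORK/cert.pem" "$WORK/backup.pfx"
    rmdir "$WORK" 2>/dev/null || true
}

# Walk-through, mirroring export -> verify -> remove.
make_demo_identity
export_pfx 'correct-horse-battery-9'
pfx_opens_with 'correct-horse-battery-9' || { echo "backup does not decrypt"; exit 1; }
if pfx_opens_with 'wrong-password'; then echo "wrong password accepted"; exit 1; fi
key_matches_cert 'correct-horse-battery-9' || { echo "key/cert mismatch"; exit 1; }
echo "backup verified: decrypts only with the export password and matches the certificate"
cleanup
```

The two checks are the ones worth doing on any key backup before you delete the original: that the file refuses the wrong password (so the export password really is enforced), and that the key inside it belongs to the certificate you think it does (so you are not keeping a backup of the wrong identity). Copy backup.pfx to removable media before the final cleanup step, and treat that media with the same care as the key itself.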