From time to time, IdenTrust will provide information that may interest you or have an impact on the certificate program you use. Check back often for updates.
Impacts of Big Sur on Digital Certificate Retrieval and Usage
Apple’s recent major system update has substantially altered the Cryptographic Token software interface, which changes how digital certificates stored on a hardware device will function. For this reason, if you have purchased or are using a hardware-based certificate, IdenTrust recommends that you delay upgrading to macOS 11.0 (Big Sur) if at all possible.
The Big Sur upgrade will affect the use of ActivClient, which is the software that is required to use and manage your HID hardware device and to access the certificate stored on the device. As such, only IdenTrust hardware-based certificates (HID USB tokens and Smart cards) are impacted when using Big Sur.
You will be able to retrieve your certificate using any browser; however, when testing and using your certificate, it will only work with Firefox. Unfortunately, due to the changes introduced with Big Sur, you will not be able to use your hardware-based certificate with Safari, Chrome or Apple Mail.
Some of you may have already upgraded or purchased a new Mac that is running Big Sur. In this case, if you have purchased an IdenTrust certificate that is stored in an HID USB token or Smart card, we recommend that you install Firefox prior to installing the ActivClient software.
Please know we are working with HID to provide a new version of ActivClient that will be fully compatible with Big Sur.
If you require additional assistance, please contact IdenTrust Customer Support.
Final Decommission of GSA ACES Program
For over twenty years, IdenTrust acted as a primary provider of GSA ACES certificates that have been used to provide secure access to multiple online government agency applications.
As of July 31, 2020, based on a GSA mandate to decommission the ACES program, IdenTrust will terminate the issuance and support of all ACES certificates. The GSA has approved IdenTrust-issued IGC Federal Bridge Certified certificates and DoD ECA certificates to replace ACES certificates.
TLS/SSL: One Year Maximum Validity Period
Starting on September 1, 2020, TLS/SSL certificates cannot be issued for a validity period greater than 398 days (13 months). This change was first announced by Apple, and we anticipate that other major browser providers will follow suit. In order to comply with browser guidelines, effective August 14, 2020, IdenTrust will no longer accept applications for TLS/SSL certificates with a two-year validity period.
TLS/SSL Security Update
Following up on our 2017 Enhanced Security Notification, and in line with ecosystem security trends, effective June 14, 2020 IdenTrust will only accept communications to its systems via TLS 1.2 or higher, such as the recently approved TLS 1.3 protocol.
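The two requirements above, the 398-day validity cap and the TLS 1.2 minimum, can both be checked from a client's side. The following is an added example, not IdenTrust code: it builds a Python `ssl` client context that refuses anything below TLS 1.2 and measures a certificate's validity period from the `notBefore`/`notAfter` strings in the form that `ssl.SSLSocket.getpeercert()` returns. The two sample certificate dicts are constructed for the demonstration.

```python
import ssl

# Maximum validity for publicly trusted TLS/SSL certificates issued
# on or after September 1, 2020 (398 days, roughly 13 months).
MAX_VALIDITY_DAYS = 398


def make_client_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2.

    PROTOCOL_TLS_CLIENT already turns on hostname checking and certificate
    verification; the explicit minimum_version blocks TLS 1.0/1.1 even on
    builds where they would otherwise still be negotiable.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def validity_days(cert: dict) -> int:
    """Validity period in whole days from a getpeercert()-style dict.

    'notBefore'/'notAfter' use the "%b %d %H:%M:%S %Y GMT" form that
    getpeercert() returns; ssl.cert_time_to_seconds parses it without
    depending on the process locale.
    """
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return int(not_after - not_before) // 86400


def within_max_validity(cert: dict, max_days: int = MAX_VALIDITY_DAYS) -> bool:
    """True when the certificate's validity period does not exceed max_days."""
    return validity_days(cert) <= max_days


# Constructed sample certificates (only the fields the check needs).
ONE_YEAR_CERT = {"subject": ((("commonName", "example.test"),),),
                 "notBefore": "Sep  1 00:00:00 2020 GMT",
                 "notAfter": "Oct  4 00:00:00 2021 GMT"}   # 398 days
TWO_YEAR_CERT = {"subject": ((("commonName", "example.test"),),),
                 "notBefore": "Sep  1 00:00:00 2020 GMT",
                 "notAfter": "Sep  1 00:00:00 2022 GMT"}   # 730 days

if __name__ == "__main__":
    ctx = make_client_context()
    print("minimum TLS version:", ctx.minimum_version.name)
    for name, cert in (("one-year", ONE_YEAR_CERT), ("two-year", TWO_YEAR_CERT)):
        print(f"{name}: {validity_days(cert)} days, compliant={within_max_validity(cert)}")
```

In a live check, the dict passed to `validity_days` would come from `getpeercert()` on a socket wrapped with the context above.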
Please let us know via Support@IdenTrust.com if you have any concerns about the supported TLS/SSL communications protocols.
Browser's TLS/SSL Notifications:
TLS/SSL Certificates for U.S. Government Trust
The Federal PKI Policy Authority (FPKIPA) has communicated a change that affects the way that browsers handle TLS/SSL certificates. The FPKIPA has requested that the Federal Common Root be removed from all browsers. This means that government-trusted certificates issued under a Federal Common Root chain, such as those issued under the DoD ECA programs, are no longer automatically trusted in standard browsers (public-trust).
Learn more about the FPKIPA announcement and its recommendations regarding this change.
Learn more about the difference between government-trusted and publicly trusted TLS/SSL certificates.