From time to time, IdenTrust will provide information that may interest you or have an impact on the certificate program you use. Check back often for updates.
IdenTrust DST Root CA X3 Expiration (September 2021)
Please be aware that the "IdenTrust DST Root CA X3" root, which expires on 9/30/2021, has been replaced with the self-signed "IdenTrust Commercial Root CA 1" root, which has been trusted by the major browsers and root stores since 1/16/2014. You may download the IdenTrust Commercial Root CA 1 at this link: Root Certificate Download.
If you have appliances that do not update their root trust chain dynamically, they must be updated manually with the self-signed "IdenTrust Commercial Root CA 1", which can be downloaded at this link: Root Certificate Download.
Change to Federal Common Policy CA Root Certificate
Effective in April 2021, the Federal PKI will begin using a new Federal Common root CA certificate to replace the current root CA certificate, which is revoked on April 22, 2021. The currently active Federal Common root CA certificate is named Federal Common Policy CA, and it has been used to issue CA certificates that are allowable under various Federal PKI policies.
Although the current certificate does not expire until December 2030, the Federal PKI needs to continue issuing subordinate CA certificates with validity periods of more than 10 years. To do so it must replace the original Federal Common Policy CA certificate with a new Federal Common root CA certificate, named Federal Common Policy CA G2. The new certificate will not expire until October 2040, allowing the Federal PKI to continue issuing CA certificates with extended validity periods. IdenTrust will not need to reissue any CA certificate to support this change.
Please refer to
If you experience any issues or need assistance with this change, please contact IdenTrust Support.
Impacts of Big Sur on Digital Certificate Retrieval and Usage
This issue is now resolved
Apple’s recent major system update has substantially altered the Cryptographic Token software interface, which affects how digital certificates stored in a hardware device function. For this reason, if you have purchased or are using a hardware-based certificate, IdenTrust recommends that you delay upgrading to macOS 11.0 (Big Sur) if at all possible.
The Big Sur upgrade will affect the use of ActivClient, which is the software that is required to use and manage your HID hardware device and to access the certificate stored on the device. As such, only IdenTrust hardware-based certificates (HID USB tokens and Smart cards) are impacted when using Big Sur.
You will be able to retrieve your certificate using any browser; however, when testing and using your certificate, it will only be compatible with Firefox. Unfortunately, due to the changes introduced with Big Sur, you will not be able to use your hardware-based certificate with Safari, Chrome or Apple Mail.
Some of you may have already upgraded or purchased a new Mac that is running Big Sur. In this case, if you have purchased an IdenTrust certificate that is stored in an HID USB token or Smart card, we recommend that you install Firefox prior to installing the ActivClient software.
Please know we are working with HID to provide a new version of ActivClient that will be fully compatible with Big Sur.
If you require additional assistance, please contact IdenTrust Customer Support.
Final Decommission of GSA ACES Program
For over twenty years, IdenTrust acted as a primary provider of GSA ACES certificates that have been used to provide secure access to multiple online government agency applications.
As of July 31, 2020, based on a GSA mandate to decommission the ACES program, IdenTrust will terminate the issuance and support of all ACES certificates. The GSA has approved IdenTrust-issued IGC Federal Bridge Certified certificates and DoD ECA certificates to replace ACES certificates.
TLS/SSL: One Year Maximum Validity Period
Starting on September 1, 2020, TLS/SSL certificates cannot be issued with a validity period greater than 398 days (13 months). This change was first announced by Apple, and we anticipate that other major browser providers will follow suit. In order to comply with browser guidelines, effective August 14, 2020, IdenTrust will no longer accept applications for TLS/SSL certificates with a two-year validity period.
TLS/SSL Security Update
Following up on our 2017 Enhanced Security Notification, and in line with security trends across the ecosystem, effective June 14, 2020, IdenTrust will only accept communications to its systems via TLS 1.2 or higher, such as the recently approved TLS 1.3 standard protocol.
Please let us know via Support@IdenTrust.com if you have any concerns about the supported TLS/SSL communications protocols.
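As an added example (not IdenTrust code) of how a client-side check for the two policies above could look: a Python client context that refuses anything below TLS 1.2, and a check of a certificate's validity period against the 398-day cap that applies from September 1, 2020. The CA bundle path and the sample certificates are constructed for illustration.

```python
import ssl

# Policy values from the announcements (added example, not IdenTrust code):
# the 398-day cap applies to certificates issued on or after 2020-09-01,
# and TLS 1.2 is the minimum accepted protocol version.
MAX_VALIDITY_DAYS = 398
VALIDITY_CAP_START = ssl.cert_time_to_seconds("Sep  1 00:00:00 2020 GMT")
SECONDS_PER_DAY = 86400


def make_client_context(ca_bundle_path=None):
    """Client context that refuses anything below TLS 1.2.

    ca_bundle_path is an assumed, caller-supplied PEM bundle holding the
    replacement root (e.g. IdenTrust Commercial Root CA 1) for appliances
    whose trust store is not updated automatically.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_bundle_path:
        ctx.load_verify_locations(cafile=ca_bundle_path)
    return ctx


def validity_days(cert):
    """Lifetime in days of a certificate given in ssl.getpeercert() dict form."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return (not_after - not_before) / SECONDS_PER_DAY


def check_validity_policy(cert):
    """Return (compliant, reason) for the 398-day maximum validity rule."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    days = validity_days(cert)
    if not_before < VALIDITY_CAP_START:
        return True, "issued before 2020-09-01; cap does not apply"
    if days > MAX_VALIDITY_DAYS:
        return False, f"validity {days:.0f} days exceeds {MAX_VALIDITY_DAYS}"
    return True, f"validity {days:.0f} days within cap"


# Constructed sample certificates in getpeercert() dict form; not real certs.
TWO_YEAR_CERT = {"notBefore": "Oct  1 00:00:00 2020 GMT",
                 "notAfter": "Oct  1 00:00:00 2022 GMT"}
ONE_YEAR_CERT = {"notBefore": "Oct  1 00:00:00 2020 GMT",
                 "notAfter": "Oct 31 00:00:00 2021 GMT"}
LEGACY_CERT = {"notBefore": "Aug  1 00:00:00 2020 GMT",
               "notAfter": "Aug  1 00:00:00 2022 GMT"}

if __name__ == "__main__":
    for name, cert in [("two-year", TWO_YEAR_CERT), ("one-year", ONE_YEAR_CERT),
                       ("legacy", LEGACY_CERT)]:
        print(name, check_validity_policy(cert))
```

To apply the check to a live endpoint, wrap a socket with `make_client_context()` and pass the result of `getpeercert()` to `check_validity_policy`.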
Browser's TLS/SSL Notifications:
TLS/SSL Certificates for U.S. Government Trust
The Federal PKI Policy Authority (FPKIPA) has communicated a change that affects the way browsers handle TLS/SSL certificates. The FPKIPA has requested that the Federal Common Root be removed from all browsers. This means that government-trusted certificates issued under a Federal Common Root chain, such as those issued under the DoD ECA programs, are no longer automatically trusted in standard browsers (public trust).
Learn more about the FPKIPA announcement and recommendations regarding this change.
Learn more about the difference between government-trusted and public-trusted TLS/SSL certificates.