From time to time, IdenTrust will provide information that may interest you or have an impact on the certificate program you use. Check back often for interesting updates.
New S/MIME Standards Go Into Effect on September 1, 2023
IdenTrust Publicly TrustID Digital Certificates allow you to digitally sign your emails so the recipient knows for certain that the email came from you. When signing an email with the TrustID certificate, the content of the message is locked to prevent tampering during transit, which provides additional security and preserves the integrity of your message. For added protection, your TrustID certificate can also be used to exchange encrypted email messages.
The CA/Browser Forum (CA/B) adopted a ballot on January 1, 2023 to create the Baseline Requirements for the Issuance and Management of Publicly-Trusted S/MIME Certificates (Version 1.0.0). This document describes the technologies, protocols, identity-proofing, lifecycle management, and auditing requirements to be adhered to when issuing Publicly-Trusted S/MIME Certificates.
What does this mean for you?
Beginning September 1, 2023:
- Your current TrustID S/MIME certificate will not be affected.
- 3-year certificates will no longer be issued. Instead, IdenTrust is now offering both 1-year and 2-year certificates.
- Renewing your certificate will include a step to re-verify your email address.
- Automatic retrievals of renewed certificates will no longer be available.
IGC Device Subordinate CA Resign Announcement
IdenTrust will be issuing a new Subordinate CA (SubCA), "IGC Device CA 2", on October 17, 2022 in order to remain compliant with all Federal Public Key Infrastructure Policy Authority (FPKIPA) requirements. The new "IGC Device CA 2" will replace the current "IGC Device CA 1" SubCA.
The "IGC Device CA 1" SubCA has 2048-bit RSA keys and is valid until March 5, 2031. However, the FPKIPA requirement states that after December 31, 2030, all IGC SubCAs must have at least 3072-bit RSA keys. The new "IGC Device CA 2" SubCA will exceed this requirement and have 4096-bit RSA keys.
Current IGC Device certificate subscribers should not be impacted by this update. Beginning October 17, 2022, certificate replacements and certificate renewal requests will be automatically updated to the new "IGC Device CA 2" SubCA.
Microsoft's withdrawal of support for Internet Explorer 11
Microsoft® announced that it will no longer support Internet Explorer version 11 (IE 11) after June 15, 2022. This means that security patches and other updates from Microsoft will cease after that time, and in some versions of Windows, IE 11 may stop working. Here is the link to the Microsoft announcement.
Many IdenTrust customers have already stopped using IE 11 and use other IdenTrust supported browsers (Mozilla® Firefox, Google® Chrome, Microsoft Edge, Apple® Safari) and are not affected by this action.
However, if you still use IE 11, Microsoft Edge includes a feature called Internet Explorer Mode. Instructions for this can be found on this link.
IdenTrust DST Root CA X3 Expiration (September 2021)
Please be aware that the "IdenTrust DST Root CA X3" root, which expires on September 30, 2021, has been replaced with the self-signed "IdenTrust Commercial Root CA 1" root, which has also been trusted by the major browsers and root stores since January 16, 2014. You may download the IdenTrust Commercial Root CA 1 at this link: Root Certificate Download.
If you have appliances that are not dynamically updating the root trust chain, they need to be manually updated with the self-signed "IdenTrust Commercial Root CA 1", which can be downloaded at this link: Root Certificate Download.
Change to Federal Common Policy CA Root Certificate
Effective in April 2021, the Federal PKI will begin using a new Federal Common root CA certificate to replace the current root CA certificate, revoked on April 22, 2021. The currently active Federal Common root CA certificate is named Federal Common Policy CA, and it has been used to issue CA certificates that are allowable under various Federal PKI policies.
Although this certificate does not expire until December 2030, in order for the Federal PKI to continue to issue subordinate CA certificates that will have a validity period of more than 10 years, it is necessary for the Federal PKI to replace the original Federal Common Policy CA certificate, and issue a new Federal Common root CA certificate named Federal Common Policy CA G2, that will replace the Federal Common Policy CA certificate. The new certificate will not expire until October 2040, allowing the Federal PKI to continue issuing CA certificates with extended validity periods. IdenTrust will not need to reissue any CA certificate to support this change.
Please refer to
If you experience any issues or need assistance with this change, please contact IdenTrust Support.
Impacts of Big Sur and Monterey on Digital Certificate Retrieval and Usage
Apple’s recent major system update has substantially altered the Cryptographic Token software interface, which impacts the manner in which digital certificates stored in a hardware device will function. For this reason, if you have purchased or are using a hardware-based certificate, IdenTrust recommends that you delay upgrading to macOS 11.0 (Big Sur) and macOS 12.0 (Monterey), if at all possible.
The Big Sur and Monterey upgrades will affect the use of ActivClient, which is the software that is required to use and manage your HID hardware device and to access the certificate stored on the device. As such, only IdenTrust hardware-based certificates (HID USB tokens and Smart cards) are impacted when using Big Sur or Monterey.
You will be able to retrieve your certificate using any browser; however, when you test and use your certificate, it will only be compatible with Firefox. Unfortunately, due to the changes introduced with Big Sur, you will not be able to use your hardware-based certificate with Safari, Chrome or Apple Mail. You will also be prevented from using Adobe and Bluebeam.
Some of you may have already upgraded or purchased a new Mac that is running Big Sur. In this case, if you have purchased an IdenTrust certificate that is stored in an HID USB token or Smart card, we recommend that you install Firefox prior to installing the ActivClient software.
Please know we are working with HID to provide a new version of ActivClient that will be fully compatible with Big Sur and Monterey.
If you require additional assistance, please Submit a Question to our Support Staff.