
Learn

What browsers are compatible with my certificate?

Browser compatibility will depend on the type of certificate you are using. 

 

Browser Compatibility Matrix by Digital Certificate Type

 

 

What do I need to do before I apply for my certificate? 

A digital certificate is a form of ID, just like a Driver’s License or Passport. We need to verify your identity before we can approve your application and issue your certificate. 

 

Here is a list of what you will need to provide: 


  • An official Photo ID: Driver’s license or State ID Card
  • A Credit Card: In your name for address verification (not necessarily for payment)
  • Personal Information: Your FULL name (no nicknames or abbreviations), home address, and Social Security Number
  • Payment Information: Credit Card number or Payment Voucher number

 

If you are requesting a certificate that asserts affiliation with an organization, you will also need to submit forms that demonstrate that your organization is authorizing you to obtain a certificate that includes the organization name.

What information will my digital certificate actually display?

Your digital certificate will display several pieces of information:

 

  •  It will be signed by the private key of the issuing CA
  •  Unique identifier (distinguished name) of the certificate issuer
  •  Period of time for which certificate is valid (validity period)
  •  Unique identifier (distinguished name) of the certified subject
  •  Public key of the certified subject
  •  The issuer's signature

Different certificate types may also contain items such as:

 

  •  Email address
  •  Company name

 

Please note that the certificate will NEVER contain or display your personal information. The information that we collect during the application process is only used to validate your identity. 

 

You can also view your certificate in your browser.  The following is an example of what your certificate looks like in Internet Explorer:

 

View Certificate in Internet Explorer

What is the difference between an account password and a certificate password?

Account Password

 

The Account Password is created by you when the application is filled out online. This password is required to download your certificate and to access your account via the Certificate Management Center (CMC).

 

Within the CMC you can:

 

  • Revoke your certificate
  • Replace your certificate
  • Renew your certificate
  • Update your account information
  • Update Account Password & security questions

 

The rules for creating your Account Password are:

 

  • Account Password must be between 8-30 characters in length
  • It can consist of letters, numbers and some special characters
  • Cannot contain ( ) \ / " *.
  • The Account Password is case sensitive (UPPER & lower case)


Certificate Password

 

The Certificate Password is created to protect the use of the certificate. Depending on the assurance level of your certificate, when your certificate is downloaded to your machine you may be prompted to create the private key password. This is referred to as the Certificate Password.

 

The Certificate Password is used each time the certificate is accessed:

 

  • Signing emails
  • Signing documents (Adobe, Word, Excel, etc.)
  • Accessing a secure website

 

When creating your Certificate Password we recommend you use the following guidelines:

 

  • Between 8-30 characters
  • At least 1 lower case letter
  • At least 1 upper case letter
  • At least 1 special character
  • Create a Certificate Password that is not easily guessed, but something that you will not forget

Who can use or have access to my digital certificate?

Your private key (which is sometimes password protected in your web browser) is literally the key that opens your digital certificate.  It allows you to digitally sign documents and decrypt information that was only meant for you.  You should safeguard your private key just as you would any other form of identification. Just as you would not allow someone else to sign your name to something, or to use your social security number, you would not allow others to use your digital certificate.

Will my personal information be shared or sold to a third party?

IdenTrust holds applicants' personal information in the strictest confidence. In compliance with the Gramm-Leach-Bliley Act of 1999 (GLBA), we do not share personal information with outside third parties. 

Why do I need a digital certificate?

A digital certificate provides an electronic means of proving your identity in order to securely conduct business online. You can use certificates to: 

 

  1. Encrypt information so that only the intended recipient can read it;
  2. Identify yourself in electronic transactions; 
  3. Digitally sign information to provide assurance to the recipient that it has not been changed in transit; and 
  4. Verify that you actually sent the transmission. 
     

Our Certificate Selection Wizard will assist you in choosing the best certificate to meet your needs.

 

There are three general types of digital certificates--Personal, Business, and Server Certificates:

  • Personal certificates authenticate an individual and are used to digitally sign and encrypt electronic documents.
  • Business certificates authenticate the individual to be an employee of a business and are also used to digitally sign and encrypt electronic documents.
  • Server or TLS/SSL certificates are issued for Web servers and are used to authenticate servers to Web browsers. This is used to protect information such as credit card numbers and account information on the Web.

 

The type of certificate may also dictate whether or not the certificate is stored in software or a hardware device, such as a Smart card or USB token.

 

See our document Using the IdenTrust Certificate Selection Wizard for more information about choosing your certificate.

Choose

Which is better, a smart card or a USB token?

IdenTrust has selected smart card and USB devices that are FIPS 140 level 2 and comply with the security requirements outlined in the ECA Certificate Policy. Both devices provide 32KB of memory, which exceeds your storage needs for ECA certificates. The two devices are comparable, and you can use either one without any concerns.

 

To make your final decision, you should consider other factors such as portability and your level of comfort using either technology.  

Apply

Can I use a notary to comply with the in-person identity verification requirement?

Yes, you can use a Notary Public to comply with the in-person verification requirement. However, verification by a Notary is valid ONLY for ECA Medium Assurance certificates.  If you need to obtain an ECA Medium Hardware Assurance certificate, you must contact a Trusted Correspondent within your organization or an IdenTrust Registrar (RA Operator or Trusted Correspondent).  

 

Refer to our datasheet Who Can Sign the Part 2 Form for ECA certificates.

How do I schedule an identity verification session with a Trusted Correspondent?

If you require the ECA Hardware Assurance certificate, you can schedule an in-person identification session with one of our Trusted Correspondents. To do so, please call our Helpdesk at (888) 882-1104. 

How long does it take to get a certificate?

Generally, certificate processing takes 3-5 business days after your application is submitted and/or your required paperwork is received.  If IdenTrust requires additional information during the validation phase, the process may take longer.

How many citizenships can I include in my application?

You can include multiple citizenships in your application. The citizenships you include will be used by IdenTrust to issue your certificate and Relying Parties will use the citizenship information within the certificate to establish your access to their applications. IdenTrust has designed its registration processes to easily accept up to three citizenships.

 

If you need to include more than three citizenships please contact the IdenTrust Registration Desk directly at 1 (888) 882-1104 or 1 (801) 384-3479 from outside of the U.S.

 

I ordered the ECA Medium Hardware certificate – why can’t I go to a notary?

The certificate policy requires that applicants for Medium Hardware Assurance certificates have their identity validated by a Trusted Correspondent, approved by IdenTrust or the DoD. A notary’s review does not sufficiently meet this requirement.

I am applying for an ECA foreign certificate – how do I find an ADE in my area?

Unfortunately, IdenTrust is unable to publish this information, which is managed by a government agency. However, please contact our Helpdesk at (888) 882-1104 for further assistance in identifying an ADE.

What if I made a mistake during the online registration?

To maintain the integrity of the information provided to IdenTrust, we are unable to make any alterations to the details entered during the online registration process.  If you do find a mistake that must be corrected, please cancel the application and submit a new application for processing. New paperwork (if required for the certificate type) must match the details of the new application you submit.

 

You may contact our Helpdesk at 1 (888) 248-4447 to request the application be cancelled. 

Can I visit a U.S. Consulate in-person to comply with the identity verification requirement?

Yes.  For ECA foreign certificate applications, U.S. citizens may apply for a digital certificate while in any country with a U.S. Consulate. Upon completion of the online application, identity forms must be signed in the presence of a U.S. Consular Officer who is authorized to provide notarial services. Alternatively, U.S. citizens may apply for a digital certificate in a country where an Authorized DoD Employee (ADE) has been established, or where the citizen has access to a Judge Advocate General (JAG).

 

Citizens of Australia, Canada, New Zealand or the United Kingdom, while in any of these four countries, may apply for a digital certificate by completing the online application and retrieving the identity forms. Identity forms must be signed in the presence of a U.S. Consular Officer who is authorized to provide notarial services. Alternatively, citizens of these four countries may apply for a digital certificate in a country where an Authorized DoD Employee (ADE) has been established.

 

Citizens of other countries must have their identity forms signed in the presence of an Authorized DoD Employee (ADE). If you do not already have an ADE, one will need to be established before you apply. Please contact the IdenTrust Help Desk for instructions on setting up an Authorized Individual by calling 1 (801) 384-3474 or by email to helpdesk@identrust.com.

 

Refer to our DoD ECA Foreign Countries List for additional information.
  

Can my organization pay with a purchase order?

Yes. After you have submitted a purchase order, IdenTrust will provide Voucher Numbers that you can distribute to applicant(s).  These vouchers are used during the application process as the method of payment.

 

The purchase order number process requires that you also submit a completed voucher form.

 

 

Purchase order requests under $500 cannot be accepted.

 

Please fax purchase orders for digital certificates and/or hardware to 1 (801) 384-3610.

What is a voucher number?

A voucher is an alphanumeric sequence that is provided by IdenTrust as an alternative payment method to a credit card. You will provide the voucher number during the online registration as a method of payment.


You can obtain a voucher number from IdenTrust using a purchase order or paying with a credit card.

 

  Purchase ECA Vouchers

  Purchase IGC for EPCS Vouchers

  Purchase IGC for Digital Signing and Sealing Vouchers

  Purchase TrustID Vouchers

Where do I find a Trusted Correspondent?

Your Organization might have a Trusted Correspondent and the person who requested that you obtain an ECA Program certificate will know the contact information for that person. If you do not have the means to obtain this information, contact IdenTrust for further details at 1 (888) 882-1104.

Additionally, IdenTrust has made available Trusted Correspondents in Miami (FL) and San Francisco (CA). You can contact IdenTrust to set up an appointment.  

Why do I have to prove my citizenship?

Citizenship is used as part of the criteria for authorizing restricted access to online applications that are hosted by  ECA Relying Parties. The ECA Program is governed by a Certificate Policy requiring that all applicants provide proof of their citizenship in order to be issued an ECA certificate.  

Why would I need to purchase an ECA Medium Hardware certificate instead of a lower assurance certificate?

Most applications require only a Medium Assurance or Medium Token Assurance certificate. There are only a handful of agencies that require the higher assurance Medium Hardware certificate.  Our Certificate Selection Wizard will guide you through the process of selecting the correct assurance level that is required by the agency or agencies with which you will be interacting.   

 

To confirm what certificate type you need, we suggest you select DoD ECA Programs from the Certificate drop down menu which will allow you to initiate the Certificate Selection Wizard.

 

  • Choose the BUY NOW button. 
  • From here, the Certificate Selection Wizard will prompt you to select the agency or agencies that you work with. 
  • Then choose NEXT
  • Step through the wizard and you will be presented with the certificate options that are accepted by the agency or agencies you have selected. 
  • Rarely will you only have an option to select a Medium Hardware Assurance certificate. 
  • Complete the wizard process and purchase your DoD ECA certificate

 

If your relying party does require a Medium Hardware Assurance certificate, you will need to meet with a Trusted Correspondent who will perform the in-person verification process. You can schedule an in-person identification session with one of our Trusted Correspondents by contacting our Helpdesk at 1 (888) 882-1104.

How do I prove my citizenship in conjunction with applying for an ECA certificate?

According to the ECA Program policy, an applicant can prove his or her citizenship using a valid passport issued by the country of citizenship. You should bring your passport to the in-person identity verification appointment. Either the Trusted Correspondent, the Notary Public, the U.S. consul or an authorized IdenTrust employee will verify your citizenship using your passport.  

 

The ECA program Certificate Policy (CP) and IdenTrust Certification Practice Statement (CPS) require that citizenship be proved based on a valid passport. If you are a citizen of a non-U.S. country and you do not have a passport, you are not eligible to obtain a certificate under the ECA Program. However, if you are a citizen of the United States, you can also prove your citizenship based on the following documents:

 

  1. Birth Certificate. Certified birth certificate issued by the city, county, or state of birth, in accordance with applicable local law. A certified birth certificate has a registrar's raised, embossed, impressed or multicolored seal, registrar’s signature, and the date the certificate was filed with the registrar's office, which must be within 1 year of birth. A delayed birth certificate, filed more than one year after birth, is acceptable if it lists the documentation used to create it and is signed by the attending physician or midwife, or lists an affidavit signed by the parents, or shows early public records. 
  2. Naturalization Certificate. A Naturalization Certificate is a document issued by the U.S. Citizenship and Immigration Service (USCIS) since October 1, 1991, and the Federal Courts or certain State Courts on or before September 30, 1991, as proof of a person obtaining U.S. citizenship through naturalization. 
  3. Certificate of Citizenship. A Certificate of Citizenship is a document issued by the U.S. Citizenship and Immigration Service (USCIS) as proof of a person having obtained U.S. citizenship through derivation or acquisition at birth (when born outside of the United States). 
  4. FS-240 - Consular Report 
  5. DS-1350 - Certification of Report of Birth 
     

I do not have a passport, what can I do to prove my citizenship?

The ECA program Certificate Policy (CP) and IdenTrust Certification Practice Statement (CPS) require that citizenship be proved based on a valid passport. If you are a citizen of a non-U.S. country and you do not have a passport, you are not eligible to obtain a certificate under the ECA Program. However, if you are a citizen of the United States, you can also prove your citizenship based on the following documents:

 

  1. Birth Certificate. Certified birth certificate issued by the city, county, or state of birth, in accordance with applicable local law. A certified birth certificate has a registrar's raised, embossed, impressed or multicolored seal, registrar’s signature, and the date the certificate was filed with the registrar's office, which must be within 1 year of birth. A delayed birth certificate, filed more than one year after birth, is acceptable if it lists the documentation used to create it and is signed by the attending physician or midwife, or lists an affidavit signed by the parents, or shows early public records. 
  2. Naturalization Certificate. A Naturalization Certificate is a document issued by the U.S. Citizenship and Immigration Service (USCIS) since October 1, 1991, and the Federal Courts or certain State Courts on or before September 30, 1991, as proof of a person obtaining U.S. citizenship through naturalization. 
  3. Certificate of Citizenship. A Certificate of Citizenship is a document issued by the U.S. Citizenship and Immigration Service (USCIS) as proof of a person having obtained U.S. citizenship through derivation or acquisition at birth (when born outside of the United States). 
  4. FS-240 - Consular Report 
  5. DS-1350 - Certification of Report of Birth 
     

How long will it take to process my application?

Most applications are completed within 3-5 business days after receiving any required paperwork. If paperwork is not required, then allow 3-5 business days from application submission for processing.

I need multiple certificates.  Can I apply and get them all at once?

Unfortunately not.  Digital certificates are for a specific person, and it is highly unusual to get multiple certificates for the same person.  Each certificate must be applied for individually by the person who needs it.  However, if you would like to purchase quantities of five (5) or more, certain certificate types may offer a "bulkload" process that is able to submit all applications at once. If you need this many certificates, please Contact Us for additional information.



When applying for a certificate, our Certificate Selection Wizard will assist you in choosing the best certificate to meet your needs.

I received an email asking for a copy of my driver’s license, social security card and/or birth certificate – why is this needed?

When IdenTrust is verifying your identity, certain ID information is required such as the driver's license, social security card, or other details. If we are unable to verify those details, you will be asked via email to submit notarized documentation supporting what is listed on your application. Without this information, we cannot approve your certificate application.

 

Please have a copy of the document(s) notarized and mail to: 

 

 IdenTrust Registration
 5225 Wiley Post Way, Ste 450
 Salt Lake City, UT 84116 

I went to the notary and sent you the forms - why do I need to send in a copy of my ID(s)?

Sometimes the required ID fields are missing details, such as the legal name, issue/expire date or document title. A copy of your ID is needed to confirm the missing details and to authenticate your identity.  If the details cannot be authenticated, a new Part 2 form will be requested.



If the serial/unique number is missing from the field, a new Part 2 form must be completed and sent in for processing. The original or notarized copy of the original document(s) should be sent to:



 IdenTrust Registration
 5225 Wiley Post Way, Ste 450
 Salt Lake City, UT 84116 

If you aren’t able to verify my home address or evening phone number, what documents do you need me to provide?

Address and phone verification are a necessary part of the identity verification required to obtain a digital certificate. If you receive an email requesting documentation, be sure to send either the original, or a notarized copy of the document.



Accepted documents are:

 

  • Driver's license or state ID
  • Utility bill dated in the last 30 days
  • Phone bill dated in the last 30 days
  • Rental agreement
  • Other documents can be reviewed on a case by case basis.


Please mail the original or notarized copy of the confirming document to:


 IdenTrust Registration
 5225 Wiley Post Way, Ste 450
 Salt Lake City, UT 84116


Please contact Registration@IdenTrust.com for more information on the document you would like to submit. 

What do I do if something was missing from my forms?

Part 1:

 

Forms sent to IdenTrust are sometimes missing required information such as the organization officer’s signature, title, email and/or phone number, as well as the date it was signed. It’s also possible the form does not show the organization name and/or address that was listed on the online application.

 

If information is missing, you will receive an email outlining what was missing on the form, as well as a copy of a blank Part 1 form.

 

Part 2:

 

Forms require a number of fields to be filled out, some of which sometimes get missed. The most commonly missed fields are the signatures of the applicant and/or notary, specific details about the IDs presented for verification, and the email address, which is either missing or does not match the one listed on the application. There can be other errors with the form as well.

 

If information is missing, you will receive an email outlining what was missing on the form, as well as a copy of a blank Part 2 form.

 

Please send the complete, original form(s) to: 

 

 IdenTrust Registration
 5225 Wiley Post Way, Ste 450
 Salt Lake City, UT 84116

What forms of ID should I present for verification?

The certificate policy requires certain forms of ID be provided at the time of in-person identification with the notary, Trusted Correspondent or ADE. Please be certain that all fields in your application form are completed to avoid delays in the approval process.

 

View our pdf document Identity Verification Requirements DoD ECA Certificate Policy for detailed instructions.

 

View our pdf document Identity Verification Who Can Sign the Part 2: In-Person Identification Form DoD ECA Certificate Policy for detailed instructions.

What happens after I submit my application for an ECA certificate?

Once you hit ‘submit’, there are a few things that you need to do before IdenTrust can process the application:


1.  Please verify your email.

An email from Helpdesk@IdenTrust.com will be sent to the email address you listed in your application asking you to verify your email address. This email contains a unique verification code which you will use in addition to your account password to verify the email address. This verification is only done electronically. Please check your inbox, junk and spam folders to locate the email.

 

2.  Complete your forms packet.

You were directed to print a copy of the forms packet at the end of your online registration. Complete both the Part 1 and Part 2 forms, following the instructions listed on the 2nd page of the packet.

 

3.  Send the completed form to:


   IdenTrust Registration
   5225 Wiley Post Way, Ste 450
   Salt Lake City, UT 84116

If you no longer have your forms packet available, you can find the appropriate packet in our ECA Document Library.

 

4.  IdenTrust reviews your application.

Once IdenTrust receives the completed forms packet, it will be reviewed and authenticated for accuracy. IdenTrust will validate your association with the organization listed on your application and will verify the details included on the application, as well as on the forms. Since this is a legal form of ID, the process may take 3-5 business days on average to be approved. 


After these validation steps have been completed, your certificate request will be approved. An activation kit will be sent to you, including the approval letter and any applicable hardware ordered. Unless you requested expedited shipping during the online registration, the kit will be sent via standard mail (for letters) or FedEx Ground (for hardware orders). Please allow 5-7 days for delivery of your kit.


5.  Retrieve your certificate.

After you receive your activation kit, please complete the steps outlined in the approval letter to retrieve your certificate. 

What if my personal information changes after my certificate application is approved?

Once your application has been approved, the information cannot be updated in your certificate.  However, certain information provided during your initial application can be updated via our Certificate Management Center.  Some information can be updated immediately, while other information will have to wait for the renewal process. Some changes will require that you submit a new certificate application.  A few examples of changes include:

 

My mailing address has changed.

You can update the mailing address on your account at any time through the Certificate Management Center.

  1. In the section titled 'Manage Your Account Information', select 'View/Update Account Information'.
  2. Make the needed changes and select 'Finish'.

 

My headquarters address has changed, or my company's name has changed.

Unfortunately, you are unable to make changes regarding your organization name and/or address.  A new application will have to be submitted with the new organization information.

If you use the certificate to gain access to a federal or state agency, you may have to re-register with the new company information prior to being able to use the new certificate. Please contact the appropriate agency for further clarification.


My email address has changed. 

You will have the option to change the email address associated with your certificate during the renewal process. It cannot be changed prior to a renewal.

 

My name has changed.

You will be asked to confirm your name during the renewal process, at which time you can update to your current legal name.  You may be asked to send in proof of the name change if our Registration Department is unable to verify it.

  • Marriage Certificate
  • Divorce Decree (1st, last and page showing the name change)
  • Other court-issued documentation

 

If you require a certificate with your new name, you will need to purchase a new certificate.
 

You may access your account through the Certificate Management Center by logging in with your certificate. 

What is the process to obtain a digital certificate?

The application process for a digital certificate is generally a 4-step process.

1.  Apply for Your Certificate

  • Use the My Buying Community menu or the Certificates menu to select the category that is most comparable to your situation.  Here you can learn more about the types of certificates that are offered under these programs. 
  • Once you are ready to initiate a purchase, you can select any BUY button to launch our Certificate Selection Wizard.  The wizard will assist you in selecting the certificate that is appropriate to your situation. 
  • Verify your selections in your "shopping cart" and submit using the BUY NOW button.
  • You will be directed to the "checkout" process where you will provide your personal information and provide payment information.

Note: You will also be asked to enter a Password when you apply. Please record this Password and store it in a safe place. You will need this Password to retrieve your digital certificate.

Notary Form: In addition to the online application, some certificate applications require that you complete a notary form and submit it to IdenTrust.  If required, the form will be provided for you to download at the end of the online application process.

2.  Wait for Processing

Wait for approval - typically 3-5 business days to approve your application.  If forms are required, the timeline starts after your forms are received.

3.  Receive Your Approval Notification

Once approved, you will receive notification from IdenTrust.  The method will vary based on the type of certificate you have purchased:

  • Notification for some lower assurance certificates may be provided via email.
  • Notification for higher assurance certificates will be provided via an IdenTrust Welcome Letter - please allow up to five (5) days for the letter to arrive in the mail.
  • In cases where you have purchased a hardware device for certificate storage, such as a Smart Card, USB or OTP Token, then you will also receive a kit containing the purchased hardware and software.

4.  Retrieve Your Certificate

Follow the instructions in the approval notification, which will include:

  • Retrieval and installation of your certificate via the secure IdenTrust website.
  • Installation of storage hardware and software, if applicable.
  • Testing your certificate.

Are there specific deadlines associated with applying for and retrieving a certificate?

Your initial application will remain open for 45 days, which will give you time to complete your forms packet and send the original, valid forms to IdenTrust for processing. After 45 days have elapsed without usable paperwork being submitted, the application will close and you will need to complete a new application.
 

In the case of IGC and ECA certificates, as soon as the notary / Trusted Correspondent / ADE (depending on the certificate you apply for) signs the Part 2 form verifying your ID documents, a 30-day countdown begins. This means that you have 30 days from that date to send in your forms, be approved for the certificate and retrieve the certificate. This is a requirement of the certificate policy and, as such, once the 30-day window has passed, a new application and forms packet will need to be completed.
 

Once an application has closed, it cannot be reopened.

What paperwork do I need to submit for my certificate application?

You may select the appropriate required forms packet in our Document Library.

 


Please be sure to select the correct forms packet. If you are unsure, please contact our Helpdesk at Helpdesk@IdenTrust.com for assistance.

As required by the governing certificate policy, you may be asked to provide additional documentation needed to process your application. If necessary, this additional document request will be sent via email. Please read the full email to identify what document is being requested and follow the steps outlined to provide requested documentation.
 

Why can’t I email or fax the forms packet?

The certificate policy requires the confirmation of identity be signed with a handwritten signature.

 

  • The organization officer's signature on the Part 1 form must be original and dated.
  • The signatures (both yours and the notary's) must also be original.


IdenTrust must receive the original wet-ink signature to confirm the signatures are original and not a stamp or photocopy.
 

We advise making a photocopy of the forms for your records, but the original, wet signature (pen to paper) forms must be submitted for processing.  Please send the signed, original forms to:

 IdenTrust Registration
 5225 Wiley Post Way, Ste 450
 Salt Lake City, UT 84116
 

Why can't I apply for an ACES certificate?

The General Services Administration (GSA) has announced the discontinuation of the Access Certificates for Electronic Services program. Based on this announcement, IdenTrust can no longer issue ACES certificates; however, we will continue to support all outstanding ACES certificates until they expire between now and 2020. If needed, you will be allowed to replace your existing ACES certificate via our Certificate Management Center, but you will not be able to renew your ACES certificate prior to expiration.

 

IdenTrust has worked with the GSA to gain approval to issue Federal Bridge Certified IdenTrust Global Common (IGC) certificates and DoD ECA certificates to replace your expiring ACES certificate.  Use the following guidelines to choose your new IdenTrust certificate:

 

For Digital Signing and Sealing:

If you are using your certificate to digitally sign and/or seal documents that are submitted to state and/or local government agencies (such as Departments of Transportation or eNotary services), use our Digital Signing & Sealing Certificate Selection Wizard to assist you in choosing an IGC certificate.

 

For State and Local Government Agencies

If you are affiliated with a State or Local government agency that is using certificates for digital signing, sealing or access to secure government websites, use our State and Local Government Agencies Certificate Selection Wizard to assist you in choosing an IGC certificate.

 

For Federal Agencies

If you are using your certificate to access U.S. federal government websites, you can use either DoD ECA or IdenTrust IGC certificates.  Use our DoD ECA Certificate Selection Wizard where you can select the agency/agencies that you interact with and our wizard will offer you the DoD and IGC certificate(s) that are accepted by the agency/agencies you have chosen.

 

If you have further questions about the ACES transition, please feel free to Contact Us for assistance.

Who do I contact to purchase Order Numbers for certificate applicants?

Order Numbers are pre-purchased and can be used for initial certificate issuance or for certificate renewal. Use these procedures to obtain Order Numbers:

 

1.  Prepare a Purchase Order (PO) form and include the following information:

 

  • Purchase Order number
  • Organization name
  • Billing address (including city, state/province and postal code)
  • Billing contact name
  • Billing contact phone number
  • Billing contact email address
  • Signature of authorized individual
  • Number of certificates
  • Type of certificates
  • Total dollar amount of Purchase Order
  • Expiration date of Purchase Order (if any)
  • Any optional instruction

 

2.  Fax the Purchase Order (PO) to IdenTrust at 1 (801) 384-3610.

 

3.  Wait for IdenTrust to contact you.

 

After IdenTrust has processed and approved your Purchase Order, we will email you the IdenTrust Order Number(s) and instructions for using your Order Number(s) to apply for or renew digital certificates.

Retrieve

How do I install my server certificate?

Installation instructions will vary depending on the OS that is used. Please visit our How Do I library for detailed instructions for installing your server certificate and the associated root chain.

Use

How do I protect my identity as a certificate holder? 

The best way to protect your identity, as a certificate holder, is to ensure that only you are using your digital certificate. Allowing others to use your certificate through sharing your password, Smart card or USB token password, or your private key weakens the security of the system and presents a security danger to you. A digital certificate is a credential, just like a driver's license or passport, which you would not allow others to share. Certificate holders found to have shared this confidential information will be notified that their certificates are subject to revocation.

How do I reach the IdenTrust Help Desk? 

The IdenTrust Customer Support team is available to assist certificate subscribers in applying, retrieving and managing their certificates. Visit our Contact Us page for more details about how to reach us and the hours that our team is available.

Should I protect my certificate with a password?

Yes, your certificate is stored along with the private key in your cryptographic module: your browser, your smart card or USB token.

According to the ECA Certificate Policy and the Subscriber Agreement you accepted, it is your obligation to protect the private key with reasonable security, including a password. The password should be FIPS 112 compliant.

You can also search for FIPS112 to learn more about this topic.  

What happens if I forget my CryptoAPI Private Key (certificate) password?

IdenTrust never has access to your CryptoAPI Private Key (certificate) password, so we are unable to help you retrieve it if it is lost or forgotten. If you forget this password, you will not be able to use your current certificate and will need to replace it. This process will take approximately 3-5 business days, and will be done without charge to you.

 

For more information about replacing a certificate, please see our How Do I library for instructions to replace your certificate.

What happens if I forget my Master Password?

 

The Master Password or certificate password is the password that protects your certificate. IdenTrust never has access to your master/certificate password, so we are unable to help you retrieve this password if it is lost or forgotten. If you forget this password, you will not be able to use your current certificate (if it is password protected) and will need to replace your certificate. This process will take approximately 3-5 business days, and will be done without charge to you.

For more information about replacing a certificate, please see our How Do I library.

What if I bought the wrong type of certificate? 

If you have used the IdenTrust Certificate Selection to make your buying decision, it is unlikely that you have purchased the wrong type of certificate; however, if you have concerns about this, please feel free to contact our Customer Support team and they can help to assess the product you have selected. Please have your IdenTrust Account Number readily available when you call. View our Contact Us page to see our Customer Support hours and phone numbers.

What is a passcode or passphrase?

This is the security code that you create when you retrieve your hardware-based certificate. We recommend that the passcode or passphrase be at least 6 characters in length, and it may be as long as 20 characters. It can consist of letters, numbers, and/or special characters.

 

The passphrase is case-sensitive (UPPER CASE and lower case letters are not the same thing). You will use this passcode or passphrase each time you access the certificate on your smart card or USB token.

What is the Master Password?

The master or certificate password is the password that you created during the retrieval process.  The certificate password is used to protect your certificate and is requested when you use or back up your certificate.  This password should be at least 6 characters in length, and can be as long as 20 characters. It can consist of letters, numbers, and special characters. The certificate password is case-sensitive (be aware that UPPER CASE and lower case letters are not the same thing).  The certificate password is created and stored in the browser on your computer, so IdenTrust does not store or have access to it.

Where do I locate the ECA policies and forms for applying for a certificate?

Visit our ECA Document Library to locate all the forms you need to do business within the IdenTrust.

How do I sign a digital document?

Most PDF documents that you will receive will come pre-made with a signing box. If this is the case, follow these directions:

 

1.  Complete any required fields that are in the PDF document.

 

2.  When you are ready to digitally sign, simply click on the signing box.

 

3.  This will open the signing documents window where you can select the certificate you wish to use to sign the PDF document.

 

     Note:  If you have more than one certificate, you can select the one you wish to use by clicking on the Sign As dropdown box. 

 

4.  Once you have selected the certificate you will use to sign the PDF document, select Sign.

 

5.  The Save As dialogue box will appear.

 

6.  Select the location you would like to save the signed PDF document, then click Save. 

 

7.  Your digital signature has now been applied.  

 

Visit our How Do I pages to learn more about digital signing and how to create a signing box in a PDF document.

 
  

I can’t access my certificate. What should I do?

If you have an ACES, IGC or TrustID certificate that you cannot use, you may need to replace the certificate. Visit our How Do I library for instructions to replace your certificate.

 

If you cannot access your account with us because you have forgotten your IdenTrust Account passphrase, you can reset your password through the Certificate Management Center. You do not need to replace the certificate in this case.

 

If you have a DOD ECA s-Certificate or t-Certificate, a key recovery will need to be done. These certificates cannot be replaced.   Visit our How Do I library for instructions to request a Key Recovery.

What are the rules for creating an IdenTrust account password?

You will create your account password when you register for an IdenTrust certificate.  You will also use your account password when you retrieve your approved certificate.  When selecting your account password, be aware that it:

 

  • Must be between 8 – 30 characters in length
  • Can consist of letters, numbers, and any special characters except ( ) \ / “ *
  • Is case-sensitive (UPPER CASE and lower case letters are not the same thing)
  • Should be something that you will be able to remember, but that others will find difficult to guess 

 

Please note that your account password is different than your certificate password (although you may wish to choose a password that is the same for both).  Your certificate password is used only when you use your certificate for signing or to access a secure site. 

 

What happens if I forget my account password?

For reasons of security and non-repudiation, no person or equipment has access to your unencrypted account password, so there is no mechanism for IdenTrust to look up your account password if you forget it. However, you do have the option to reset your account password through our Certificate Management Center. You will need to have your IdenTrust account number in order to complete these instructions. Your account number was provided to you when you were approved for your certificate.

 

1.  Access the Certificate Management Center (CMC).

 

2.  Click LOGIN to launch the CMC session. 

 

3.  When presented with the Choose a digital certificate dialog screen, click Cancel. This will allow you to proceed by using your account information.

 

4.  On the Certificate Management Center Login screen, enter your account number, and then choose the I forgot my password link.

 

5.  You will receive a confirmation screen, indicating that the password assistance instructions have been sent to your email address.

 

6. Follow the instructions provided in the email to allow you to reset your account password. Please note that if you cannot remember the answers to your secret questions, you will need to apply for a new certificate.

Which Web browsers are able to support the use of digital certificates? 

Browser compatibility will depend on the type of certificate you are using:

Browser Compatibility Matrix by Digital Certificate Type

Visit our How Do I pages for specific information about exporting and importing your digital certificate using a particular browser. 

What happens if I forget my USB token password?

If you forget the password to access your USB token, you will not be able to use your certificate until you re-initialize the token and do a key recovery. This process usually takes 3-5 business days to complete.  If your organization has a Certificate Coordinator, Trusted Internal Correspondent, or Local Registration Agent registered with IdenTrust, you can contact that person to initiate a key recovery.  Otherwise, please contact the IdenTrust Help Desk at 1 (888) 248-4447 for assistance.

 

Your request will then be processed by our Registration department. Once the request has been approved, you will be sent a letter (via US mail) with new retrieval information. You may then retrieve the new certificate by following the same process you used when initially retrieving it. You can check the status of your key recovery application by visiting our Certificate Management Center.

 

If you have a Smart Card or USB token for an ECA certificate, you will need to initiate an ECA Program Key recovery.

What is a FIPS112-compliant password?

A FIPS 112-compliant password requires the following characteristics: 

 

Composition: Password should contain both upper and lower case characters (e.g., a-z, A-Z) and have digits and punctuation characters as well as letters. Example: 0-9, !@#$%^&*()_+|~-=\‘{}[]:";’<>?,./

 

Length: The minimum length is 8 characters. Longer passwords will provide stronger security. Passwords are more easily remembered as a passphrase. Example: Don’tUseMyExactExample2

 

Lifetime: The maximum life is one (1) year and a change is recommended every three (3) months where practical. "Passwords shall be replaced as quickly as possible, but at least within one (1) working day from the time that a compromise of the password is suspected or confirmed"

 

Source: Users should not select a password that can be found in a dictionary or name list

 

Ownership: Passwords should not be shared

 

Distribution: Passwords should not be shared in email

 

Storage: Passwords should not be stored insecurely

 

Entry: Passwords should be entered in a way that others cannot observe entry 

 

Transmission: Passwords should never be transmitted in clear text 

 

Authentication Period: Users are recommended to lock their screen when leaving their area and to have an inactivity, auto-lock, password-protected screensaver set to protect unauthorized use of their token and system.
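The account-password rules and the certificate-password characteristics listed above can be checked mechanically. The following is an added example, not IdenTrust's code: the function names, the 90-day reading of "three months", the treatment of any non-alphanumeric character as punctuation, the decoration-stripping dictionary check and the sample word list are all assumptions made for illustration.

```python
from datetime import date

# Account-password rules as this page states them.
ACCOUNT_MIN, ACCOUNT_MAX = 8, 30
ACCOUNT_FORBIDDEN = set('()\\/"*')      # ( ) \ / " *

# Certificate-password characteristics as this page lists them.
CERT_MIN_LENGTH = 8
MAX_LIFETIME_DAYS = 365                 # "maximum life is one (1) year"
RECOMMENDED_CHANGE_DAYS = 90            # assumption: "three (3) months" taken as 90 days

# Constructed sample word list; a real check would load a dictionary and a name list.
SAMPLE_WORDLIST = {"password", "welcome", "identrust", "dragon", "jennifer"}


def check_account_password(pw):
    """Return the names of the account-password rules that pw breaks."""
    problems = []
    if not ACCOUNT_MIN <= len(pw) <= ACCOUNT_MAX:
        problems.append("length")
    if ACCOUNT_FORBIDDEN & set(pw):
        problems.append("forbidden-character")
    return problems


def core_word(pw):
    """Lower-case pw and strip leading/trailing non-letters ("Password1!" -> "password")."""
    lowered = pw.lower()
    start, end = 0, len(lowered)
    while start < end and not lowered[start].isalpha():
        start += 1
    while end > start and not lowered[end - 1].isalpha():
        end -= 1
    return lowered[start:end]


def check_certificate_password(pw, last_changed, today, wordlist=SAMPLE_WORDLIST):
    """Check composition, length, source and lifetime; return violations and advisories."""
    violations, advisories = [], []

    # Composition: upper case, lower case, digits and punctuation must all be present.
    classes = {
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "punctuation": any(not c.isalnum() and not c.isspace() for c in pw),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        violations.append("composition:" + ",".join(missing))

    # Length: minimum of 8 characters.
    if len(pw) < CERT_MIN_LENGTH:
        violations.append("length")

    # Source: a dictionary word stays a dictionary word after a digit and "!" are appended.
    if pw.lower() in wordlist or core_word(pw) in wordlist:
        violations.append("source")

    # Lifetime: hard limit of one year, change recommended after three months.
    age_days = (today - last_changed).days
    if age_days > MAX_LIFETIME_DAYS:
        violations.append("lifetime")
    elif age_days > RECOMMENDED_CHANGE_DAYS:
        advisories.append("change-recommended")

    return {"violations": violations, "advisories": advisories}


if __name__ == "__main__":
    # Constructed sample passwords and dates.
    print(check_account_password("Blue(Heron)42"))
    print(check_certificate_password("Password1!", date(2024, 1, 1), date(2024, 2, 1)))
    print(check_certificate_password("Quiet-River-Stone-77", date(2023, 1, 1), date(2024, 6, 1)))
```

A password such as `Password1!` satisfies every composition and length rule and is still reported under "source", which is why the dictionary check is listed as its own characteristic.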

What is the difference between an Account Password and a Certificate Password?

Account Password

 

The Account Password is created by you when the application is filled out online. This password is required to download your certificate and to access your account via the Certificate Management Center (CMC).

 

Within the CMC you can:

 

  • Revoke your certificate
  • Replace your certificate
  • Renew your certificate
  • Update your account information
  • Update Account Password & security questions

 

The rules for creating your Account Password are:

 

  • Account Password must be between 8-30 characters in length
  • It can consist of letters, numbers and some special characters
  • Cannot contain ( ) \ / " *.
  • The Account Password is case sensitive (UPPER & lower case)


Certificate Password

 

The Certificate Password is created to protect the use of the certificate. Depending on the assurance level of your certificate, when your certificate is downloaded to your machine you may be prompted to create the private key password. This is referred to as the Certificate Password.

 

The Certificate Password is used each time the certificate is accessed:

 

  • Signing emails
  • Signing documents (Adobe, Word, Excel, etc.)
  • Accessing a secure website

 

When creating your Certificate Password we recommend you use the following guidelines:

 

  • Between 8-30 characters
  • At least 1 lower case letter
  • At least 1 upper case letter
  • At least 1 special character
  • Create a Certificate Password that is not easily guessed, but something that you will not forget

What are the differences between the various types of passwords?

There are multiple passwords associated with your account and hardware. Please note IdenTrust does not have access to view, confirm or reset your passwords. 

 

Account Password

This password is created during the online application.  You do have the ability to update your password if you can correctly answer the three security questions you chose when you applied for your certificate.  Every account has an account password, but your account can be associated with multiple certificates.


USB Token and Smart Card Password

This password is created when you initially set up your token. Before the retrieval of your certificate, you are prompted by the token software to create a password that will protect your token. This password can only be changed if you know the current passcode. Both the USB and the OTP tokens have a token passcode.


One-Time Use (OTP) Password

This password is only used with an OTP token and is created at the end of the certificate retrieval process. This password can be changed at any time by logging into the CMC and following the prompts to change it. The OTP password is used in conjunction with an OTP Token Code.

 

OTP Token Code:

This is the number generated on the OTP token and displayed in the OTP token window. The OTP token code is used in conjunction with an OTP Password.
 

Maintain

I lost my encryption certificate, how do I get a copy from you?

You need to contact a Key Recovery Officer (KRO) within your organization to initiate a Key Recovery request. He or she will assist you in filling out the appropriate form. After the form is submitted to IdenTrust and is approved, you will receive a copy of your recovered key in the mail. If your organization does not have a KRO, you can contact specific individuals within your organization who can submit a request to IdenTrust on behalf of your organization.  Those individuals are mentioned in the Subscribing Organization Authorization Agreement. Contact your supervisor or your HR department to find out who can request key recoveries from IdenTrust.

Why does IdenTrust need my marriage certificate or other name change documentation?

While IdenTrust will make every attempt to verify any name discrepancies between IDs due to marriage, divorce or other, there are instances where names cannot be verified.  When this occurs, our Registration Department will reach out to you and request that you provide a notarized copy of the document confirming the name change. Examples of documents accepted include:

 

  • Marriage Certificate or License
  • Divorce Decree (1st, last and page showing reinstating of name)
  • Court-issued documentation

 

Please send the notarized copy of the name-changing document to: 

 

      IdenTrust Registration
      5225 Wiley Post Way, Ste 450
      Salt Lake City, UT 84116 

IDES requires my certificate file to have a .pem (Base64) or .der (Binary) file extension, how can I do that?

You can identify a file with a certificate in .pem format when it has the string -----BEGIN CERTIFICATE----- at the top of the sequence; and the string -----END NEW CERTIFICATE REQUEST----- at the end.  For SSL certificates, at the time of initial installation the certificate is already provided in .pem format and you can save it to a file with the .pem extension.  Alternatively, you can access the IdenTrust Certificate Management Center (CMC) using your account number and password where you can view and save the certificate in .pem format.

 

1.  Log into the CMC.

2.  Locate the prompt labeled For this Certificate, Would You Like to:

3.  Select View Your Certificate PEM and click Continue.

4.  Here you will have access to the information in .pem format and you can save it to a file with the .pem extension. 

 

For a FATCA Organization certificate, you will be able to export the certificate from your browser in the .pem format. The extension of this file will be .cer. For specific instructions for supported browsers, visit our How Do I library.  
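One way to tell which of the two encodings a file holds, and to convert between them, as an added example that is not IdenTrust's code. It assumes the RFC 7468 textual encoding, in which a certificate block opens with `-----BEGIN CERTIFICATE-----` and closes with `-----END CERTIFICATE-----`, while `NEW CERTIFICATE REQUEST` is the label of a certificate request. The function names are hypothetical, the DER test checks only the outer ASN.1 SEQUENCE rather than parsing X.509, and the sample bytes are constructed, not a real certificate.

```python
import base64
import re
from typing import Optional

# RFC 7468 textual encoding: -----BEGIN <label>----- ... -----END <label>-----
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END ([A-Z0-9 ]+)-----",
    re.DOTALL,
)
CERT_LABEL = b"CERTIFICATE"


def looks_like_der(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE (tag 0x30) with a consistent length."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                       # short form: length fits in one byte
        return len(data) == 2 + first
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return False
    return len(data) == 2 + n + int.from_bytes(data[2:2 + n], "big")


def classify(data: bytes) -> str:
    """Classify file contents by encoding and, for PEM, by label."""
    m = PEM_BLOCK.search(data)
    if m:
        begin, _, end = m.groups()
        if begin != end:
            return "pem-mismatched-labels"  # e.g. BEGIN CERTIFICATE / END ... REQUEST
        return "pem-certificate" if begin == CERT_LABEL else "pem-other"
    if b"-----BEGIN " in data:
        return "pem-malformed"
    return "der" if looks_like_der(data) else "unknown"


def pem_to_der(data: bytes) -> bytes:
    """Decode the first PEM CERTIFICATE block to its binary (DER) form."""
    m = PEM_BLOCK.search(data)
    if not m or m.group(1) != CERT_LABEL or m.group(3) != CERT_LABEL:
        raise ValueError("not a PEM CERTIFICATE block")
    body = re.sub(rb"\s+", b"", m.group(2))
    der = base64.b64decode(body, validate=True)   # rejects non-Base64 characters
    if not looks_like_der(der):
        raise ValueError("decoded body is not a single DER SEQUENCE")
    return der


def der_to_pem(der: bytes) -> bytes:
    """Wrap DER bytes as a PEM CERTIFICATE block with 64-character lines."""
    if not looks_like_der(der):
        raise ValueError("input is not a single DER SEQUENCE")
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines)
            + b"\n-----END CERTIFICATE-----\n")


def suggested_extension(data: bytes) -> Optional[str]:
    """Return the extension matching the contents, or None if it is not a certificate."""
    return {"pem-certificate": ".pem", "der": ".der"}.get(classify(data))


# Constructed sample: a 300-byte SEQUENCE with filler content, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x2c" + bytes(i % 251 for i in range(300))
SAMPLE_PEM = der_to_pem(SAMPLE_DER)
# Constructed variants: a request-labelled block and a block with mismatched labels.
SAMPLE_REQUEST = SAMPLE_PEM.replace(b"CERTIFICATE", b"NEW CERTIFICATE REQUEST")
SAMPLE_MISMATCHED = SAMPLE_PEM.replace(
    b"-----END CERTIFICATE-----", b"-----END NEW CERTIFICATE REQUEST-----")

if __name__ == "__main__":
    for name, blob in [("der", SAMPLE_DER), ("pem", SAMPLE_PEM),
                       ("request", SAMPLE_REQUEST), ("mismatched", SAMPLE_MISMATCHED)]:
        print(name, classify(blob), suggested_extension(blob))
```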

What are the reasons that IdenTrust must revoke my certificate?

If at any time IdenTrust has been made aware of or has a belief that a certificate/private key has been compromised, we are required by all governing certificate policies to protect the integrity of the certificate by executing a revocation. Once a compromise is identified, IdenTrust must perform a revocation within a specific timeframe as defined by the governing certificate policy. 

 

Examples where revocation is required include:

 

  • Evidence that the certificate owner is not the individual who completed the certificate application, but is calling in for technical support. This situation is typically identified when the caller is the account owner, but they cannot answer questions about information contained in the application.
  • Someone other than the certificate holder is calling in for assistance with installation of the certificate and has access to the password and activation code.
  • You are no longer employed by the organization named in your certificate.

What if my personal information changes after I have received my certificate?

Certain pieces of information provided during your initial application may change during the certificate's lifetime. Some of these pieces of information can be updated immediately, others will have to wait for the renewal process, and some changes will require you to submit a new application. Examples of common changes include:

 

My mailing address has changed.

You can update the mailing address on your account at any time by logging into the Certificate Management Center (CMC).

Once you have accessed the CMC, locate the prompt labeled Manage Your Account Information and select View/Update Account Information. Make the necessary changes and select Finish.

 

My headquarters address has changed, or my company's name has changed.

Unfortunately, you are unable to make changes regarding your organization name and/or address. This is because organization information is included in your certificate and can only be used in conjunction with conducting business on behalf of that specific organization.  In order to update an organization, you must obtain a new certificate.  Be aware that if you currently use your certificate to gain access to a federal or state agency, you may also need to re-register with the new company information prior to being able to use the new certificate with the agency system.  We suggest that you contact the appropriate agency for further clarification.

 

My email address has changed.

You will have the option to change the email address associated with your certificate during the renewal process. It cannot be changed prior to a renewal.  If you must have your current email included in your certificate, you will need to purchase a new certificate.

 

My name has changed.

You cannot change your name except when you renew your certificate. During the renewal process, you will be asked to confirm your name. At that time you can update to your current legal name, which will be included in your new certificate. If the IdenTrust Registration Department is unable to verify the requested changes, you may be asked to send in proof of the name change by providing additional documentation such as:

  • Marriage Certificate
  • Divorce Decree (1st, last and page showing the name change)
  • Other court-issued documentation

If you must have a certificate that includes your new name prior to certificate renewal, you will need to purchase a new certificate.

What is revocation and how can I do it?

Revocation is the action of making your certificate unusable. This is necessary when you believe that your certificate/private key has been compromised.  Revocation prevents anyone from using your certificate to create digital signatures or from accessing secure sites.  It is your obligation, based on the Subscriber Agreement you accepted, to request that your certificate be revoked in the case that you believe it has been compromised.  You can revoke your certificate via the Certificate Management Center (CMC).  Use the following procedure to revoke your certificate: 

 

Visit our How Do I library for instructions to replace your certificate.

 

Visit our Document Library to view Subscriber Agreements for each certificate policy type.

How do I replace my digital certificate?

Please visit our How Do I library for detailed instructions to replace your certificate.

Can I update the personal information in my certificate?

In most cases, the personal information included in your certificate is your name and your email address. The only time you can change this information is when you renew your certificate. If any of the personal information that is included in your certificate has changed (or will change soon), you can update the information while renewing; however, if you need to update this information and your certificate is not eligible for renewal (within 90 days of expiration), you will need to apply for a new certificate. Information that is not included in your certificate can be updated at any time via the Certificate Management Center (CMC).

 

Find more information about managing your certificate in our How Do I library.

 

Renew

How long will it take to renew my certificate?

The renewal process usually takes 3-5 business days. Once we receive your renewal request, our Registration team will review and approve the account. Once approved, a notification with instructions for retrieving the renewed certificate will be sent to you. 

I can’t login to the Certificate Management Center (CMC).

If you are having trouble logging in to the Certificate Management Center (CMC), make sure that your browser is not blocking pop-ups for this site. If you are unable to login because you have forgotten your Account Password, you have the option to reset your password via the CMC. This option is available by clicking the link I forgot my account password in the CMC login page. Once you have reset your account password you should be able to access the CMC.

Can I renew my certificate after the expiration date?

ECA (DOD) and IGC certificates cannot be renewed after they expire. If your certificate has expired, you will need to apply for a new certificate. 

TrustID certificates can be renewed up to 30 days beyond the expiration date.

 

Can I change my IdenTrust account password during renewal?

You will be asked whether you want to change your Account Password during the renewal process. Please be aware that this is not the same as the Certificate Password you use with your digital certificate (although you may have chosen the same code for both Account Password and Certificate Password).  Unless you are confident that you will remember a new Account Password, we suggest that you do not change it. As a reminder, changing the Account Password will not change the Certificate Password you use with your certificate. 

 

Learn more about the differences between Account and Certificate passwords

I’m trying to renew and I get a message that says I need to login to the Certificate Management System with my certificate. What does this mean?

In order to renew your certificate before it expires, if you have a software certificate you must be on the computer where your certificate is currently stored. If your certificate is stored in a Smart Card or USB Token, you must have the device attached to the computer that has the Smart Card or USB Token software. When you log in to the Certificate Management Center, a window will appear with your name in it. You must highlight your name and click "OK". If your name is not in the box, it means that your certificate is not on the computer you are using. Other suggestions:

 

  • If your certificate is on another computer, please renew it from that computer. 
  • If your certificate is no longer on any computer, you will need to replace your certificate first and then renew it. 

 

For additional information about managing your certificate, visit our How Do I library.

When and how can I renew my certificate?

You can renew a certificate within 90 days from expiration. The IdenTrust system will automatically notify you by email at 90, 60, 30, 14, 7 and 1 day intervals prior to your certificate expiration date. If you have not received renewal notification emails and you are within 90 days of expiration, please access the Certificate Management Center (CMC) and perform the following steps:

 

1.  Use either your certificate or your account number and account password to sign into the CMC

2.  Locate the label For this Certificate, Would You Like to:

3.  In the corresponding drop down menu, select Renew Your Certificate and click Continue.

4. Follow the instructions provided to renew your certificate. 

 

Please note that if you are planning to pay with a purchase order, you should obtain a voucher number for renewal prior to initiating your renewal.  You can purchase vouchers by selecting from one of the following voucher product links below:

 

  Purchase ECA Vouchers

  Purchase IGC for EPCS Vouchers

  Purchase IGC for Digital Signing and Sealing Vouchers

  Purchase TrustID Vouchers

 

When does my certificate expire?

Depending on the type of certificate you purchased and the validity period you selected, your certificate will expire one, two or three years after it was issued.  You can check the expiration date of your certificate by logging into the Certificate Management Center.  Once you have logged in, locate your certificate listed under the Manage Your Certificates heading. Your certificate, along with the current status and expiration (“valid through”) date is displayed.

 

You will also receive email notifications at 90, 60, 30, 15, 7 and 1 day(s) prior to your certificate expiration.