ECA FAQ | IdenTrust

After I am approved for my digital certificate, how do I retrieve it?

You will be provided with a retrieval kit and instructions for using our online website to retrieve your certificate, found HERE. You will need to provide the Account Password that you chose when you applied for your certificate.

Can I retrieve my certificate a second time?

As a security measure, your activation code is valid for only one use. If your computer has had hardware or software problems and your certificate has been lost or corrupted, you will need to replace your certificate. If you wish to use your certificate on another computer, you will need to export your existing certificate to that computer.

Visit our How Do I library for information about how to replace or export your certificate.

Are there specific deadlines associated with applying for and retrieving an ECA certificate?

Your initial application will remain open for 45 days which will give you time to complete your forms packet and send the original, valid forms to IdenTrust for processing. After 45 days has elapsed without usable paperwork being submitted, the application will close and you will need to complete a new application.

Once the notary / Trusted Agent / ADE (depending on the certificate you apply for) signs the Part 2 form verifying your ID documents, a 30-day countdown begins. This means that you have 30 days from that date to send in your forms, be approved for the certificate and to retrieve the certificate. This is a requirement of the certificate policy and as such, once the 30 day window has passed a new application and forms packet will need to be completed.

Once an application has closed, it cannot be reopened.

Can I use a notary to comply with the in-person identity verification requirement?

Yes, you can use a Notary Public to comply with the in-person verification requirement. However, verification by a Notary is valid ONLY for ECA | Medium Assurance and ECA | Medium Token Assurance certificates.

If you need to obtain an ECA | Medium Hardware Assurance certificate, you must contact a Trusted Agent within your organization or an IdenTrust Registrar (RA Operator or Trusted Agent).

Refer to our datasheet Who Can Sign the Part 2 Form for ECA certificates.

Can I visit a U.S. Consulate in-person to comply with the identity verification requirement?

Yes. For ECA | Medium Assurance | Software Storage | Non-U.S. and ECA | Medium Token Assurance | Hardware Storage | Non-U.S. certificate applications, U.S. citizens may apply for a digital certificate while in any country with a U.S. Consulate. Upon completion of the online application, identity forms must be signed in the presence of a U.S. Consular Officer who is authorized to provide notarial services. Alternatively, U.S. citizens may apply for a digital certificate in a country where an Authorized DoD Employee (ADE) has been established, or where the citizen has access to a Judge Advocate General (JAG).

Citizens of Australia, Canada, New Zealand or the United Kingdom, while in any of these four countries, may apply for a digital certificate by completing the online application and retrieving the identity forms. Identity forms must be signed in the presence of a U.S. Consular Officer who is authorized to provide notarial services. Alternatively, citizens of these four countries may apply for a digital certificate in a country where an Authorized DoD Employee (ADE) has been established.

Citizens of other countries require that identity forms are signed in the presence of an Authorized DoD Employee (ADE). If you do not already have an ADE, one will need to be established before you apply. Please contact the IdenTrust Help Desk for instructions in setting up an Authorized Individual by calling 1(801) 384-3474 or by email to [email protected].

Learn more about Non-U.S. ECA certificates.

Can my organization pay with a purchase order?

Yes. After you have submitted a purchase order, IdenTrust will provide Voucher Numbers that you can distribute to applicant(s). These vouchers are used during the application process as the method of payment.

The purchase order process requires that you also submit a completed voucher form.

Purchase order requests under $500 cannot be accepted.

Please fax purchase orders for digital certificates and/or hardware to 1 (801) 415-7083.

How do I prove my citizenship in conjunction with applying for an ECA certificate?

According to the ECA Program policy, an applicant can prove their citizenship using a valid passport issued by the country of citizenship. You should bring your passport to the in-person identity verification appointment. Either the Trusted Agent, the Notary Public, the U.S. consul or an authorized IdenTrust employee will verify your citizenship using your passport.

The ECA program Certificate Policy (CP) and IdenTrust Certification Practice Statement (CPS) require that citizenship be proved based on a valid passport. If you are citizen of a non-U.S. country and you do not have a passport, you are not eligible to obtain a certificate under the ECA Program. However, if you are citizen of the United States, you can also prove your citizenship based on the following documents:

Birth Certificate. Certified birth certificate issued by the city, county, or state of birth, in accordance with applicable local law. A certified birth certificate has a registrar's raised, embossed, impressed or multicolored seal, registrar’s signature, and the date the certificate was filed with the registrar's office, which must be within 1 year of birth. A delayed birth certificate, filed more than one year after birth, is acceptable if it lists the documentation used to create it and is signed by the attending physician or midwife, or lists an affidavit signed by the parents, or shows early public records.
Naturalization Certificate. A Naturalization Certificate is a document issued by the U.S. Citizenship and Immigration Service (USCIS) since October 1, 1991, and the Federal Courts or certain State Courts on or before September 30, 1991, as proof of a person obtaining U.S. citizenship through naturalization.
Certificate of Citizenship. A Certificate of Citizenship is a document issued by the U.S. Citizenship and Immigration Service (USCIS) as proof of a person having obtained U.S. citizenship through derivation or acquisition at birth (when born outside of the United States).
FS-240 - Consular Report
DS-1350 - Certification of Report of Birth

What forms of ID should I present for verification?

The certificate policy requires certain forms of ID be provided at the time of in-person identification with the notary, Trusted Agent or ADE. Please be certain that all fields in your application form are completed to avoid delays in the approval process.

View our pdf document Identity Verification Requirements DoD ECA Certificate Policy for detailed instructions.

View our pdf document Identity Verification Who Can Sign the Part 2: In-Person Identification Form DoD ECA Certificate Policy for detailed instructions.

What happens after I submit my application for an ECA certificate?

Once you hit ‘submit’, there are a few things that you need to do before IdenTrust can process the application:

1. Please verify your email.

An email from [email protected] will be sent to the email address you listed in your application asking you to verify your email address. This email contains a unique verification code which you will use in addition to your account password to verify the email address. This verification is only done electronically. Please check your inbox, junk and spam folders to locate the email.

2. Complete your forms packet.

You were directed to print a copy of the forms packet at the end of your online registration. Complete both the Part 1 and Part 2 forms, following the instructions listed on the 2nd page of the packet.

3. Send the completed form to:

   IdenTrust Registration
   5225 Wiley Post Way, Ste 450
   Salt Lake City, UT 84116

If you no longer have your forms packet available, you can find the appropriate packet in our ECA Document Library.

4. IdenTrust reviews your application.

Once IdenTrust receives the completed forms packet, it will be reviewed and authenticated for accuracy. IdenTrust will validate your association with the organization listed on your application and will verify the details included on the application, as well as on the forms.

After these validation steps have been completed, your certificate request will be approved. An activation kit will be sent to you, including the approval letter and any applicable hardware ordered. Unless you requested expediting shipping during the online registration, the kit will be sent via standard mail (for letters), and FedEx Ground (for hardware orders).

5. Retrieve your certificate.

After you receive your activation kit, please complete the steps outlined in the approval letter to retrieve your certificate.

What if my personal information changes after my certificate application is approved?

Once your application has been approved the information cannot be updated in your certificate. However, certain information provided during your initial application can be updated via our Certificate Management Center. Some information can be updated immediately, while others will have to wait for the renewal process. Some changes will require you submit a new certificate application. A few examples of changes include:

My mailing address has changed.

You can update the mailing address on your account at any time through the Certificate Management Center.

In the section titled 'Manage Your Account Information', select 'View/Update Account Information'.
Make the needed changes and select 'Finish'.

My headquarters address has changed, or my company's name has changed.

Unfortunately, you are unable to make changes regarding your organization name and/or address. A new application will have to be submitted with the new organization information.

If you use the certificate to gain access to a federal or state agency, you may have to re-register with the new company information prior to being able to use the new certificate. Please contact the appropriate agency for further clarification.

My email address has changed.

You will have the option to change the email address associated with your certificate during the renewal process. It cannot be changed prior to a renewal.

My name has changed.

You will be asked to confirm your name during the renewal process, at which time you can update to your current legal name. You may be asked to send in proof of the name change if our Registration Department is unable to verify it.

Marriage Certificate
Divorce Decree (1st, last and page showing the name change)
Other court-issued documentation

If you require a certificate with your new name, you will need to purchase a new certificate.

You may access your account through the Certificate Management Center by logging in with your certificate.

What is the process to obtain a digital certificate?

The application process for a digital certificate is generally a 4-step process.

1. Apply for Your Certificate

Use the My Buying Community menu or the Certificates menu to select the category that is most comparable to your situation. Here you can learn more about the types of certificates that are offered under these programs.
Once you are ready to initiate a purchase, you can select any BUY button to launch our Certificate Selection Wizard. The wizard will assist you in selecting the certificate that is appropriate to your situation.
Verify your selections in your "shopping cart" and submit using the BUY NOW button.
You will be directed to the "checkout" process where you will provide your personal information and provide payment information.

Note: You will also be asked to enter a Password when you apply. Please record this Password and store it in a secure place. You will need this Password to retrieve your digital certificate.

Notary Form: In addition to the online application, some certificate applications require that you complete a notary form and submit it to IdenTrust. If required, the form will be provided for you to download at the end of the online application process.

2. Certificate Application Processing

Your application will undergo the approval process which can include authenticating identity information, authenticating paperwork, verifying organization information, and verifying organization affiliation.

3. Receive Your Approval Notification

Once approved, you will receive notification from IdenTrust. The method will vary based on the type of certificate you have purchased:

Notification with with the activation code will be emailed to the verified email listed during registration.
In cases where you have purchased a hardware device for certificate storage, such as a Smart Card, USB token, then you will also receive a kit containing the purchased hardware and software.

4. Retrieve Your Certificate:

Follow the instructions in the approval notification, which will include:

Retrieval and installation of your certificate via the secure IdenTrust website.
Installation of storage hardware and software, if applicable.
Testing your certificate.

Where do I find a Trusted Agent?

Your Organization may have a Trusted Agent. The individual who requested that you obtain an ECA Program certificate should know the contact information for that person. If you do not have the means to obtain this information, contact IdenTrust for further details at 1 (888) 882-1104.

Additionally, IdenTrust has made available Trusted Agent in the following areas:

San Antonio, TX
Clermont, FL
Fremont, CA
Salt Lake City, UT
Virginia

IdenTrust Trusted Agents may travel up to one hour to complete Identity Verification (I&A) for ECA | Medium Hardware Assurance | Trusted Agent Identity-Proofing certificate requests.

If requesting an ECA | Medium Assurance or ECA | Medium Token Assurance, please make arrangement meet with a notary instead.

You may contact IdenTrust to set up an appointment.

Why can’t I email or fax the forms packet?

The certificate policy requires the confirmation of identity be signed with a handwritten signature.

The organization officer's signature on the Part 1 form must be original and dated.
The signatures (both yours and the notary's) must also be original.

IdenTrust must receive the original wet-ink signature to confirm the signatures are original and not a stamp or photocopy.

We advise making a photocopy of the forms for your records, but the original, wet signature (pen to paper) forms must be submitted for processing. Please send the signed, original forms to:

IdenTrust Registration
5225 Wiley Post Way, Ste 450
Salt Lake City, UT 84116

What is the definition of a Non-U.S. applicant?

A Non-U.S. applicant is anyone residing and/or working outside of the United States. Non-U.S. applicants are eligible to apply for the following certificate types:

ECA | Certificates - Applications accepted in a limited number of approved countries.
TrustID | Business Identity Certificates - Applications accepted in all countries except those restricted by the U.S. Federal Government.
TrustID | Secure Email Certificates - Applications accepted in all countries except those restricted by the U.S. Federal Government.
TrustID | FATCA Certificates - Applications accepted in all countries except for those restricted by the U.S. Federal Government.
IGC | Business Identity Certificates - Applications accepted in all countries except those restricted by the U.S. Federal Government.
IGC | Device Certificates - Applications accepted in a limited number of approved countries.

View our Supported Countries list.

Can I change my IdenTrust account password during renewal?

You will be asked whether you want to change your Account Password during the renewal process. Please be aware that this is not the same as the Certificate Password you use with your digital certificate (although you may have chosen the same code for both Account Password and Certificate Password). Unless you are confident that you will remember a new Account Password, we suggest that you do not change it. As a reminder, changing the Account Password will not change the Certificate Password you use with your certificate.

Learn more about the differences between Account and Certificate passwords.

I can’t login to the Certificate Management Center (CMC).

If you are having trouble logging in to the Certificate Management Center (CMC), make sure that your browser is not blocking pop-ups for this site. If you are unable to login because you have forgotten your Account Password, you have the option to reset your password via the CMC. This option is available by clicking the link I forgot my account password in the CMC login page. Once you have reset your account password you should be able to access the CMC.

I’m trying to renew and I get a message that says I need to login to the Certificate Management System with my certificate. What does this mean?

In order to renew your certificate before it expires, if you have a software certificate you must be on the computer where your certificate is currently stored. If your certificate is stored in a Smart Card or USB Token you must have the device attached to the computer that has the Smart Card or USB Token software . When you login to the Certificate Management Center, a window will appear with your name in it. You must highlight your name and click "OK". If your name is not in the box, it means that your certificate is not on the computer you are using. Other suggestions:

If your certificate is on another computer, please renew it from that computer.
If your certificate is no longer on any computer, you will need to replace your certificate first and then renew it.

For additional information about managing your certificate, visit our How Do I library.

When and how can I renew my certificate?

You can renew a certificate within 30 days from expiration. The IdenTrust system will automatically notify you by email at 90, 60, 30, 14, 7 and 1 day intervals prior to your certificate expiration date. If you have not received renewal notification emails and you are within 30 days of expiration, please access the Certificate Management Center (CMC) and perform the following steps:

1. Using your certificate, sign into the CMC

2. Locate the label For this Certificate, Would You Like to:

3. In the corresponding drop down menu, select Renew Your Certificate and click Continue.

4. Follow the instructions provided to renew your certificate.

Please note that if you are planning to pay with a purchase order, you should obtain a voucher number for renewal prior to initiating your renewal. You can purchase vouchers by selecting voucher ECA Vouchers

Can I get a refund?

IdenTrust begins processing the application for a certificate as soon as the form of payment (credit card or voucher number) is provided. As soon as your application has been approved, IdenTrust will process the credit card or voucher number charge. Once processed, no refunds will be provided by IdenTrust. If your application has not been approved, you may cancel it without the credit card or voucher number being billed.

Can I use my certificate with Office 365?

Your digital signature can be imported to Office 365 easily, following these instructions:

For Office 365 subscriber, and on build 16.19.18110915 and higher,

If you don't see the Sign / Encrypt Message button, you might not have a digital ID configured to digitally sign messages and you need to do the following to install a digital signature.

On the File menu, click Options > Trust Center.
Under Microsoft Outlook Trust Center, click Trust Center Settings > Email Security
Click Import/Export to import a digital ID from a file on your computer,
If you have both a signing and an encryption certificate you will import both.

A digital signature on an e-mail message helps the recipient verify that you are the authentic sender and not an impostor. To use digital signatures, both the sender and recipient must have a mail application that supports the S/MIME standard. Outlook supports the S/MIME standard.

If you are an Office 365 subscriber, and on build 16.19.18110402 and higher,

In an email message, choose Options, select both the Sign and Encrypt buttons. Pick the encryption option that has the restrictions you'd like to enforce, such as Do Not Forward or Encrypt-Only.

Note: Office 365 Message Encryption is part of the O365 E3 license. Additionally, the Encrypt-Only feature (the option under the Encrypt button) is only enabled for subscribers (Office ProPlus users) that also use Exchange Online.

I can’t access my certificate. What should I do?

If you have an IGC or TrustID certificate that you cannot use, you may need to replace the certificate. Visit our How Do I library for instructions to replace your certificate.

If you cannot access your account with us because you have forgotten your IdenTrust Account passphrase, you can reset your password thru the Certificate Management Center. You do not need to replace the certificate in this case.

If you have a DOD ECA s-Certificate or t-Certificate, a key recovery will need to be done. These certificates cannot be replaced. Visit our How Do I library for instructions to request a Key Recovery.

What do I do if I've lost my USB token or Smart card?

If no longer in possession of the USB token or Smart card housing your digital certificate, the certificate is deemed 'compromised' and must be revoked. To Revoke a Certificate/Account where the digital certificate is no longer accessible, a request must be submitted officially via one of two ways:

Signed email from an Organization Officer/Representative.
- An organization’s representative (i.e., personnel office representative) can request revocation directly via a signed e-mail and a call to the Support, or mail to Registration on company letterhead containing a notarized signature.
- The communication should include the information about the Subscriber’s certificate to be revoked, including Subscriber name, email, and if possible the account number and/or application ID number, both available in email previously sent to the Subscriber.
- If the revocation is being requested for reason of key compromise or suspected fraudulent use of the private key, or if the smart card or USB token could not be collected and zeroed out, then the revocation request must indicate key compromise.
Company Letterhead
- Signed and notarized on the company letterhead, please provide the following:
  - Account number of certificate holder to Revoke (if available)
  - Certificate holder name
  - Certificate holder Email Address
  - Reason for Revocation
- Sign the request and have this request signed/notarized by any licensed Notary Public.
- Mail completed letter to:
  - ECA Registration IdenTrust Services
  - 5225 Wiley Post Way, Suite 450
  - Salt Lake City, Utah 84116

What happens if I forget my account password?

For reasons of security and non-repudiation, no person or equipment has access to your unencrypted account password, so there is no mechanism for IdenTrust to look up your account password if you forget it. However, you do have the option to reset you account password through our Certificate Management Center. You will need to have your IdenTrust account number in order to complete these instructions. Your account number was provided to you when you were approved for your certificate.

1. Access the Certificate Management Center (CMC).

2. Click LOGIN to launch the CMC session.

3. When presented with the Choose a digital certificate dialog screen, click Cancel. This will allow you proceed by using your account information.

4. On the Certificate Management Center Login screen, enter your account number, and then choose the I forgot my password link.

5. You will receive a confirmation screen, indicating that the password assistance instructions have been sent to you email address.

6. Follow the instructions provided in the email to allow you to reset your account password. Please note that if you cannot remember the answers to your secret questions, you will need to apply for a new certificate.

What happens if I forget my CryptoAPI Private Key (certificate) password?

IdenTrust never has access to your CryptoAPI Private Key (certificate) password, so we are unable to help you retrieve it if it is lost or forgotten. If you forget this password, you will not be able to use your current certificate and will need to replace it. This process will take approximately 3-5 business days, and will be done without charge to you.

For more information about replacing a certificate, please see our How Do I library for instructions to replace your certificate.

What happens if I forget my Master Password?

The Master Password or certificate password is the password that protects your certificate. IdenTrust never has access to your master/certificate password, so we are unable to help you retrieve this password if it is lost or forgotten. If you forget this password, you will not be able to use your current certificate (if it is password protected) and will need to replace your certificate. This process will take approximately 3-5 business days, and will be done without charge to you.

For more information about replacing a certificate, please see our How Do I library.

What happens if I forget my USB token password?

If you forget the password to access your USB token, you will not be able to use your certificate until you re-initialize the token and do a key recovery. If your organization has a Certificate Coordinator, Trusted Internal Agent, or Local Registration Agent registered with IdenTrust, you can contact that person to initiate a key recovery. Otherwise, please contact the IdenTrust Support team at 1 (888) 248-4447 for assistance.

Your request will then be processed by our Registration team. Once the request has been approved, you will be sent a letter (via US mail) with new retrieval information. You may then retrieve the new certificate by following the same process you used when initially retrieving it. You can check the status of your key recovery application by visiting our Certificate Management Center.

If you have a Smart card or USB token for an ECA certificate, you will need to initiate an ECA Program Key recovery.

What are the differences between the various types of passwords?

There are multiple passwords associated with your account and hardware. Please note IdenTrust does not have access to view, confirm or reset your passwords.

Account Password

This password is created during the online application. You do have the ability to update your password if you can correctly answer the three security questions you chose when you applied for your certificate. Every account has an account password, but your account can be associated with multiple certificates.

USB Token and Smart Card Password

This password is created when you initially setup your token. Before the retrieval of your certificate, you are prompted by the token software to create password that will protect your token. This password can only be changed if you know the current passcode. Both the USB and the OTP tokens have a token passcode.

How do I get a copy of an SSAE-18 SOC 2 Type II audit report?

IdenTrust does undergo an SSAE-18 SOC 2 Type II audit every year. However, since the detailed information in the audit report is company-confidential, we require an NDA to be in place.

An alternative that does not require an NDA:
As a Certificate Authority, IdenTrust undergoes a WebTrust for Certificate Authorities audit, and the attestation letter for this audit is publicly available without the need for an NDA. The WebTrust for CA audit examines not only the same general information security practices as the SOC 2 criteria does, but also certificate life cycle practices including proper handling of applicant information. The link for the WebTrust for CA audit is at the bottom of our home page. You may also be interested in examining our Privacy Policy.

What browsers are compatible with my certificate?

Browser compatibility will depend on the type of certificate and the operating system you are using.

Microsoft® Windows® OS
Software Certficates	Microsoft® Edge	Google® Chrome	Mozilla® Firefox	Android® OS
Certificates can be retrieved using these browsers	X	X	X
Certificates can be imported to these browsers	X	X	X	X

Hardware Certificates	Microsoft® Edge	Google® Chrome	Mozilla® Firefox	Android® OS
Certificates can be retrieved using these browsers	X	X	X
Certificates can be imported using these browsers	X	X	X

Apple® Mac® OS
Software Certificates	Google® Chrome	Mozilla® Firefox	Apple® Safari	iOS (iPhone/iPad)
Certificates can be retrieved using these browsers	X	X	X
Certificates can be imported using these browsers	Accessible Via Keychain	X	Accessible Via Keychain	X

Hardware Certificates	Google® Chrome	Mozilla® Firefox	Apple® Safari	iOS (iPhone/iPad)
Certificates can be retrieved using these browsers	X	X	X
Certificates can be imported using these browsers	Accessible Via Keychain	X	Accessible Via Keychain

TLS/SSL Certificates Are Interoperable With:
Apple® Safari (for OSX and iOS) Blackberry® Google® Chrome (for Windows®, Apple®, OSX®, and Android®) IBM® Microsoft® Edge Mozilla® Firefox (in Windows®, Apple®, OSX®, and Linux® Environments) Oracle® Java

What is the difference between an account password and a certificate password?

Account Password

The Account Password is created by you when the application is filled out online. This password is required to download your certificate and to access your account via the Certificate Management Center (CMC).

Within the CMC you can:

Revoke your certificate
Replace your certificate
Renew your certificate
Update your account information
Update Account Password & security questions

The rules for creating your Account Password are:

Account Password must be between 8-30 characters in length
It can consist of letters, numbers and some special characters
Cannot contain ( ) \ / " *.
The Account Password is case sensitive (UPPER & lower case)

Certificate Password

The Certificate Password is created to protect the use of the certificate. Depending on the assurance level of your certificate, when your certificate is downloaded to your machine you may be prompted to create the private key password. This is referred to as the Certificate Password.

The Certificate Password is used each time the certificate is accessed:

Signing emails
Signing documents (Adobe, Word, Excel, etc..)
Accessing a secure website

When creating your Certificate Password we recommend you use the following guidelines:

Between 8-30 characters
At least 1 lower case letter
At least 1 upper case letter
At least 1 special characters
Create a Certificate Password that is not easily guessed, but something that you will not forget

What do I need to do before I apply for my certificate?

A digital certificate is a form of ID, just like a Driver’s License or Passport. We need to verify your identity before we can approve your application and issue your certificate.

Here is a list of what you will need to provide:
• Two forms of approved, valid (unexpired) ID, one of which must be a photo ID. Examples include a Passport, Certificate of Naturalization, Drivers License or State ID, CAC Card, and U.S. issued Birth Certificate. View our PDF document Identity Verification Requirements DoD ECA Certificate Policy for details.
• The Headquarters' address for your organization.
• The name of the agency or agencies you will use your certificate to interact with.
• Voucher Number: The voucher code you have been provided.

I lost my encryption certificate, how do I get a copy from you?

You need to contact a Key Recovery Officer (KRO) within your organization to initiate a Key Recovery request. The KRO will assist you in filling out the appropriate form. After the form is submitted to IdenTrust and is approved, you will receive a copy of your recovered key in the mail. If your organization does not have a KRO, you can contact specific individuals within your organization who can submit a request to IdenTrust on behalf of your organization. Those individuals are mentioned in the Subscribing Organization Authorization Agreement. Contact your supervisor or your HR department to find out who can request key recoveries from IdenTrust.

IDES requires my certificate file to have a .pem (Base64) or .der (Binary) file extension, how can I do that?

You can identify a file with a certificate in .pem format when it has the string -----BEGIN CERTIFICATE----- at the top of the sequence; and the string -----END NEW CERTIFICATE REQUEST----- at the end. For SSL certificates, at the time of initial installation the certificate is already provided in .pem format and you can save it to a file with the .pem extension. Alternatively, you can access the IdenTrust Certificate Management Center (CMC) using your account number and password where you can view and save the certificate in .pem format.

1. Log into the CMC.

2. Locate the prompt labeled For this Certificate, Would You Like to:

3. Select View Your Certificate PEM and click Continue.

4. Here you will have access to the information in .pem format and you can save it to a file with the .pem extension.

For a FATCA Organization certificate, you will be able to export the certificate from your browser in the .pem format. The extension of this file will be .cer. For specific instructions for supported browsers, visit our How Do I library.

There was a Mac OS update and my token or smart card isn't working with Firefox

Sometimes Mac OS updates break the connection between the hardware and Firefox. This can be easily remedied by uninstalling, then reinstalling the ActivClient middleware.

Please uninstall the ActivClient middleware from your Mac, then reinstall by following instructions found HERE.

What if my personal information changes after I have received my certificate?

Certain pieces of information provided during your initial application may change during the certificate's lifetime. Some of these pieces of information can be updated immediately, others will have to wait for the renewal process and some changes will require you submit a new application. Examples of common changes include:

My mailing address has changed.

You can update the mailing address on your account at any time by logging into the Certificate Management Center (CMC).

Once you have access the CMC, locate the prompt labeled Manage Your Account Information and select View/Update Account Information. Make the necessary changes and select Finish.

My headquarters address has changed, or my company's name has changed.

Unfortunately, you are unable to make changes regarding your organization name and/or address. This is because organization information is included in your certificate and can only be used in conjunction with conducting business on behalf of that specific organization. In order to update an organization, you must obtain a new certificate. Be aware that if you currently use your certificate to gain access to a federal or state agency, you may also need to re-register with the new company information prior to being able to use the new certificate with the agency system. We suggest that you contact the appropriate agency for further clarification.

My email address has changed.

You will have the option to change the email address associated with your certificate during the renewal process. It cannot be changed prior to a renewal. If you must have your current email included in your certificate, you will need to purchase a new certificate.

My name has changed.

You cannot change your name except at when you renew your certificate. During the renewal process , you will be asked to confirm your name. At that time you can update to your current legal name, which will be included in your new certificate . If the IdenTrust Registration Department is unable to verify the requested changes, you may be asked to send in proof of the name change by providing additional documentation such as:

Marriage Certificate
Divorce Decree (1st, last and page showing the name change)
Other court-issued documentation

If you must have a certificate that includes your new name prior to certificate renewal, you will need to purchase a new certificate.

What is revocation and how can I do it?

Revocation is the action of making your certificate unusable. This is necessary when you believe that your certificate/private key has been compromised. Revocation prevents anyone from using your certificate to create digital signatures or from accessing secure sites. It is your obligation, based on the Subscriber Agreement you accepted, to request that your certificate be revoked in the case that you believe it has been compromised. Use the following procedure to revoke your certificate:

Visit our How Do I library for instructions to replace your certificate.

Visit our Document Library to view Subscriber Agreements for each certificate policy type.

FAQ (ECA)

Microsoft® Windows® OS

Apple® Mac® OS