FAQ By Certificate Lifecycle (Learn)

Public Key Infrastructure Certificate Authorities (PKI-CA’s) such IdenTrust must follow a strict process validated via the PKI-CA’s audited Certificate Policy (CP) and Certification Practices Statement (CPS). After initial validation of compliance with Adobe’s AATL technical requirements, the CA is added to Adobe’s AATL. Once in the AATL, any signatures applied with certificates that trace back to their root will be automatically trusted in Adobe products.

AATL, short for Adobe Approved Trusted List, is a program that allows users to create digital signatures that are trusted instantly whenever the signed document is opened in Adobe® Acrobat® or Reader® software. IdenTrust is a member of AATL  via the commercial public trust root.

1. Open Adobe® Acrobat® or Adobe Reader® and click on Edit | Preferences
2. Select Signatures and click on 'More' in the Document Timestamping section
3. Click on 'New' to add a new Timestamping CA Server Authority
4. For name, type 'IdenTrust Timestamping CA Server Authority'
5. For Server URL, type ‘http://timestamp.identrust.com’
6. Do not check the option 'This Server Requires me to Log on'
7. Click [OK] to save the configuration

After ‘http://timestamp.identrust.com’ is configured, any new signatures on PDF files will get automatically time-stamped by IdenTrust TSA.

Timestamping binds the TrustID | EV Code Signing | Organization Identity | Hardware Storage digital signature, the signed code, and an accurate date and time. Upon execution, timestamped files are automatically validated for integrity, alerting the user if the file is no longer in the same state as when it was timestamped. Timestamping adds long term integrity and non-repudiation validation for up to 10 years after the TrustID | EV Code Signing | Organization Identity | Hardware Storage certificate has expired or has been revoked.

http://timestamp.identrust.com

To use it, post an RFC 3161 compliant message or configure it within applications supporting it.

The TrustID® Certificate Policy that governs this type of certificate establishes that TrustID | EV Code Signing | Organization Identity | Hardware Storage Certificates must be issued on hardware devices compliant with FIPS 140-2 Level 2 or higher security assurance. IdenTrust offers USB tokens for this purpose. This additional security requirement not only offers two-factor authentication but also prohibits the private key from being exported, thus offering additional assurance to relying parties on the ownership of the certificate holder.

IdenTrust also offers a EV Code Signing | Organization Identity | Hardware Storage (HSM) certificate for those who have their own storage device.

Yes - Microsoft® does not have a built-in user interface for a Timestamping Authority, but the IdenTrust TSA can be manually configured. You may view our PDF document How Do I Apply IdenTrust Timestamping Authority (TSA) to Microsoft® Office (MS-Office) Digitally Signed Documents to learn more. 

​​​​​​Yes, you may submit forms for your IGC certificate request by email. Follow these steps:

1. Take the Part 1 – Subscribing Organization Authorization Form to an organization officer to have it filled out, including signed by the organization officer.
   • All fields must be filled in. Missing information will lead to the submission being rejected.
2. Take the Part 2 – ID Form to a notary or Trusted Agent (TA) and present the accepted forms of identity required, either one valid federal ID (must be valid and contain a photo) or two valid state or local government IDs, one of which must contain a photo.
   • All fields must be filled in. Missing information will lead to the submission being rejected.
3. Sign the Part 2 form in the presence of the notary or TA.
4. Have the notary or TA sign the Part 2 form.
5. Scan the completed Part 1 and Part 2 forms and email to [email protected].

To avoid delays or rejection of the submission, confirm the following prior to electronic submission:

• All fields are filled in.
• All signatures are either handwritten or digital.
  • Stamp signatures and electronic signatures (i.e. DocuSign) are not accepted.
• All information is legible.

The standard method of submitting original signature forms is also accepted. Originals may be mailed to:

IdenTrust Registration
5225 W. Wiley Post Way
Suite 450
Salt Lake City, UT 84116

Yes! You may find a copy of the IdenTrust Secured TLS Seal Agreement here.

The original Federal Bridge cross certified version of the IdenTrust Global Common Root CA certificate utilized by IdenTrust to participate in the Federal Bridge Program expired on August 21, 2021. IdenTrust has obtained a re-signed certificate from the Federal PKI and has replaced the expiring certificate with the re-signed certificate.

This change should not impact your operation or certificate validations; however, if you would like to download the new root chains for both IGC human certificates and IGC device certificates at https://www.identrust.com/support/downloads, IdenTrust Global Common (IGC), for your availability and distribution as needed. 

IdenTrust does undergo an SSAE-18 SOC 2 Type II audit every year. However, since the detailed information in the audit report is company-confidential, we require an NDA to be in place.

An alternative that does not require an NDA:
As a Certificate Authority, IdenTrust undergoes a WebTrust for Certificate Authorities audit, and the attestation letter for this audit is publicly available without the need for an NDA. The WebTrust for CA audit examines not only the same general information security practices as the SOC 2 criteria does, but also certificate life cycle practices including proper handling of applicant information. The link for the WebTrust for CA audit is at the bottom of our home page. You may also be interested in examining our Privacy Policy.

IdenTrust as a Certificate Authority issues Digital Certificates to digitally sign electronic documents. eNotary individuals can customize the appearance of the Digital Signature with their own Electronic Seal and /or facsimile of a wet signature, while keeping data integrity and non-repudiation of the signed document.
 
Please use our helpful “How do I” pages to learn more:
Customize the appearance of a Digital Signature in Adobe®
Use Digital Certificate to Sign & Seal Documents

IdenTrust does not assist with the creation of the Electronic Seal but there are multiple companies online who provide this type service of service; here are some samples:
https://www.adobe.com/devnet-docs/acrobatetk/tools/DigSigDC/appearances.html
https://www.designfreelogoonline.com/logoshop/free-logo-maker-notary-logo-templates/

IGC certificates are valid for a period of one, two, or three years. They can then be renewed as early as 90 days prior to expiration. Renewal notifications are sent to account owner's email address at 90, 60, 30, 15, 7 and 1 day intervals. 

NOTE: Digital certificates are non-transferable to another person or business. 

Yes you can purchase a FATCA certificate without having a GIIN.   If you do have a GIIN number, IdenTrust may use it to facilitate the approval process for your certificate. 

Yes - the "IdenTrust DST Root CA X3" root is expiring on 9/30/2021 has been replaced with the "IdenTrust Commercial Root CA 1" self-signed root which is also trusted by the major browsers and root stores since 1/16/2014. You may download the IdenTrust Commercial Root CA 1 at this link: Root Certificate Download.

If you have appliances that are not dynamically updating the root trust chain, they need to be manually updated with the self-signed "IdenTrust Commercial Root CA 1" which can be downloaded at this link: Root Certificate Download. 

Digital certificates retrieved into a browser, also known as software storage certificates, are intended to be used mainly from a single computer. As no additional device is required, software storage certificates are relatively inexpensive.

Digital certificates retrieved into a portable hardware device such as USB token or Smart card, not only can be used from multiple computers, but also offer additional security via the built-in second factor authentication feature. Certificates stored in hardware devices can also be configured for Client Authentication for faster secure login sessions.

The decision to opt for a software storage or a hardware storage certificate is mainly predefined by the sponsoring organization (business); at an individual level, the applicant should weigh-in if the additional security and portability benefits are worth the hardware expense. 

Note: Be sure to check with your relying party or program to determine if it requires a specific type of storage:

• Software
• USB token
• Smart card 

Browser compatibility will depend on the type of certificate and the operating system you are using.

A digital certificate is a form of ID, just like a Driver’s License or Passport. We need to verify your identity before we can approve your application and issue your certificate. 

Here is a list of what you will need to provide: 

• An official Photo ID: Driver’s license or State ID Card 
• A Credit Card: In your name for address verification (not necessarily for payment) 
• Personal Information: Your FULL name (no nicknames or abbreviations), home address, and Social Security Number 
• Payment Information: Credit Card number or Payment Voucher number

If you are requesting a certificate that asserts affiliation with an organization, you will also need to submit forms that demonstrate that your organization is authorizing you to obtain a certificate that includes the organization name.

Your digital certificate will display several pieces of information:

•  It will be signed by the private key of the issuing CA
•  Unique identifier (distinguished name) of the certificate issuer
•  Period of time for which certificate is valid (validity period)
•  Unique identifier (distinguished name) of the certified subject
•  Public key of the certified subject
•  The issuer's signature

Different certificate types may also normally contain items such as:

•  Email address
•  Company name

Please note that the certificate will NEVER contain or display your personal information. The information that we collect during the application process is only used to validate your identity. 

You can also view your certificate in your browser.  The following is an example of what your certificate looks like in Microsoft® Edge:

IdenTrust Global Common (IGC) Certificates are cross-certified with the U.S. Federal Bridge Certification Authority, enabling trust by U.S. Federal, State and local governments, along with commercial entities or applications wishing to rely only Certificates proven to be issued in a standards-compliant manner.  

IGC Certificates available:

• Basic Assurance | Individual Identity | Software Storage
• Basic Assurance | Individual Identity | Hardware Storage
• Medium Assurance | Business Identity | Software Storage
• Medium Assurance | Business Identity | Hardware Storage | Trusted By Adobe®
• Medium Assurance | Individual Identity | Hardware Storage | Trusted By Adobe®
• Medium Assurance | Organization Identity | Device

Use cases for IGC Certificates include authentication to networks and applications, digital signing of email, transactions and documents, and encryption of email. Our Certificate Selection Wizard will help you to determine the best certificate to suit your business or personal needs.  Learn more about IGC Federal Bridge Certified certificates.

Account Password

The Account Password is created by you when the application is filled out online. This password is required to download your certificate and to access your account via the Certificate Management Center (CMC).

Within the CMC you can:

• Revoke your certificate
• Replace your certificate
• Renew your certificate
• Update your account information
• Update Account Password & security questions

The rules for creating your Account Password are:

• Account Password must be between 8-30 characters in length
• It can consist of letters, numbers and some special characters
• Cannot contain ( ) \ / " *.
• The Account Password is case sensitive (UPPER & lower case)

Certificate Password

The Certificate Password is created to protect the use of the certificate. Depending on the assurance level of your certificate, when your certificate is downloaded to your machine you may be prompted to create the private key password. This is referred to as the Certificate Password. 

The Certificate Password is used each time the certificate is accessed:

• Signing emails
• Signing documents (Adobe, Word, Excel, etc..)
• Accessing a secure website

When creating your Certificate Password we recommend you use the following guidelines:

• Between 8-30 characters
• At least 1 lower case letter
• At least 1 upper case letter
• At least 1 special characters
• Create a Certificate Password that is not easily guessed, but something that you will not forget

Adobe Approved Trusted List or AATL, is a program that enables people to sign documents in Adobe Document Cloud solutions and have that signature trusted globally. When a document is signed with an AATL-approved certificate, the recipient of the signed document will be able to trust the certificate* automatically and avoid the time-consuming process of manually downloading the certificate root chain locally required to authenticate the signature.

In short, AATL certificates allow anyone to validate a digital signature, on any device, at any time!

IdenTrust CA is a current AATL Member and authorized to issue AATL-enabled certificates.

AATL certificates must be issued on password protected devices that are FIPS 142-2 L2+ compliant, such as HID Global USB tokens and HID Global Smart cards. This requirement facilitates two-factor authentication (2FA) and also provides additional security, as the certificate private key cannot be exported from the hardware device; thereby eliminating the potential of key compromise by bad actors. Due to this requirement, only hardware certificates which are stored on a token or smartcard, are included on the AATL.

 

Software Certificates, that are stored directly on the computer itself, do not meet the requirements for inclusion on the AATL.

 

*AATL signatures are only auto-trusted when using other Adobe products. Should the recipient use another product, they will need to follow the manual process to trust the signature.

Storage devices such as the USB token and Smart card have limited space available to store certificates. Different certificate types have different file sizes, meaning a storage device will likely only be able to hold 3–4 certificate pairs, depending on the device being used.

We recommend purchasing a new HID USB token or HID Smart card after three renewals, or after three certificates have been stored on the device to ensure the device doesn't run out of storage space when retrieving another certificate. If you do run out of storage space, you will need to purchase a new device or remove old certificates that are no longer needed.*

You will be able to purchase new hardware when renewing your certificate, or you may purchase one by contacting our Support Team at +1 (888) 339-8904.

*Removing old certificates may impact your ability to decrypt email messages encrypted with that certificate. Whenever possible, we suggest removing old signing certificates only.

Both IGC and TrustID have AATL certificates available. Learn more about AATL Enabled Digital Certificates.

IGC certificates may be purchased directly from the IdenTrust website where both credit card and voucher payment is accepted.  In some cases a participating agency may cover the costs for people under that agency or for those who are required to obtain an IGC certificate necessary to interact with that agency.  If you would like to find out if your certificate costs are covered by a participating agency, please contact that agency directly, as IdenTrust does not directly participate in these certificate cost concessions.

Your private key (which is sometimes password protected in your web browser) is literally the key that opens your digital certificate.  It allows you to digitally sign documents and decrypt information that was only meant for you.  You should safeguard your private key just as you would any other form of identification. Just as you would not allow someone else to sign your name to something, or to use your social security number, you would not allow others to use your digital certificate.

There are many uses for IGC certificates.  Because IGC certificates are certified under the Federal Bridge policy, they are accepted and/or used by:

• Government agencies
• Healthcare organizations
• Professionals for digital signing and sealing
• Individuals for digital signing and email protection

Visit our Federal Bridge Certified page to learn more about IGC certificates or to purchase an IGC certificate. 

A digital certificate provides an electronic means of proving your identity in order to securely conduct business online. You can use certificates to: 

1. Encrypt information so that only the intended recipient can read it;
2. Identify yourself in electronic transactions; 
3. Digitally sign information to provide assurance to the recipient that it has not been changed in transit; and 
4. Verify that you actually sent the transmission. 
    

Our Certificate Selection Wizard will assist you in choosing the best certificate to meet your needs.

There are three general types of digital certificates--Individual Identity, Business Identity, and TLS/SSL Certificates:

• Individual Identity certificates authenticate an individual and are used to digitally sign and encrypt electronic documents.
• Business Identity certificates authenticate the individual to be an employee of a business and are also used to digitally sign and encrypt electronic documents.
• TLS/SSL, or Server certificates are issued for Web servers and are used to authenticate servers to Web browsers. This is used to protect information such as credit card numbers and account information on the Web.

The type of certificate may also dictate whether or not the certificate is stored in software or a hardware device, such as a Smart card or USB token.

See our document using the IdenTrust Certificate Selection Wizard for more information about choosing your certificate.

Certificates are stored on cryptographic hardware devices for additional security and as an option to use them from multiple computers. 

For AATL Enabled certificates TrustID Medium Assurance | Business Identity | Hardware Storage | Trusted By Adobe® and TrustID Medium Assurance | Individual Identity | Hardware Storage | Trusted By Adobe®, Adobe®'s technical requirements specify that the issuing Certification Authority must generate them is cryptographic devices with at least FIPS 140-2 Level 2 security. This security feature disable exportation and duplication of the private keys. For this purpose, IdenTrust supports only HID smart cards and HID USB Tokens compliant with the AATL requirement.  

IGC certificates are cross-certificated under the Federal Bridge which means that they are accepted for use in government applications such as the Electronic Prescriptions for Controlled Substances (EPCS) program.  IGC certificates can also be used by professionals who submit signed and sealed documents to state and local agencies, such as Departments of Transportation (DOTs) and individuals who perform eNotary services. 

IGC certificates offer multiple benefits:

• Using an IGC certificate allows individuals online access to information and services, such as state and local agencies for digital signing and sealing.
• Deployment of IGC certificates can also reduce cycle time and increase the efficiency of transactions between online entities. This is accomplished through converting paper-based to electronic transactions and processes.
• IGC certificates enable organizations to authenticate individuals initiating electronic transactions and gain assurance of an individual’s identity prior to granting access to confidential information.
• IGC certificates can be used to create non-repudiation via digital signatures.

Learn more about IGC Federal Bridge Certified certificates and use our Certificate Selection Wizard to assist you in selecting the IGC certificate for your specific application. .

IdenTrust holds applicants' personal information in the strictest confidence. In compliance with the Gramm-Leach-Bliley Act of 1999 (GLBA), we do not share personal information with outside third parties. 

IdenTrust hardware-based Digital Certificates (both ECA and IGC) used to encrypt e-mail satisfy the DoD CMMC requirements.

DoD CMMC require use of FIPS-validated cryptography to protect sensitive information in an e-mail. IdenTrust Digital Certificates used to encrypt e-mail are generated and stored in FIPS-validated cryptographic modules.

Browser-based certificates do not meet this requirement.

Yes. All IGC certificates meet the Category II NFI PKI requirements because the IGC Root CA is cross-certified with the Federal Bridge – which is part of the definition of Category II NFI PKI.

“Category II: Non-Federal Agency PKIs cross certified with the Federal Bridge Certification Authority (FBCA) or PKIs from other PKI Bridges that are cross certified with the FBCA”

We are also listed on https://public.cyber.mil/pki-pke/interoperability/ Table in the last section of the page lists us as Category II with PIV-I being the highest assurance level (which means all of the lower assurance levels like Basic and Medium and Medium Hardware are implied to be part of that)

A digital certificate is a form of ID, just like a Driver’s License or Passport. We need to verify your identity before we can approve your application and issue your certificate.

Here is a list of what you will need to provide:
• Two forms of approved, valid (unexpired) ID, one of which must be a photo ID. Examples include a Passport, Certificate of Naturalization, Drivers License or State ID, CAC Card, and U.S. issued Birth Certificate. View our PDF document Identity Verification Requirements DoD ECA Certificate Policy for details.
• The Headquarters' address for your organization.
• The name of the agency or agencies you will use your certificate to interact with.
• Voucher Number: The voucher code you have been provided.

In order to handle this task you need to install the latest Microsoft® SignTool.

Please refer to this Microsoft® website for details:
https://docs.microsoft.com/en-us/windows/win32/seccrypto/signtool?redirectedfrom=MSDN

Use this URL as the IdenTrust Timestamping Server Authority: 
http://timestamp.identrust.com

Part 1:

Forms sent to IdenTrust are sometimes missing required information such as the organization officer’s signature, title, email and/or phone number, as well as the date it was signed. It’s also possible the form does not show the organization name and/or address that was listed on the online application.

If information is missing, you will receive an email outlining what was missing on the form, as well as a copy of a blank Part 1 form.

Part 2:

Forms require a number of fields to be filled out, some of which sometimes get missed. Most common fields are the signatures of the applicant and/or notary, specific details about the IDs presented for verification, and the email address either missing or not matching that listed on the application. There can be other errors with the form as well.

If information is missing, you will receive an email outlining what was missing on the form, as well as a copy of a blank Part 2 form.

Please send the complete, original form(s) to: 

 IdenTrust Registration
 5225 Wiley Post Way, Ste 450
 Salt Lake City, UT 84116

You may also email the completed form to [email protected], from the email address provided during your online application. 

Your new or renewal application for the IdenTrust TrustID digital certificate will remain open for 45 days which will give you time to complete the application, any forms required, and email verification. After 45 days has elapsed without usable paperwork or email verification being submitted, the application will close and you will need to complete a new application.

Once you have electronically verified the email address provided on your application, and regardless of when any paperwork is provided or application is approved, a 30-day countdown begins. This means that you have 30 days from that date to complete registration, approval and retrieval the certificate. This is a requirement of the certificate policy and the CA/B Forum S/MIME Baseline Requirements and as such, once the 30 day window has passed a new application.

When an application has closed, it cannot be reopened.

Note: The 30-day countdown does not apply to IdenTrust TrustID EV SSL, EV Code Signing, and OV certificates.

Your initial application will remain open for 45 days which will give you time to complete your forms packet and send the original, valid forms to IdenTrust for processing. After 45 days has elapsed without usable paperwork being submitted, the application will close and you will need to complete a new application.

 

Once the notary / Trusted Agent / ADE (depending on the certificate you apply for) signs the Part 2 form verifying your ID documents, a 30-day countdown begins. This means that you have 30 days from that date to send in your forms, be approved for the certificate and to retrieve the certificate. This is a requirement of the certificate policy and as such, once the 30 day window has passed a new application and forms packet will need to be completed.

 

Once an application has closed, it cannot be reopened.

Your initial application for the IdenTrust Global Common (IGC) digital certificate will remain open for 45 days which will give you time to complete and submit your forms packet if required, and electronically verify your email. When 45 days has elapsed without usable paperwork being submitted or email verification, the application will close and you will need to complete a new application.

For Medium Assurance Certificates:
Once the notary or Trusted Agent signs the Part 2 form verifying your ID documents, a 90-day countdown begins. This means that you have 90 days from that date to send in your forms, be approved for the certificate and to retrieve the certificate. This is a requirement of the certificate policy and as such, once the 90 day window has passed a new application and forms packet will need to be completed.

For Basic Assurance Certificates:
Once you have completed email verification and been approved for the digital certificate, a 90-day countdown begin. This means that you have 90 days to retrieve the certificate. This is a requirement of the certificate policy and as such, once the 90 day window has passed a new application and forms packet will need to be completed.

Once an application has closed, it cannot be reopened.

The application requires that multiple verification steps be completed before it can be approved. Because of this, the approval process cannot be expedited. 
You do have the option to request expedited shipping of the activation kit once the application has been approved. You may select expedited shipping during the application process, or you may contact our Support team at (888) 339-8904 to request and pay for expedited shipping with either a FedEx account number, or your credit card. 

Please note: Once your application is approved, it will take up to 24 business hours for the activation kit to ship. 

Yes, you can use a Notary Public to comply with the in-person verification requirement. However, verification by a Notary is valid ONLY for ECA | Medium Assurance and ECA | Medium Token Assurance certificates. 

If you need to obtain an ECA | Medium Hardware Assurance certificate, you must contact a Trusted Agent within your organization or an IdenTrust Registrar (RA Operator or Trusted Agent).  

Refer to our datasheet Who Can Sign the Part 2 Form for ECA certificates.

Yes.  For ECA | Medium Assurance | Software Storage | Non-U.S. and ECA | Medium Token Assurance | Hardware Storage | Non-U.S. certificate applications, U.S. citizens may apply for a digital certificate while in any country with a U.S. Consulate. Upon completion of the online application, identity forms must be signed in the presence of a U.S. Consular Officer who is authorized to provide notarial services. Alternatively, U.S. citizens may apply for a digital certificate in a country where an Authorized DoD Employee (ADE) has been established, or where the citizen has access to a Judge Advocate General (JAG).

Citizens of Australia, Canada, New Zealand or the United Kingdom, while in any of these four countries, may apply for a digital certificate by completing the online application and retrieving the identity forms. Identity forms must be signed in the presence of a U.S. Consular Officer who is authorized to provide notarial services. Alternatively, citizens of these four countries may apply for a digital certificate in a country where an Authorized DoD Employee (ADE) has been established.

Citizens of other countries require that identity forms are signed in the presence of an Authorized DoD Employee (ADE). If you do not already have an ADE, one will need to be established before you apply. Please contact the IdenTrust Help Desk for instructions in setting up an Authorized Individual by calling 1(801) 384-3474 or by email to [email protected].  

Learn more about Non-U.S. ECA certificates.
  

Yes. After you have submitted a purchase order, IdenTrust will provide Voucher Numbers that you can distribute to applicant(s).  These vouchers are used during the application process as the method of payment.

The purchase order process requires that you also submit a completed voucher form. 

• ECA Certificates Voucher Order Form
• IGC Certificates Voucher Order Form
• TrustID Certificates Voucher Order Form

Purchase order requests under $500 cannot be accepted.

Please fax purchase orders for digital certificates and/or hardware to 1 (801) 415-7083.

You may check the status of your order by logging into your account with your application ID and account password. 
To check your status, click here: Application Status

According to the ECA Program policy, an applicant can prove their citizenship using a valid passport issued by the country of citizenship. You should bring your passport to the in-person identity verification appointment. Either the Trusted Agent, the Notary Public, the U.S. consul or an authorized IdenTrust employee will verify your citizenship using your passport.  

The ECA program Certificate Policy (CP) and IdenTrust Certification Practice Statement (CPS) require that citizenship be proved based on a valid passport. If you are citizen of a non-U.S. country and you do not have a passport, you are not eligible to obtain a certificate under the ECA Program. However, if you are citizen of the United States, you can also prove your citizenship based on the following documents:

1. Birth Certificate. Certified birth certificate issued by the city, county, or state of birth, in accordance with applicable local law. A certified birth certificate has a registrar's raised, embossed, impressed or multicolored seal, registrar’s signature, and the date the certificate was filed with the registrar's office, which must be within 1 year of birth. A delayed birth certificate, filed more than one year after birth, is acceptable if it lists the documentation used to create it and is signed by the attending physician or midwife, or lists an affidavit signed by the parents, or shows early public records. 
2. Naturalization Certificate. A Naturalization Certificate is a document issued by the U.S. Citizenship and Immigration Service (USCIS) since October 1, 1991, and the Federal Courts or certain State Courts on or before September 30, 1991, as proof of a person obtaining U.S. citizenship through naturalization. 
3. Certificate of Citizenship. A Certificate of Citizenship is a document issued by the U.S. Citizenship and Immigration Service (USCIS) as proof of a person having obtained U.S. citizenship through derivation or acquisition at birth (when born outside of the United States). 
4. FS-240 - Consular Report 
5. DS-1350 - Certification of Report of Birth 
    

If you require the ECA Hardware Assurance certificate, you can schedule an in-person identification session with one of our Trusted Agent. To do so, please call our Support team at (888) 882-1104. 

Certificates are processed in the order each request is submitted, and the required paperwork is received. If during the validation phase IdenTrust requires additional information, the process may take longer. 

Any hardware requested will be shipped to the mailing address on the application once the application has been approved. Unless expedited shipping was purchased, the package will deliver 3-5 days after shipping.

Certificates are processed in the order each request is submitted, and the required paperwork is received. Once approved, an email is sent to the certificate requestor which will allow immediate certificate retrieval. If the certificate request includes a USB Token or Smart card, the hardware will be shipped to the mailing address provided during the online registration.

You can include multiple citizenships in your application. The citizenships you include will be used by IdenTrust to issue your certificate and Relying Parties will use the citizenship information within the certificate to establish your access to their applications. IdenTrust has designed its registration processes to easily accept up to three citizenships.

If you need to include more than three citizenships please contact the IdenTrust Registration Desk directly at 1 (888) 882-1104 within the U.S., or 1 (801) 384-3474 outside of the U.S.

Unfortunately IdenTrust is unable to publish this information that is managed by a government agency. However, please contact our Support team at (888) 882-1104 for further assistance in identifying an ADE.

The ECA program Certificate Policy (CP) and IdenTrust Certification Practice Statement (CPS) require that citizenship be proved based on a valid passport. If you are citizen of a non-U.S. country and you do not have a passport, you are not eligible to obtain a certificate under the ECA Program. However, if you are citizen of the United States, you can also prove your citizenship based on the following documents:

1. Birth Certificate. Certified birth certificate issued by the city, county, or state of birth, in accordance with applicable local law. A certified birth certificate has a registrar's raised, embossed, impressed or multicolored seal, registrar’s signature, and the date the certificate was filed with the registrar's office, which must be within 1 year of birth. A delayed birth certificate, filed more than one year after birth, is acceptable if it lists the documentation used to create it and is signed by the attending physician or midwife, or lists an affidavit signed by the parents, or shows early public records. 
2. Naturalization Certificate. A Naturalization Certificate is a document issued by the U.S. Citizenship and Immigration Service (USCIS) since October 1, 1991, and the Federal Courts or certain State Courts on or before September 30, 1991, as proof of a person obtaining U.S. citizenship through naturalization. 
3. Certificate of Citizenship. A Certificate of Citizenship is a document issued by the U.S. Citizenship and Immigration Service (USCIS) as proof of a person having obtained U.S. citizenship through derivation or acquisition at birth (when born outside of the United States). 
4. FS-240 - Consular Report 
5. DS-1350 - Certification of Report of Birth 
    

Unfortunately, no. Each certificate must be applied for individually by the person who needs it. 

When applying for a certificate, our Certificate Selection Wizard will assist you in choosing the best certificate to meet your needs.

The certificate policy requires that applicants for ECA | Medium Hardware Assurance | Trusted Agent Identity-Proofing Required certificates have their identity validated by a Trusted Agent, approved by IdenTrust or the DoD. A notary’s review does not sufficiently meet this requirement.

When IdenTrust is verifying your identity, certain ID information is required such as the driver's license, social security card, or other details. If we are unable to verify those details, you will be asked via email to submit notarized documentation supporting what is listed on your application. Without this information, we cannot approve your certificate application.

Please have a copy of the document(s) notarized and mail to: 

 IdenTrust Registration
 5225 Wiley Post Way, Ste 450
 Salt Lake City, UT 84116 

Sometimes the required ID fields are missing details, such as the legal name, issue/expire date or document title. A copy of your ID is needed to confirm the missing details and to authenticate your identity.  If the details cannot be authenticated, a new Part 2 form will be requested.

If the serial/unique number is missing from the field, a new Part 2 form must be completed and sent in for processing. The original or notarized copy of the original document(s) should be sent to:

 IdenTrust Registration
 5225 Wiley Post Way, Ste 450
 Salt Lake City, UT 84116 

Address and phone verification are a necessary part of the identity verification required to obtain a digital certificate. If you receive an email requesting documentation, be sure to send either the original, or a notarized copy of the document.

Accepted documents are:

• Driver's license or state ID
• Utility bill dated in the last 30 days
• Phone bill dated in the last 30 days
• Rental agreement
• Other documents can be reviewed on a case by case basis.

Please mail the original or notarized copy of the confirming document to:

 IdenTrust Registration
 5225 Wiley Post Way, Ste 450
 Salt Lake City, UT 84116


Please contact [email protected] for more information on the document you would like to submit. 

Digital certificates retrieved into a browser, also known as software certificates, are intended to be used mainly from a single computer. As no additional device is required, software certificates are relatively inexpensive.

Digital certificates retrieved into a portable hardware device such as USB token or Smart card, not only can be used from multiple computers, but also offer additional security via the built-in second factor authentication feature. Certificates stored in hardware devices can also be configured for Client Authentication for faster secure login sessions.

The decision to opt for a software or a hardware certificate is mainly predefined by the sponsoring organization (business); at an individual level, the applicant should weigh-in if the additional security and portability benefits are worth the hardware expense. 

Note: Be sure to check with your relying party or program to determine if it requires a specific type of storage:

• Software
• USB token
• Smart card 

Part 1:

Forms sent to IdenTrust are sometimes missing required information such as the organization officer’s signature, title, email and/or phone number, as well as the date it was signed. It’s also possible the form does not show the organization name and/or address that was listed on the online application.

If information is missing, you will receive an email outlining what was missing on the form, as well as a copy of a blank Part 1 form.

Part 2:

Forms require a number of fields to be filled out, some of which sometimes get missed. Most common fields are the signatures of the applicant and/or notary, specific details about the IDs presented for verification, and the email address either missing or not matching that listed on the application. There can be other errors with the form as well.

If information is missing, you will receive an email outlining what was missing on the form, as well as a copy of a blank Part 2 form.

Please send the complete, original form(s) to: 

 IdenTrust Registration
 5225 Wiley Post Way, Ste 450
 Salt Lake City, UT 84116

The IGC certificate policy requires certain forms of ID be provided at the time of in-person identification with the notary. Please be certain that all fields in your application form are completed to avoid delays in the approval process.

View our pdf document Identity Verification for IGC Certificates for detailed instructions.

The TrustID certificate policy requires certain forms of ID be provided at the time of in-person identification with the notary. Please be certain that all fields in your application form are completed to avoid delays in the approval process.

View our pdf document TrustID | Identity Verification Requirements for detailed instructions.

The certificate policy requires certain forms of ID be provided at the time of in-person identification with the notary, Trusted Agent or ADE. Please be certain that all fields in your application form are completed to avoid delays in the approval process.

View our pdf document Identity Verification Requirements DoD ECA Certificate Policy for detailed instructions.

View our pdf document Identity Verification Who Can Sign the Part 2: In-Person Identification Form DoD ECA Certificate Policy for detailed instructions.

The FATCA program does not provide guidance on the FQDN you should use; therefore you may choose any Fully Qualified Domain name.  However, IdenTrust requires that the FQDN is owned or controlled by your organization and that is not an internal name. You can choose a subdomain name from a domain name you own/control. For example, if you own the domain name “mydomain.com”, you could choose “fatca.mydomain.com”.

You must not use an internal name such as: myorganization.internal, myorganization.localhost, or myorganization.example. 

Once you hit ‘submit’, there are a few things that you need to do before IdenTrust can process the application:

.

1.  Please verify your email.

An email from [email protected] will be sent to the email address you listed in your application asking you to verify your email address. This email contains a unique verification code which you will use in addition to your account password to verify the email address. This verification is only done electronically. Please check your inbox, junk and spam folders to locate the email.

2.  Complete your forms packet.

You were directed to print a copy of the forms packet at the end of your online registration. Complete both the Part 1 and Part 2 forms, following the instructions listed on the 2nd page of the packet.

3.  Send the completed form to:

   IdenTrust Registration
   5225 Wiley Post Way, Ste 450
   Salt Lake City, UT 84116

If you no longer have your forms packet available, you can find the appropriate packet in our ECA Document Library.

4.  IdenTrust reviews your application.

Once IdenTrust receives the completed forms packet, it will be reviewed and authenticated for accuracy. IdenTrust will validate your association with the organization listed on your application and will verify the details included on the application, as well as on the forms. 

After these validation steps have been completed, your certificate request will be approved. An activation kit will be sent to you, including the approval letter and any applicable hardware ordered. Unless you requested expediting shipping during the online registration, the kit will be sent via standard mail (for letters), and FedEx Ground (for hardware orders). 

5.  Retrieve your certificate.

After you receive your activation kit, please complete the steps outlined in the approval letter to retrieve your certificate. 

To maintain the integrity of the information provided to IdenTrust, we are unable to make any alterations to the details entered during the online registration process.  If you do find a mistake that must be corrected, please cancel the application and submit a new application for processing. New paperwork (if required for the certificate type) must match the details of the new application you submit.

You may contact our Support team at 1 (888) 248-4447 to request the application be cancelled. 

Once your application has been approved the information cannot be updated in your certificate.  However, certain information provided during your initial application can be updated via our Certificate Management Center.  Some information can be updated immediately, while others will have to wait for the renewal process. Some changes will require you submit a new certificate application.  A few examples of changes include:

My mailing address has changed.

You can update the mailing address on your account at any time through the Certificate Management Center.

1. In the section titled 'Manage Your Account Information', select 'View/Update Account Information'.
2. Make the needed changes and select 'Finish'.

My headquarters address has changed, or my company's name has changed.

Unfortunately, you are unable to make changes regarding your organization name and/or address.  A new application will have to be submitted with the new organization information.

If you use the certificate to gain access to a federal or state agency, you may have to re-register with the new company information prior to being able to use the new certificate. Please contact the appropriate agency for further clarification.

My email address has changed. 

You will have the option to change the email address associated with your certificate during the renewal process. It cannot be changed prior to a renewal.

 

My name has changed.

You will be asked to confirm your name during the renewal process, at which time you can update to your current legal name.  You may be asked to send in proof of the name change if our Registration Department is unable to verify it.

• Marriage Certificate
• Divorce Decree (1st, last and page showing the name change)
• Other court-issued documentation

If you require a certificate with your new name, you will need to purchase a new certificate.
 

You may access your account through the Certificate Management Center by logging in with your certificate. 

A voucher is an alpha numeric sequence that is provided by IdenTrust as an alternative payment method to a credit card. You will provide the voucher number during the online registration as a method of payment.

You can obtain a voucher number from IdenTrust using a purchase order or paying with a credit card.

Purchase ECA | Vouchers

Purchase IGC Standard | Vouchers

Purchase IGC Prescribing | Vouchers

Purchase IGC Agencies | Vouchers

Purchase IGC Notaries | Vouchers

Purchase TrustID Vouchers

The application process for a digital certificate is generally a 4-step process.

1.  Apply for Your Certificate
 

• Use the My Buying Community menu or the Certificates menu to select the category that is most comparable to your situation.  Here you can learn more about the types of certificates that are offered under these programs. 
• Once you are ready to initiate a purchase, you can select any BUY button to launch our Certificate Selection Wizard.  The wizard will assist you in selecting the certificate that is appropriate to your situation. 
• Verify your selections in your "shopping cart" and submit using the BUY NOW button.
• You will be directed to the "checkout" process where you will provide your personal information and provide payment information.

Note: You will also be asked to enter a Password when you apply. Please record this Password and store it in a secure place. You will need this Password to retrieve your digital certificate.

Notary Form: In addition to the online application, some certificate applications require that you complete a notary form and submit it to IdenTrust.  If required, the form will be provided for you to download at the end of the online application process.

2.  Certificate Application Processing

Your application will undergo the approval process which can include authenticating identity information, authenticating paperwork, verifying organization information, and verifying organization affiliation.

3.  Receive Your Approval Notification

Once approved, you will receive notification from IdenTrust.  The method will vary based on the type of certificate you have purchased:

• Notification with with the activation code will be emailed to the verified email listed during registration.
• In cases where you have purchased a hardware device for certificate storage, such as a Smart Card, USB token, then you will also receive a kit containing the purchased hardware and software.

4. Retrieve Your Certificate:

Follow the instructions in the approval notification, which will include:

• Retrieval and installation of your certificate via the secure IdenTrust website.
• Installation of storage hardware and software, if applicable.
• Testing your certificate.

The application process for a digital certificate is generally a 4-step process.

1.  Apply for Your Certificate
 

• Use the My Buying Community menu or the Certificates menu to select the category that is most comparable to your situation.  Here you can learn more about the types of certificates that are offered under these programs. 
• Once you are ready to initiate a purchase, you can select any BUY button to launch our Certificate Selection Wizard.  The wizard will assist you in selecting the certificate that is appropriate to your situation. 
• Verify your selections in your "shopping cart" and submit using the BUY NOW button.
• You will be directed to the "checkout" process where you will provide your personal information and provide payment information.

Note: You will also be asked to enter a Password when you apply. Please record this Password and store it in a secure place. You will need this Password to retrieve your digital certificate.

Notary Form: In addition to the online application, some certificate applications require that you complete a notary form and submit it to IdenTrust.  If required, the form will be provided for you to download at the end of the online application process.

2.  Certificate Application Processing

Your application will undergo the approval process which can include authenticating identity information, authenticating paperwork, verifying organization information, and verifying organization affiliation.

3.  Receive Your Approval Notification

Once approved, you will receive notification from IdenTrust.  The method will vary based on the type of certificate you have purchased:

• Notification with with the activation code will be emailed to the verified email listed during registration.
• In cases where you have purchased a hardware device for certificate storage, such as a Smart Card, USB token, then you will also receive a kit containing the purchased hardware and software.

4. Retrieve Your Certificate:

Follow the instructions in the approval notification, which will include:

• Retrieval and installation of your certificate via the secure IdenTrust website.
• Installation of storage hardware and software, if applicable.
• Testing your certificate.

You may select the appropriate required forms packet in our Document Library.

• ECA | Forms
• IGC | Forms
• TrustID | Forms

Please be sure to select the correct forms packet. If you are unsure, please contact our Support team at [email protected] for assistance.

As required by the governing certificate policy, you may be asked to provide additional documentation needed to process your application. If necessary, this additional document request will be sent via email. Please read the full email to identify what document is being requested and follow the steps outlined to provide requested documentation.
 

When applying for a digital certificate, you will be asked to select your payment method. You will have the following options for payment: 

Credit Card 
 
You will be asked to enter your credit card information during the online application process. 
Make sure that you have the correct billing address for your credit card; this will be entered during the online payment process. 
 

Voucher Number 

• Voucher numbers are issued by IdenTrust to allow the purchase of a single digital certificate with each voucher number. These voucher numbers are used as the form of payment during the online application. 
• You can order a set of voucher numbers to distribute to employees within your organization or to business partners. 
• Voucher numbers are issued to specify the purchase of a particular certificate type, and are valid for one year. 
• Voucher numbers may be purchased with a credit card or a Purchase Order. If using a Purchase Order, the minimum order requirement is $500 and the following applies:

             - IdenTrust must receive your Purchase Order before the issuance of voucher numbers.

             - Purchase Orders must include a completed Voucher Order Form with the order.

             - Requests must be submitted to IdenTrust Registration at [email protected] or fax to 1 (801) 415-7083.

To purchase using a credit card, simply select from the list of products below and you will be directed to our online purchasing system:

  Purchase ECA Vouchers

  Purchase IGC for EPCS Vouchers

  Purchase IGC for Digital Signing and Sealing Vouchers

  Purchase TrustID Vouchers

When applying for a certificate where you are asked to list an Organization, you should identify exactly which Organization you need to enter.
Usually the Organization you list when applying is the Organization you work for, but there are scenarios where you may need to consider something else. If you are a contractor applying for the certificate needed for another company, you may need to list that Organization instead of your own. Be sure to check with your organization if you are unsure what you should list on your application.

Your Organization may have a Trusted Agent. The individual who requested that you obtain an ECA Program certificate should know the contact information for that person. If you do not have the means to obtain this information, contact IdenTrust for further details at 1 (888) 882-1104.

Additionally, IdenTrust has made available Trusted Agent in the following areas:

• San Antonio, TX
• Clermont, FL
• Fremont, CA
• Salt Lake City, UT
• Virginia

IdenTrust Trusted Agents may travel up to one hour to complete Identity Verification (I&A) for ECA | Medium Hardware Assurance | Trusted Agent Identity-Proofing certificate requests. 

If requesting an ECA | Medium Assurance or ECA | Medium Token Assurance, please make arrangement meet with a notary instead. 

You may contact IdenTrust to set up an appointment.  

The identity proofing for the Part 2 - ID Form can be completed in-person by either a notary, your organization's Trusted Agent, or an IdenTrust Registration Analyst.

If you are in the Salt Lake City, UT area, you may schedule an in-person session with our Registration team. Please contact our Support team at (800) 748-5360.

Order Numbers are a good solution for organizations that would like to purchase a large quantity of certificates, but do not want to have to manage multiple voucher numbers. 

When an Order Number is requested and approved, the organization's Order Number administrator will receive the Order Number as well as a custom URL which can then be distributed to those who need to obtain the digital certificate. 

To request an Order Number, please send an email to <a href="mailto:[email protected]">[email protected]</a> and provide the following:

• Which certificate you would like to order
• For hardware-based certificates, if you would like the USB token or a Smart card
• How many certificates are needed
• With which program do you plan to use the certificate

Payment is not collected until the application for the certificate has been approved; however, the credit card is authorized and funds are placed on hold. Certificates that are not affiliated with a business have an additional authorization hold placed:

• As part of the identity verification process the credit card has a $1.00 authorization hold placed on it. This authorization hold will remain on the card for 3-5 business days, dependent on the bank. 
• An additional hold, in the amount of the certificate cost is also placed on the credit card when entered on the payment page of the application. This authorization hold will also remain on the card for 3-5 business days. Once the certificate application is approved the card will be charged and the funds will be collected by IdenTrust.

The certificate policy requires the confirmation of identity be signed with a handwritten signature.

• The organization officer's signature on the Part 1 form must be original and dated.
• The signatures (both yours and the notary's) must also be original.

IdenTrust must receive the original wet-ink signature to confirm the signatures are original and not a stamp or photocopy.
 

We advise making a photocopy of the forms for your records, but the original, wet signature (pen to paper) forms must be submitted for processing.  Please send the signed, original forms to:

 IdenTrust Registration
 5225 Wiley Post Way, Ste 450
 Salt Lake City, UT 84116
 

IdenTrust is required by policy to verify the details listed in your application including the organization name, address, city, state, zip code as well as to independently verify a phone number registered to the organization. We attempt to verify this information using trusted third-party databases that contain corporate information. However, if detail cannot be verified, we will send an email requesting additional documentation.

Why can't you just look up the address or phone number online?

The policy requires that IdenTrust use trusted databases that contain the organization information to be verified. IdenTrust uses multiple data-sources that have been pre-approved and cannot use corporate websites or other websites that have not been approved.

 

What forms of documentation can I provide to confirm my organization's identity or phone number?

Registration documents from a secretary of state or other government registry are accepted.

Government issued documents that attest to the organization's legal existence, certificate of good-standing, or other approved documents attesting to the organization's existence are also accepted.

Please provide the original document or a notarized copy of the original. This is to ensure authenticity of the document and that there is no indication of forgery, fraud, tampering, etc.

Send the original or notarized copy of the original document(s) to:

   IdenTrust Registration
   5225 Wiley Post Way, Ste 450
   Salt Lake City, UT 84116 

Citizenship is used as part of the criteria for authorizing restricted access to online applications that are hosted by  ECA Relying Parties. The ECA Program is governed by a Certificate Policy requiring that all applicants provide proof of their citizenship in order to be issued an ECA certificate.  

Most applications require only an ECA | Medium Assurance or an ECA | Medium Token Assurance certificate. There are only a handful of agencies that require the higher assurance ECA | Medium Hardware Assurance certificate.  Our Certificate Selection Wizard will guide you through the process of selecting the correct assurance level that is required by the agency or agencies with which you will be interacting.   

To confirm what certificate type you need, we suggest you select DoD ECA Programs from the Certificate drop down menu which will allow you to initiate the Certificate Selection Wizard.

• Choose the BUY NOW button. 
• From here, the Certificate Selection Wizard will prompt you to select the agency or agencies that you work with. 
• Then choose NEXT. 
• Step through the wizard and you will be presented with the certificate options that are accepted by the agency or agencies you have selected. 
• Complete the wizard process and purchase your DoD ECA certificate

If your relying party does require a ECA | Medium Hardware Assurance certificate, you will need to meet with a Trusted Agent to obtain the required in-person identity-proofing for the certificate. You can scheduled an in-person identification session with one of our Trusted Agents by contacting our Support team at 1 (888) 882-1104.

A Non-U.S. applicant is anyone residing and/or working outside of the United States. Non-U.S. applicants are eligible to apply for the following certificate types:

• ECA | Certificates - Applications accepted in a limited number of approved countries.
• TrustID | Business Identity Certificates - Applications accepted in all countries except those restricted by the U.S. Federal Government.
• TrustID | Secure Email Certificates - Applications accepted in all countries except those restricted by the U.S. Federal Government.
• TrustID | FATCA Certificates - Applications accepted in all countries except for those restricted by the U.S. Federal Government.
• IGC | Business Identity Certificates - Applications accepted in all countries except those restricted by the U.S. Federal Government.
• IGC | Device Certificates - Applications accepted in a limited number of approved countries.

View our Supported Countries list.

You will be provided with a retrieval kit and instructions for using our online website to retrieve your certificate, found HERE. You will need to provide the Account Password that you chose when you applied for your certificate. 

As a security measure, your activation code is valid for only one use.  If your computer has had hardware or software problems and your certificate has been lost or corrupted, you will need to replace your certificate. If you wish to use your certificate on another computer, you will need to export your existing certificate to that computer.

Visit our How Do I library for information about how to replace or export your certificate.

Installation instructions will vary depending the OS that is used.  Please visit our How Do I library for detailed instructions for installing your server certificate and the associated root chain.

To ensure there is no confusion about this: a key recovery, when initiated by the end-user, is a process where your previous signing certificate is revoked, new keys for it are created, and a new signing certificate is created (with the same information and expiration as before). It also allows for the same/original encryption certificate and keys to be retrieved again.

This process is normally only needed if your current certificate keys are currently unusable for some reason (deleted, forgotten private key password, etc.).

A key recovery can only be performed where IdenTrust stores a copy of (or escrows) the encryption certificate private key. (Please note that we NEVER have a copy of your signing-certificate private key). In some cases, depending on the type of certificate, we cannot recover your encryption keys.

For accounts where we do not escrow the encryption private key, or accounts that do not have encryption capability, a key recovery is not an option; however, you may be able to initiate a certificate replacement instead.  Visit our How Do I library to learn more about certificate replacement.

To Initiate a Key Recovery:

If your organization has set up a "Certificate Coordinator" or "Local Registration Agent" with us, you can contact them to initiate the key recovery. Otherwise, please follow these steps to initiate the key recovery: 

  1. Access the Certificate Management Center. If you are prompted to choose a certificate to log in, click Cancel.

  2. Enter your account number and your account password.

      -  The account number was sent to you in a physical letter after your account was approved.
      -  The account password is the one that you provided online when you applied for your certificate.

  3. In the section showing your Valid Certificates make sure your current encryption certificate is selected.

  4. In the drop-down box under Valid Certificates, select I would like to request recovery of my certificate

  5. Click the Continue button.

  6. Follow the onscreen instructions to complete the key recovery request.

Note: This request needs to be processed and approved by a member of our Registration department. A new notification with new retrieval information will need to be sent before your new certificate can be retrieved.

You will be asked whether you want to change your Account Password during the renewal process. Please be aware that this is not the same as the Certificate Password you use with your digital certificate (although you may have chosen the same code for both Account Password and Certificate Password).  Unless you are confident that you will remember a new Account Password, we suggest that you do not change it. As a reminder, changing the Account Password will not change the Certificate Password you use with your certificate. 

Learn more about the differences between Account and Certificate passwords. 

ECA (DOD), IGC and TrustID certificates cannot be renewed after they expire. If your certificate has expired, you will need to apply for a new certificate. 

Once we receive your renewal request, our Registration team will review and determine if new forms are required. If no additional documents are needed your request will be approved and you will receive an email notification with instructions to retrieve the renewed certificate.

If new forms or other supporting documentation is needed to approve the request you will be notified by email. Your renewal request will be processed once the documentation is provided. to you. 

If you are having trouble logging in to the Certificate Management Center (CMC), make sure that your browser is not blocking pop-ups for this site. If you are unable to login because you have forgotten your Account Password, you have the option to reset your password via the CMC. This option is available by clicking the link I forgot my account password in the CMC login page. Once you have reset your account password you should be able to access the CMC.

If you have received a request to submit new notarized forms it is because your name, your company name, the company headquarters address, or your email address has changed and we need your application forms to match your certificate application.  Please submit the forms as soon as possible as not to delay your certificate renewal. 

In order to renew your certificate before it expires, if you have a software certificate you must be on the computer where your certificate is currently stored.  If your certificate is stored in a Smart Card or USB Token you must have the device attached to the computer that has the Smart Card or USB Token software .  When you login to the Certificate Management Center, a window will appear with your name in it. You must highlight your name and click "OK". If your name is not in the box, it means that your certificate is not on the computer you are using. Other suggestions:

• If your certificate is on another computer, please renew it from that computer. 
• If your certificate is no longer on any computer, you will need to replace your certificate first and then renew it. 

For additional information about managing your certificate, visit our How Do I library.

You can renew a certificate within 30 days from expiration. The IdenTrust system will automatically notify you by email at 90, 60, 30, 14, 7 and 1 day intervals prior to your certificate expiration date. If you have not received renewal notification emails and you are within 30 days of expiration, please access the Certificate Management Center (CMC) and perform the following steps:

1.  Using your certificate, sign into the CMC

2.  Locate the label For this Certificate, Would You Like to:

3.  In the corresponding drop down menu, select Renew Your Certificate and click Continue.

4. Follow the instructions provided to renew your certificate. 

Please note that if you are planning to pay with a purchase order, you should obtain a voucher number for renewal prior to initiating your renewal.  You can purchase vouchers by selecting voucher ECA Vouchers 

You can renew a certificate within 90 days from expiration. The IdenTrust system will automatically notify you by email at 90, 60, 30, 14, 7 and 1 day intervals prior to your certificate expiration date. If you have not received renewal notification emails and you are within 90 days of expiration, please access the Certificate Management Center (CMC) and perform the following steps:

1.  Using your certificate, sign into the CMC

2.  Locate the label For this Certificate, Would You Like to:

3.  In the corresponding drop down menu, select Renew Your Certificate and click Continue.

4. Follow the instructions provided to renew your certificate. 

Please note that if you are planning to pay with a purchase order, you should obtain a voucher number for renewal prior to initiating your renewal.  You can purchase vouchers by selecting from one of the following voucher product links below:

  Purchase IGC Prescribing | Vouchers

  Purchase IGC Agencies | Vouchers

  Purchase TrustID | Vouchers

Depending on the type of certificate you purchased and the validity period you selected, your certificate will expire one, two or three years after it was issued.  You can check the expiration date of your certificate by logging into the Certificate Management Center.  Once you have logged in, locate your certificate listed under the Manage Your Certificates heading. Your certificate, along with the current status and expiration (“valid through”) date is displayed.

You will also receive email notifications at 90, 60, 30, 15, 7 and 1 day(s) prior to your certificate expiration. 

IdenTrust begins processing the application for a certificate as soon as the form of payment (credit card or voucher number) is provided. As soon as your application has been approved, IdenTrust will process the credit card or voucher number charge. Once processed, no refunds will be provided by IdenTrust.  If your application has not been approved, you may cancel it without the credit card or voucher number being billed.

If you open an Adobe® PDF document with a TrustID Business Affiliate Hardware certificate and do not receive an immediate validation, your local AATL may not be up to date.
Adobe® Acrobat and Adobe® Reader will automatically update the AATL list once every 14 days, with the update being triggered by the opening of a signed PDF file.
To manually update the AATL on your PC, please follow these instructions:

• Open any PDF document
• Select the Edit > Preference (Windows) or, Acrobat/Reader > Preferences (Mac) menu item
• Select Trust Manager from the Categories list box on the Preferences dialog
• Click the Update Now button in the Automatic Adobe Approved Trust List (AATL) updates group box 

IdenTrust provides a secure, but very simple web services interface for integration with the IdenTrust Certification Authority (CA) and Registration Authority (RA) services. DirectTrust certificates issued by IdenTrust are part of the service provided by you to your customers. Patient certificates inclusive of required identity proofing are offered at a very low price, overcoming the cost barrier for providing patient level Direct Addresses. IdenTrust partners in the DirectTrust Partnership for Patients Program are expected to pass on these cost savings to patients with minimal markup to achieve program goals.

Electronic Healthcare/Medical Record (eHR/eMR), Patient Healthcare Record (PHR) and Healthcare Information Service Providers (HISPs) can retain control of customer/patient relationships to the extent desired, while making the identity proofing and certificate issuance process easy and painless for providers or patients. IdenTrust does not provide Direct Addresses, so involving an EHNAC accredited DirectTrust HISP for assignment of addresses is crucial.

1. No. You can use one certificate for multiple states. You’ll need to create multiple customized signature template to incorporate the appropriate state seal into the signature block. Instructions can be found here.

Identity-Proofing Level of Assurance (LOA) is defined by the U.S. National Institute of Standards and Technology (NIST) in Special Publication (SP) 800-63-2. Depending on the type of certificate selected, IGC Certificates include LOA3 or LOA4 identity-proofing as follows:

LOA3 identity-proofing is generally automated; however, in some cases, in-person identity-proofing may be used

LOA4 identity-proofing requires an in-person appearance before an authorized agent for identity verification

Lesser assurance credentials based on LOA1 or LOA2 identity proofing are not offered under IGC.

IdenTrust offers multiple types of IGC certificates that are issued to individuals representing himself or herself (unaffiliated) or representing himself or herself as an individual who is affiliated with an organization (affiliated). Some IGC certificates can also be issued to individuals who reside outside of the U.S.

IdenTrust also offers medium assurance device certificates to secure your hardware and communications.

Visit our IGC Product page for product profiles and current pricing.

IGC Basic Assurance Certificates and IGC Medium Software Certificates may be retrieved through your browser, which stores the certificate private key in your local operating system certificate store. When retrieving software certificates, they should always be configured for high security, which means a password will be always be required to access the locally stored private key.

IGC Basic Assurance on Hardware and IGC Medium Hardware Certificates require certificate private key storage in an IdenTrust-provided hardware device (i.e., smart card or USB token) separate from your local operating system/browser. The certificates are retrieved through your browser and appear in your local operating system certificate store; however, the private key is installed onto the hardware device. To use a hardware certificate, the device must be inserted into your system (unless you are using an OTP device) and you must provide the device password before any application may make use of your certificate private key. All IdenTrust provided hardware devices are certified at FIPS 140-2 Level 2 or higher for cryptographic functions.

IGC PIV-I Certificates are stored on a special type of smart card called a PIV card. PIV cards are required to meet NIST specifications created specifically for PIV, and must be on a U.S. Federal Government Approved Product List APL. IdenTrust supplies only APL-approved PIV cards for storage of IGC PIV-I certificates.

Yes! IdenTrust has standardized our product names to include:

• Program
• Assurance level
• Type of identity verification
• Storage
• Misc., product specific identifiers

This matrix shows the 'old' product name, and the 'new' product name. The certificates themselves have not changed and there will be no interruption to your ability to use your certificate. 

ECA Program

Yes! IdenTrust has standardized our product names to include:

• Program
• Assurance level
• Type of identity verification
• Storage
• Misc., product specific identifiers

This matrix shows the 'old' product name, and the 'new' product name. The certificates themselves have not changed and there will be no interruption to your ability to use your certificate. 

IGC Programs

IdenTrust leverages more than two (2) decades of individual identity proofing experience to make the process easy and affordable for patients. The IdenTrust goal is to eliminate the previous barriers of cost and complexity associated with allowing patients to control their own healthcare data and share it only as needed with healthcare professionals.

Very simply, your healthcare or patient portal provider will:

• Provide a method to collect information from you that allows IdenTrust to complete an automated identity proofing process;
• Request that you provide a secret code generated by IdenTrust and provided directly to you, ensuring that the address assigned and associated certificate is bound to you, the identity proofed patient; and
• Securely protect the certificate associated with your assigned address and ensure health information sent to you and shared by you with healthcare professionals is handled securely.

Depending on your healthcare provider and their implementation, you may be provided a certificate to be stored in your home computer browser or mobile phone, a token with a certificate or even a token or authenticator used to authenticate you and allow use of your certificate for health information exchange. No matter the implementation method, it is important that you do not share your password or authenticator with others.

While this process has often cost as much as $75 to $100 to complete, IdenTrust is able to offer ID proofing starting at far less per year, inclusive of NIST 800-63 LOA3 identity proofing and an IdenTrust DirectTrust Patient Certificate.

Your healthcare provider likely already participates in DirectTrust for communication with other providers. Let them know you are interested in receiving your healthcare information electronically and (if desired) that you would like to share healthcare information with other healthcare providers within the DirectTrust community.

Direct Messaging is built on a transport technology similar to email with an embedded and proven security technology called public key infrastructure (PKI). Certificates are used to ensure secure, encrypted communication between designated addresses in the DirectTrust community, analogous to a sealed envelope sent via registered mail with signature required in the paper world. All participants in DirectTrust undergo identity verification, ensuring healthcare information shared is only between the intended physicians, provider organizations and patients. DirectTrust participants do not generally see this underlying technology, which is managed by accredited Healthcare Information Service Providers (HISPs). Rest assured, information exchanged within the DirectTrust community is authenticated, secure and encrypted.

IGC certificates can be issued to the following:

• Unaffiliated individuals: Persons who will use an IGC certificate to transact business on his or her own behalf. These certificates only assert the identity of an individual and have no affiliation with an organization.
   
• Affiliated individuals: Persons who will use an IGC certificate to transact business as an authorized representative of the business with which he or she is affiliated. These certificates assert the identity of an individual and confirm that the individual is associated in some manner with an organization as an employee or contractor.
   

Some use cases, such as Electronic Prescriptions for Controlled Substances (EPCS,) typically require only the identity of the individual to be asserted. Other uses cases, such as when an individual is acting on behalf of their employer, may require the individual’s identity and association with an organization to be asserted as an attribute within the certificate.

Learn More about the status of my certificate application

In most cases, the personal information included in your certificate is your name and your email address. The only time you can change this information is when you renew your certificate.  If any of the person information that is included in your certificate has changed (or will change soon), you can update the information while renewing; however, if you need to update this information and your certificate is not eligible for renewal (within 90 days of expiration), you will need to apply for a new certificate.   Information that is not included in your certificate can be updated at any time via the Certificate Management Center (CMC).

Find more information about managing your certificate in our How Do I library.

The International Data Exchange Service (IDES) is an electronic delivery point where Financial Institutions (FI) and Host Country Tax Authorities (HCTA) can transmit and exchange FATCA data with the United States.

When purchasing a FATCA certificate to interact with the IRS, you do not need to provide the private key to IDES.

You can determine whether your certificate needs to be replaced by trying to export the certificate. The instructions for exporting your certificate may vary based on the browser that you use.  Locate the export instructions for your browser in our How Do I library.  If you are able to export your certificate, then there is no need to replace it.  If you cannot locate your certificate or you cannot successfully export it, then you will need to obtain a replacement certificate.  Instructions for certificate replacement are also available in the How Do I library. 

It is important to remember that your digital certificate is a credential that is similar to a driver's license or passport, and that when information contained in your certificate changes, you may need to obtain a new updated credential (certificate).  The information contained in your certificate is stored and managed in your IdenTrust account along with other non-certificate related information, which means that some information in your account can be updated and some information is not updatable without renewing or purchase a new certificate. 

You can manage your account information via the Certificate Management Center (CMC).  You will use your certificate or your account number and account password to access the CMC. 

1.  After logging into the CMC locate the drop down box next to the prompt For Your Account, Would You Like to:

2.  Select Update Your Account Information.

3.  Click Continue.

4.  Based on the type of certificate there are different options for updates.  Follow the instructions to make allowable updates.

If the information that you need to change is not updateable, you will need to purchase a new certificate.

Please visit our How Do I for detailed instructions to replace your certificate.

You need to contact a Key Recovery Officer (KRO) within your organization to initiate a Key Recovery request. The KRO will assist you in filling out the appropriate form. After the form is submitted to IdenTrust and is approved, you will receive a copy of your recovered key in the mail. If your organization does not have a KRO, you can contact specific individuals within your organization who can submit a request to IdenTrust on behalf of your organization.  Those individuals are mentioned in the Subscribing Organization Authorization Agreement. Contact your supervisor or your HR department to find out who can request key recoveries from IdenTrust.

You can identify a file with a certificate in .pem format when it has the string -----BEGIN CERTIFICATE----- at the top of the sequence; and the string -----END NEW CERTIFICATE REQUEST----- at the end.  For SSL certificates, at the time of initial installation the certificate is already provided in .pem format and you can save it to a file with the .pem extension.  Alternatively, you can access the IdenTrust Certificate Management Center (CMC) using your account number and password where you can view and save the certificate in .pem format.

1.  Log into the CMC.

2.  Locate the prompt labeled For this Certificate, Would You Like to:

3.  Select View Your Certificate PEM and click Continue.

4.  Here you will have access to the information in .pem format and you can save it to a file with the .pem extension. 

For a FATCA Organization certificate, you will be able to export the certificate from your browser in the .pem format. The extension of this file will be .cer. For specific instructions for supported browsers, visit our How Do I library.  

If at any time IdenTrust has been made aware of or has a belief that a certificate/private key has been compromised, we are required by all governing certificate policies to protect the integrity of the certificate by executing a revocation. Once a compromise is identified, IdenTrust must perform a revocation within a specific timeframe as defined by the governing certificate policy. 

Examples where revocation is required include:

• Evidence that the certificate owner is not the individual who completed the certificate application, but is calling in for technical support. This situation is typically identified when the caller is the account owner, but they cannot answer questions about information contained in the application.
• Someone other than the certificate holder is calling in for assistance with installation of the certificate and has access to the password and activation code.
• You are no longer employed by the organization named in your certificate.

Certain pieces of information provided during your initial application may change during the certificate's lifetime. Some of these pieces of information can be updated immediately, others will have to wait for the renewal process and some changes will require you submit a new application.  Examples of common changes include:

My mailing address has changed.

You can update the mailing address on your account at any time by logging into the Certificate Management Center (CMC).

Once you  have access the CMC, locate the prompt labeled Manage Your Account Information and select View/Update Account Information. Make the necessary changes and select Finish.

My headquarters address has changed, or my company's name has changed.

Unfortunately, you are unable to make changes regarding your organization name and/or address. This is because organization information is included in your certificate and can only be used in conjunction with conducting business on behalf of that specific organization.  In order to update an organization, you must obtain a new certificate.  Be aware that if you currently use your certificate to gain access to a federal or state agency, you may also need to re-register with the new company information prior to being able to use the new certificate with the agency system.  We suggest that you contact the appropriate agency for further clarification.

My email address has changed.

You will have the option to change the email address associated with your certificate during the renewal process. It cannot be changed prior to a renewal.  If you must have your current email included in your certificate, you will need to purchase a new certificate.

My name has changed.

You cannot change your name except at when you renew your certificate.  During the renewal process , you will be asked to confirm your name.  At that time you can update to your current legal name, which will be included in your new certificate . If the IdenTrust Registration Department is unable to verify the requested changes, you may be asked to send in proof of the name change by providing additional documentation such as:

• Marriage Certificate
• Divorce Decree (1st, last and page showing the name change)
• Other court-issued documentation

If you must have a certificate that includes your new name prior to certificate renewal, you will need to purchase a new certificate.

Revocation is the action of making your certificate unusable. This is necessary when you believe that your certificate/private key has been compromised. Revocation prevents anyone from using your certificate to create digital signatures or from accessing secure sites.  It is your obligation, based on the Subscriber Agreement you accepted, to request that your certificate be revoked in the case that you believe it has been compromised. Use the following procedure to revoke your certificate: 

Visit our How Do I library for instructions to replace your certificate.

Visit our Document Library to view Subscriber Agreements for each certificate policy type.

While IdenTrust will make every attempt to verify any name discrepancies between IDs due to marriage, divorce or other, there are instances where names cannot be verified.  When this occurs, our Registration Department will reach out to you and request that you provide a notarized copy of the document confirming the name change. Examples of documents accepted include:

• Marriage Certificate or License
• Divorce Decree (1st, last and page showing reinstating of name)
• Court-issued documentation

Please send the notarized copy of the name-changing document to: 

      IdenTrust Registration
      5225 Wiley Post Way, Ste 450
      Salt Lake City, UT 84116 

You create the certificate in a browser on your computer when you retrieved it. It can only be used on that computer (in that browser) unless you export it to another computer (or browser).  If you have retrieved your certificate on one computer and would like to use it on another computer (or browser) as well, you will need to export the certificate and then import it to the other computer or browser.

Visit our How Do I library to learn more about how to import and export your certificate.

Your digital signature can be imported to Office 365 easily, following these instructions:

For Office 365 subscriber, and on build 16.19.18110915 and higher,

If you don't see the Sign / Encrypt Message button, you might not have a digital ID configured to digitally sign messages and you need to do the following to install a digital signature.

• On the File menu, click Options > Trust Center.
• Under Microsoft Outlook Trust Center, click Trust Center Settings > Email Security
• Click Import/Export to import a digital ID from a file on your computer,
• If you have both a signing and an encryption certificate you will import both.

A digital signature on an e-mail message helps the recipient verify that you are the authentic sender and not an impostor. To use digital signatures, both the sender and recipient must have a mail application that supports the S/MIME standard. Outlook supports the S/MIME standard.

If you are an Office 365 subscriber, and on build 16.19.18110402 and higher,

In an email message, choose Options, select both the Sign and Encrypt buttons. Pick the encryption option that has the restrictions you'd like to enforce, such as Do Not Forward or Encrypt-Only.

Note: Office 365 Message Encryption is part of the O365 E3 license. Additionally, the Encrypt-Only feature (the option under the Encrypt button) is only enabled for subscribers (Office ProPlus users) that also use Exchange Online.

You should not use your personal email in the FATCA certificate. You should provide a business email during the application. Ideally, you will provide a generic email that is associated with the organization. 

Example of emails that will not be accepted include: [email protected], [email protected]. 

Example of acceptable emails include: [email protected], [email protected]. 

Visit our FATCA IRS Reporting pages for additional information.

SmartScreen® is a security feature that protects users from malicious software. Microsoft doesn't share how it calculates the reputation of an application, but it does consider how many times the application has been downloaded and whether the certificate was issued by a trusted certificate authority like IdenTrust. Microsoft is constantly updating the SmartScreen filter attributes, so how the reputation of an application is calculated may change over time.

Signing an application with an EV code signing certificate doesn't guarantee that it will have a good reputation with SmartScreen®, but it does give the application's publisher a higher level of trust.

With the increase of Cybersecurity awareness, the DoD requires that “Data in Transit” such as email, needs to be secured if it contains sensitive data.

The three main capabilities for ECA certificates are: 

1. Authentication: ECA Digital Certificates enable you to virtually authenticate yourself online and gain access into a secure DoD system that is PKI enabled and requires a DoD approved Digital Certificate.
2. Digital Signing: ECA certificates can be used to digitally sign documents and emails which verifies the identity of the sender or signer and also ensures that the integrity of the document has not been compromised since the time that it was signed.
3. Encryption: ECA certificates also has the capability of encrypting emails. This ensures that only the intended authorized recipients will be able to open and view the document.

When items 2 and 3 above are used in combination this signing and encrypting process meets the DoD’s requirements for securing DoD “Data in Transit”.

Learn more about DoD cybersecurity compliance.

If your certificate is stored on a Smart Card or Token, install the software you received with your hardware on the new computer, reboot your machine, and insert the Smart Card or Token. Your certificate is now ready for use on the new machine.

If your certificate is stored in your browser, then depending on the browser that you use, the process of importing and exporting your certificate may vary.  Please see our How Do I section to view the instructions that apply to your situation.

If you no longer have access to your digital certificate, please visit our Certificate Management Center, where you can request a replacement for your certificate.  If you need further instructions for replacement, see our How Do I library, where you can find additional information.

The best way to protect your identity, as a certificate holder, is to ensure that only you are using your digital certificate. Allowing others to use your certificate through sharing your password, Smart card or USB token password, or your private key weakens the security of the system and presents a security danger to you. A digital certificate is a credential, just like a driver's license or passport, which you would not allow others to share. Certificate holders found to have shared this confidential information will be notified that their certificates are subject to revocation.

The IdenTrust Customer Support team is available to assist certificate subscribers in applying, retrieving and managing their certificates. Visit our Contact Us page for more details about how to reach us and the hours that our team is available.

Most PDF documents that you will receive will come pre-made with a signing box. If this is the case, follow these directions:

1.  Complete any required fields that are in the PDF document.

2.  When you are ready to digitally sign, simply click on the signing box.

3.  This will open the signing documents window where you can select the certificate you wish to use to sign the PDF document.

     Note:  If you have more than one certificate, you can select the one you wish to use by clicking on the Sign As dropdown box. 

4.  Once you have selected the certificate you will use to sign the PDF document, select Sign.

5.  The Save As dialogue box will appear.

6.  Select the location you would like to save the signed PDF document, then click Save. 

7.  Your digital signature has now been applied.  

Visit our How Do I pages to learn more about digital signing and how to create a signing box in a pdf document.

IdenTrust as a Certificate Authority issues Digital Certificates to digitally sign electronic documents. eNotary individuals can customize the appearance of the Digital Signature with their own Electronic Seal and /or facsimile of a wet signature, while keeping data integrity and non-repudiation of the signed document.
 
Please use our helpful “How do I” pages to learn more:
Customize the appearance of a Digital Signature in Adobe®
Use Digital Certificate to Sign & Seal Documents

IdenTrust does not assist with the creation of the Electronic Seal but there are multiple companies online who provide this type service of service; here are some samples:
https://www.adobe.com/devnet-docs/acrobatetk/tools/DigSigDC/appearances.html
https://www.designfreelogoonline.com/logoshop/free-logo-maker-notary-logo-templates/

If you have an IGC or TrustID certificate that you cannot use, you may need to replace the certificate. Visit our How Do I library for instructions to replace your certificate.

If you cannot access your account with us because you have forgotten your IdenTrust Account passphrase, you can reset your password thru the Certificate Management Center. You do not need to replace the certificate in this case. 

If you have a DOD ECA s-Certificate or t-Certificate, a key recovery will need to be done. These certificates cannot be replaced.   Visit our How Do I library for instructions to request a Key Recovery.

Yes, your certificate is stored along with the private key in your cryptographic module: your browser, your smart card or USB token.

According the ECA Certificate Policy and the Subscriber Agreement you accepted, it is your obligation to protect the private key with reasonable security, including a password. The password should be FIPS 112 compliant.

You can also search for FIPS112 to learn more about this topic.  

You will create your account password when you register for an IdenTrust certificate.  You will also use your account password when you retrieve your approved certificate.  When selecting your account password, be aware that it:

• Must be between 8 – 30 characters in length
• May consist of letters, numbers, and any special characters except ( ) \ / “ *
• Is case-sensitive (UPPER CASE and lower case letters are not the same thing)
• Should be something that you will be able to remember, but that others will find difficult to guess 

Please note that your account password is different than your certificate password (although you may wish to choose a password that is the same for both).  Your certificate password is used only when you use your certificate for signing or to access a secure site. 

If no longer in possession of the USB token or Smart card housing your digital certificate, the certificate is deemed 'compromised' and must be revoked. To Revoke a Certificate/Account where the digital certificate is no longer accessible, a request must be submitted officially via one of two ways:

1. Signed email from an Organization Officer/Representative.
   • An organization’s representative (i.e., personnel office representative) can request revocation directly via a signed e-mail and a call to the Support, or mail to Registration on company letterhead containing a notarized signature.
   • The communication should include the information about the Subscriber’s certificate to be revoked, including Subscriber name, email, and if possible the account number and/or application ID number, both available in email previously sent to the Subscriber. 
   • If the revocation is being requested for reason of key compromise or suspected fraudulent use of the private key, or if the smart card or USB token could not be collected and zeroed out, then the revocation request must indicate key compromise.
2. Company Letterhead
   • Signed and notarized on the company letterhead, please provide the following:
     • Account number of certificate holder to Revoke (if available)
     • Certificate holder name
     • Certificate holder Email Address
     • Reason for Revocation
   • Sign the request and have this request signed/notarized by any licensed Notary Public.
   • Mail completed letter to:
     • ECA Registration IdenTrust Services
     • 5225 Wiley Post Way, Suite 450
     • Salt Lake City, Utah 84116

For reasons of security and non-repudiation, no person or equipment has access to your unencrypted account password, so there is no mechanism for IdenTrust to look up your account password if you forget it. However, you do have the option to reset you account password through our Certificate Management Center.  You will need to have your IdenTrust account number in order to complete these instructions.  Your account number was provided to you when you were approved for your certificate.

1.  Access the Certificate Management Center (CMC).

2.  Click LOGIN to launch the CMC session. 

3.  When presented with the Choose a digital certificate dialog screen, click Cancel. This will allow you proceed by using your account information.

4.  On the Certificate Management Center Login screen, enter your account number, and then choose the I forgot my password link.

5.  You will receive a confirmation screen, indicating that the password assistance instructions have been sent to you email address.

6. Follow the instructions provided in the email to allow you to reset your account password. Please note that if you cannot remember the answers to your secret questions, you will need to apply for a new certificate.

IdenTrust never has access to your CryptoAPI Private Key (certificate) password, so we are unable to help you retrieve it if it is lost or forgotten. If you forget this password, you will not be able to use your current certificate and will need to replace it. This process will take approximately 3-5 business days, and will be done without charge to you.

For more information about replacing a certificate, please see our How Do I library for instructions to replace your certificate.

The Master Password or certificate password is the password that protects your certificate. IdenTrust never has access to your master/certificate password, so we are unable to help you retrieve this password if it is lost or forgotten. If you forget this password, you will not be able to use your current certificate (if it is password protected) and will need to replace your certificate. This process will take approximately 3-5 business days, and will be done without charge to you.

For more information about replacing a certificate, please see our How Do I library.

If you forget the password to access your USB token, you will not be able to use your certificate until you re-initialize the token and do a key recovery. If your organization has a Certificate Coordinator, Trusted Internal Agent, or Local Registration Agent registered with IdenTrust, you can contact that person to initiate a key recovery.  Otherwise, please contact the IdenTrust Support team at 1 (888) 248-4447 for assistance.

Your request will then be processed by our Registration team. Once the request has been approved, you will be sent a letter (via US mail) with new retrieval information. You may then retrieve the new certificate by following the same process you used when initially retrieving it. You can check the status of your key recovery application by visiting our Certificate Management Center.

If you have a Smart card or USB token for an ECA certificate, you will need to initiate an ECA Program Key recovery.

If you have used the IdenTrust Certificate Selection to make your buying decision, it is unlikely that you have purchased the wrong type of certificate; however, if you have concerns about this, please feel free to contact our Customer Support team and they can help to assess the product you have selected. Please have your IdenTrust Account Number readily available when you call. View our Contact Us page to see our Customer Support hours and phone numbers.

A FIPS 112-compliant password requires the following characteristics: 

Composition: Password should contain both upper and lower case characters (e.g., a-z, A-Z) and have digits and punctuation characters as well as letters. Example: 0-9, !@#$%^&*()_+|~-=\‘{}[]:";’<>?,./

Length: The minimum length is 8 characters. Longer passwords will provide stronger security. Passwords are more easily remembered as a passphrase. Example: Don’tUseMyExactExample2

Lifetime: The maximum life is one (1) year and a change is recommended every three (3) months where practical. "Passwords shall be replaced as quickly as possible, but at least within one (1) working day from the time that a compromise of the password is suspected or confirmed"

Source: Users should not select a password that can be found in a dictionary or name list

Ownership: Passwords should not be shared

Distribution: Passwords should not be shared in email

Storage: Passwords should not be stored insecurely

Entry: Passwords should be entered in a way that others cannot observe entry 

Transmission: Passwords should never be transmitted in clear text 

Authentication Period: Users are recommended to lock their screen when leaving their area and to have an inactivity, auto-lock, password-protected screensaver set to protect unauthorized use of their token and system.

This is the certificate password that you create during the retrieval process to protect your certificate, and will be used each time you use or export your certificate.   The CryptoAPI Private Key password is stored in the browser within your computer and IdenTrust never has access to it. It allows you to encrypt and decrypt data and to authenticate transactions using your digital certificate.

We recommend that your certificate password be at least 6 characters in length and it may be as long as 30 characters. It can consist of letters, numbers, and special characters. The certificate password is case-sensitive (UPPER CASE and lower case letters are not the same thing). To protect your certificate, we recommend that you do not check the Remember password box.

There are multiple passwords associated with your account and hardware. Please note IdenTrust does not have access to view, confirm or reset your passwords. 

Account Password

This password is created during the online application.  You do have the ability to update your password if you can correctly answer the three security questions you chose when you applied for your certificate.  Every account has an account password, but your account can be associated with multiple certificates.

USB Token and Smart Card Password

This password is created when you initially setup your token. Before the retrieval of your certificate, you are prompted by the token software to create password that will protect your token. This password can only be changed if you know the current passcode. Both the USB and the OTP tokens have a token passcode. 

You may review the IdenTrust Commercial Root CA 1 and IdenTrust Public Sector Root CA 1 test certificates, including 'Valid', 'Revoked', and Expired' examples here:

• IdenTrust Publicly Trusted Roots Test Certificates Page

Visit our ECA Document Library to locate all the forms you need to do business within the IdenTrust.

Browser compatibility will depend on the type of certificate you are using:

Visit our How Do I pages for specific information about exporting and importing your digital certificate using a particular browser. 

This message showing as warning upon opening digitally signed PDF documents usually means that the policy asserted in at least one of the digital certificates present in the PDF, is not in Adobe’s Approved Trusted List, referred as AATL Enabled certificate.

This message DOES NOT mean that the certificate is invalid, unless it is truly expired, suspended or revoked. The real status of the certificate is confirmed by double-clicking on each digital signature present in the opened PDF document.

A temporary way to resolve this issue is to ‘trust’ the certificate in the device used to open the PDF document. See “Trust Manager” in the ‘Preferences“ section of Adobe Acrobat or Adobe Reader. This temporary solution has to be repeated once on each device where a signed PDF is opened.

A permanent way to avoid that warning message is purchasing an IdenTrust AATL Enabled Digital Certificate

AATL Enabled certificates are issued directly on Smart  Cards or USB tokens compliant with FIPS 140-2 L2+ standard like HID Global USB tokens or HID Global Smart Cards. This requirement facilitates two-factor authentication (2FA) and also provides additional security, as the certificate private key cannot be exported from the hardware device, thereby eliminating the potential of key compromise by bad actors.

If the certificate used to sign the PDF document is AATL enabled and the “invalid signature”  message is present, the AATL list in that device has to be updated: Adobe Reader/Adobe Acrobat: Preferences, Trust Manager, click on [Update Now] in the “Automatic Adobe Approved Trusted List (AATL) section.“

Microsoft® announced that it will no longer support the Internet Explorer version 11 (IE 11) after June 15, 2022. This means that security patches and other updates from Microsoft will cease after that time, and in some versions of Windows, IE 11 may stop working.

For more information visit our Important Announcements page.

IdenTrust recognizes that it is sometimes difficult to determine what certificate is best to meet your needs.  To help you with this process, IdenTrust has created our unique Certificate Selection Wizard which will help guide you through the process of selecting your certificate.  The wizard is based on what you consider to be your Buying Community or what type of user community that you are most associated with.  Examples of Buying Communities include users of DoD ECA Agency applications, EPCS prescribers, professional who need digital signing and sealing or those individuals who need a certificate for personal use. 

1.  Start by selecting a category from the My Buying Community or the Certificate menu.  Once you have selected a category that is most similar to how you will use your certificate, you can choose from various Learn More links to access additional details about certificates in this category and how to use them. 

2.  When you are ready to purchase your certificate, you simply select a BUY NOW button that will launch the wizard related to that specific Buying Community or Certificate type you have chosen.  An added bonus is that IdenTrust has worked with the government agencies and vendors that use our certificates and we have configured our wizard to only offer you the types of certificates that they will accept.  

3.  From there all you need to do is respond to the prompts and the wizard will assist you in finalizing your buying decision.  

With IdenTrust, choosing the best certificate is for you is as easy as 1, 2, 3! 

Digital certificates retrieved into a browser, also known as software storage certificates, are intended to be used mainly from a single computer. As no additional device is required, software storage certificates are relatively inexpensive.

Digital certificates retrieved into a portable hardware device such as USB token or Smart card, not only can be used from multiple computers, but also offer additional security via the built-in second factor authentication feature. Certificates stored in hardware devices can also be configured for Client Authentication for faster secure login sessions.

The decision to opt for a software storage or a hardware storage certificate is mainly predefined by the sponsoring organization (business); at an individual level, the applicant should weigh-in if the additional security and portability benefits are worth the hardware expense. 

Note: Be sure to check with your relying party or program to determine if it requires a specific type of storage:

• Software
• USB token
• Smart card 

IGC Certificates are available in the following types. Click the link to learn more about the product: 

• IGC Standard | Basic Assurance | Individual Identity | Software Storage
• IGC Standard | Basic Assurance | Individual Identity | Hardware Storage
• IGC Standard | Medium Assurance | Business Identity | Software storage
• IGC Standard | Medium Assurance | Business Identity | Hardware Storage | Trusted by Adobe®
• IGC Standard | Medium Assurance | Organization Identity | Device

TrustID | Basic Assurance | Individual Identity | Software Storage Certificate:
Authenticates you in personal online transactions, access to specific restricted Web sites, and allows you to send and receive, sign and encrypt email communications, using this digital certificate.

The following certificate is stored on your PC browser for use on a single computer:

• TrustID | Basic Assurance | Individual Identity | Software Storage

The following certificate is stored on a USB token or smart card, can be used from multiple computers and is AATL Enabled: create digital signatures that are instantly trusted whenever the signed document is opened in Adobe^® Acrobat^® or Reader^® software and can be used to sign unlimited number of PDF documents:

• TrustID | Medium Assurance | Individual Identity | Hardware Storage | Trusted by Adobe®

TrustID | Medium Assurance | Business Identity Certificate:
These are digital certificates for employees of companies that will authenticate the individual as an employee of that company.  When applying for this type of certificate, each certificate is only for one individual, not an entire company.

The following certificates are stored on your PC browser for use on a single computer:

• TrustID | Medium Assurance | Business Identity | Software Storage
• TrustID | Medium Assurance | Business Identity | Software Storage | Non-U.S.

The following certificates are stored on a USB token or smart card, can be used from multiple computers and is AATL Enabled: create digital signatures that are instantly trusted whenever the signed document is opened in Adobe^® Acrobat^® or Reader^® software and can be used to sign unlimited number of PDF documents:

• TrustID | Medium Assurance | Business Identity | Hardware Storage | Trusted by Adobe®
• TrustID | Medium Assurance | Business Identity | Hardware Storage | Trusted by Adobe® | Non-U.S.

TrustID | Secure Email | Email Identity Certificate:
Authenticates that the email address in the certificate is owned and/or controlled by you; no individual or business identity is verified. Once approved, the certificate allows you to sign and encrypt email communications.

The following certificates are stored on your PC browser for use on a single computer:

• TrustID | Secure Email | Email Identity | Software Storage
• TrustID | Secure Email | Email Identity | Software Storage | Non-U.S.

The following certificates are stored on a USB token or smart card and can be used from multiple computers:

• TrustID | Secure Email | Email Identity | Hardware Storage
• TrustID | Secure Email | Email Identity | Hardware Storage | Non-U.S.

TrustID | IdenTrust TLS/SSL | Organization Identity | Organization Validated (OV) Certificate:
Authenticates a Web site or a network server using the Secure Socket Layer (SSL) or Transport Layer Security (TLS) protocols.

Visit our TrustID Products page for additional information.

IdenTrust offers two equivalent certificate types, which the IRS has approved to use for the FATCA program.

IdenTrust recommends using the FATCA Organization | Organization Identity | Software Storage certificates type since it was designed to provide an easier application and approval process. You should evaluate the information required for application and select the option that matches information you already have or can generate easily.

You may also select the FATCA | IdenTrust TLS/SSL | Organization Identity | Organization Validated (OV), which is the same certificate as our standard IdenTrust TLS/SSL | Organization Identity | Organization Validated (OV) certificate.

Our FATCA IRS Reporting Certificate Selection Wizard will assist you in choosing the best certificate to meet your needs.