
Public Key Infrastructure Certificate Authorities (PKI-CAs) such as IdenTrust must follow a strict process validated via the PKI-CA’s audited Certificate Policy (CP) and Certification Practices Statement (CPS). After initial validation of compliance with Adobe’s AATL technical requirements, the CA is added to Adobe’s AATL. Once in the AATL, any signatures applied with certificates that trace back to the CA’s root will be automatically trusted in Adobe products.

AATL, short for Adobe Approved Trusted List, is a program that allows users to create digital signatures that are trusted instantly whenever the signed document is opened in Adobe® Acrobat® or Reader® software. IdenTrust is a member of AATL via the commercial public trust root.

  1. Open Adobe® Acrobat® or Adobe Reader® and click on Edit | Preferences
  2. Select Signatures and click on 'More' in the Document Timestamping section
  3. Click on 'New' to add a new Timestamping CA Server Authority
  4. For name, type 'IdenTrust Timestamping CA Server Authority'
  5. For Server URL, type ‘http://timestamp.identrust.com’
  6. Do not check the option 'This Server Requires me to Log on'
  7. Click [OK] to save the configuration

After ‘http://timestamp.identrust.com’ is configured, any new signatures on PDF files will be automatically time-stamped by the IdenTrust TSA.

Timestamping binds the TrustID | EV Code Signing | Organization Identity | Hardware Storage digital signature, the signed code, and an accurate date and time. Upon execution, timestamped files are automatically validated for integrity, alerting the user if the file is no longer in the same state as when it was timestamped. Timestamping adds long term integrity and non-repudiation validation for up to 10 years after the TrustID | EV Code Signing | Organization Identity | Hardware Storage certificate has expired or has been revoked.

http://timestamp.identrust.com

To use it, POST an RFC 3161-compliant timestamp request to that URL, or configure it within applications that support RFC 3161 timestamping.
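As an added example (not IdenTrust's code), here is how a client builds and submits that message in Go: it DER-encodes an RFC 3161 TimeStampReq over the SHA-256 digest of the data, with a random nonce and certReq set, and POSTs it with the application/timestamp-query media type that RFC 3161 defines. The sample document is constructed; the TSA URL is the one given above.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"io"
	"math/big"
	"net/http"
)

// oidSHA256 is the NIST OID for SHA-256 (2.16.840.1.101.3.4.2.1).
var oidSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}

// MessageImprint carries only the digest of the data (RFC 3161 section 2.4.1); the TSA never sees the data.
type MessageImprint struct {
	HashAlgorithm pkix.AlgorithmIdentifier
	HashedMessage []byte
}

// TimeStampReq is DER-encoded and POSTed to the TSA. reqPolicy is omitted; the nonce
// ties the reply to this request and certReq asks for the TSA's signing certificate.
type TimeStampReq struct {
	Version        int
	MessageImprint MessageImprint
	Nonce          *big.Int `asn1:"optional"`
	CertReq        bool     `asn1:"optional"`
}

// BuildTimeStampReq hashes data with SHA-256 and returns the DER request and its nonce.
func BuildTimeStampReq(data []byte) ([]byte, *big.Int, error) {
	sum := sha256.Sum256(data)
	nonce, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	nonce.Add(nonce, big.NewInt(1)) // non-zero, so the optional field is always encoded
	req := TimeStampReq{Version: 1, Nonce: nonce, CertReq: true}
	req.MessageImprint = MessageImprint{HashAlgorithm: pkix.AlgorithmIdentifier{Algorithm: oidSHA256}, HashedMessage: sum[:]}
	der, err := asn1.Marshal(req)
	return der, nonce, err
}

// SendTimeStampReq uses the HTTP transport of RFC 3161 section 3.4 and returns the DER TimeStampResp.
func SendTimeStampReq(tsaURL string, der []byte) ([]byte, error) {
	resp, err := http.Post(tsaURL, "application/timestamp-query", bytes.NewReader(der))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("TSA returned HTTP %d", resp.StatusCode)
	}
	return io.ReadAll(resp.Body)
}

func main() {
	der, nonce, err := BuildTimeStampReq([]byte("constructed sample document")) // constructed input
	if err != nil {
		panic(err)
	}
	fmt.Printf("TimeStampReq: %d DER bytes, nonce %v\n", len(der), nonce)
	// The TSA URL is the one the page gives; check the reply's nonce and TSA certificate before trusting it.
	reply, err := SendTimeStampReq("http://timestamp.identrust.com", der)
	fmt.Println("TimeStampResp DER bytes:", len(reply), "error:", err)
}
```

The reply is a DER TimeStampResp; before relying on the token, confirm that its status is granted, that it echoes the nonce, and that the TSA's signing certificate chains to a trusted root.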

The TrustID® Certificate Policy that governs this type of certificate establishes that TrustID | EV Code Signing | Organization Identity | Hardware Storage Certificates must be issued on hardware devices compliant with FIPS 140-2 Level 2 or higher security assurance. IdenTrust offers USB tokens for this purpose. This additional security requirement not only offers two-factor authentication but also prohibits the private key from being exported, thus giving relying parties additional assurance that the private key is controlled by the certificate holder.

IdenTrust also offers an EV Code Signing | Organization Identity | Hardware Storage (HSM) certificate for those who have their own storage device.

Yes - Microsoft® does not have a built-in user interface for a Timestamping Authority, but the IdenTrust TSA can be manually configured. You may view our PDF document How Do I Apply IdenTrust Timestamping Authority (TSA) to Microsoft® Office (MS-Office) Digitally Signed Documents to learn more.

Yes, you may submit forms for your IGC certificate request by email. Follow these steps:

  1. Take the Part 1 – Subscribing Organization Authorization Form to an organization officer to have it filled out and signed by the organization officer.
    • All fields must be filled in. Missing information will lead to the submission being rejected.
  2. Take the Part 2 – ID Form to a notary or Trusted Agent (TA) and present the accepted forms of identity required, either one valid federal ID (must be valid and contain a photo) or two valid state or local government IDs, one of which must contain a photo.
    • All fields must be filled in. Missing information will lead to the submission being rejected.
  3. Sign the Part 2 form in the presence of the notary or TA.
  4. Have the notary or TA sign the Part 2 form.
  5. Scan the completed Part 1 and Part 2 forms and email to [email protected].

To avoid delays or rejection of the submission, confirm the following prior to electronic submission:

  • All fields are filled in.
  • All signatures are either handwritten or digital.
    • Stamp signatures and electronic signatures (e.g. DocuSign) are not accepted.
  • All information is legible.

The standard method of submitting original signature forms is also accepted. Originals may be mailed to:

IdenTrust Registration
5225 W. Wiley Post Way
Suite 450
Salt Lake City, UT 84116

The original Federal Bridge cross-certified version of the IdenTrust Global Common Root CA certificate, used by IdenTrust to participate in the Federal Bridge Program, expired on August 21, 2021. IdenTrust has obtained a re-signed certificate from the Federal PKI and has replaced the expiring certificate with the re-signed certificate.

This change should not impact your operation or certificate validations. If you would like to download the new root chains for both IGC human certificates and IGC device certificates, they are available under IdenTrust Global Common (IGC) at https://www.identrust.com/support/downloads for your distribution as needed.

IdenTrust does undergo an SSAE-18 SOC 2 Type II audit every year. However, since the detailed information in the audit report is company-confidential, we require an NDA to be in place.

An alternative that does not require an NDA:
As a Certificate Authority, IdenTrust undergoes a WebTrust for Certificate Authorities audit, and the attestation letter for this audit is publicly available without the need for an NDA. The WebTrust for CA audit examines not only the same general information security practices as the SOC 2 criteria does, but also certificate life cycle practices including proper handling of applicant information. The link for the WebTrust for CA audit is at the bottom of our home page. You may also be interested in examining our Privacy Policy.

IdenTrust as a Certificate Authority issues Digital Certificates to digitally sign electronic documents. eNotary individuals can customize the appearance of the Digital Signature with their own Electronic Seal and/or facsimile of a wet signature, while keeping data integrity and non-repudiation of the signed document.

Please use our helpful “How do I” pages to learn more:

Customize the appearance of a Digital Signature in Adobe®
Use Digital Certificate to Sign & Seal Documents

IdenTrust does not assist with the creation of the Electronic Seal, but there are multiple companies online who provide this type of service; here are some samples:

https://www.adobe.com/devnet-docs/acrobatetk/tools/DigSigDC/appearances.html
https://www.designfreelogoonline.com/logoshop/free-logo-maker-notary-logo-templates/

IGC certificates are valid for a period of one, two, or three years. They can then be renewed as early as 90 days prior to expiration. Renewal notifications are sent to the account owner's email address at 90, 60, 30, 15, 7 and 1 day intervals.

NOTE: Digital certificates are non-transferable to another person or business. 

Yes, you can purchase a FATCA certificate without having a GIIN. If you do have a GIIN, IdenTrust may use it to facilitate the approval process for your certificate.

Yes - the "IdenTrust DST Root CA X3" root, which is expiring on 9/30/2021, has been replaced with the "IdenTrust Commercial Root CA 1" self-signed root, which has also been trusted by the major browsers and root stores since 1/16/2014. You may download the IdenTrust Commercial Root CA 1 at this link: Root Certificate Download.

If you have appliances that do not dynamically update their root trust chain, they need to be manually updated with the self-signed "IdenTrust Commercial Root CA 1", which can be downloaded at this link: Root Certificate Download.

Digital certificates retrieved into a browser, also known as software storage certificates, are intended to be used mainly from a single computer. As no additional device is required, software storage certificates are relatively inexpensive.

Digital certificates retrieved into a portable hardware device such as USB token or Smart card, not only can be used from multiple computers, but also offer additional security via the built-in second factor authentication feature. Certificates stored in hardware devices can also be configured for Client Authentication for faster secure login sessions.

The decision to opt for a software storage or a hardware storage certificate is mainly predefined by the sponsoring organization (business); at an individual level, the applicant should weigh whether the additional security and portability benefits are worth the hardware expense.

Note: Be sure to check with your relying party or program to determine if it requires a specific type of storage:

  • Software
  • USB token
  • Smart card 

Browser compatibility will depend on the type of certificate and the operating system you are using (X = supported).

Microsoft® Windows® OS

Software Certificates                               Microsoft® Edge   Google® Chrome   Mozilla® Firefox   Android® OS
Certificates can be retrieved using these browsers        X                 X                 X
Certificates can be imported to these browsers            X                 X                 X                X

Hardware Certificates                               Microsoft® Edge   Google® Chrome   Mozilla® Firefox   Android® OS
Certificates can be retrieved using these browsers        X                 X                 X
Certificates can be imported using these browsers         X                 X                 X

Apple® Mac® OS

Software Certificates                               Google® Chrome            Mozilla® Firefox   Apple® Safari             iOS (iPhone/iPad)
Certificates can be retrieved using these browsers        X                         X                  X
Certificates can be imported using these browsers   Accessible via Keychain         X          Accessible via Keychain            X

Hardware Certificates                               Google® Chrome            Mozilla® Firefox   Apple® Safari             iOS (iPhone/iPad)
Certificates can be retrieved using these browsers        X                         X                  X
Certificates can be imported using these browsers   Accessible via Keychain         X          Accessible via Keychain

TLS/SSL Certificates Are Interoperable With:
  • Apple® Safari (for OSX and iOS)
  • Blackberry®
  • Google® Chrome (for Windows®, Apple®, OSX®, and Android®)
  • IBM®
  • Microsoft® Edge
  • Mozilla® Firefox (in Windows®, Apple®, OSX®, and Linux® Environments)
  • Oracle® Java

A digital certificate is a form of ID, just like a Driver’s License or Passport. We need to verify your identity before we can approve your application and issue your certificate.

Here is a list of what you will need to provide:

  • An official Photo ID: Driver’s license or State ID Card
  • A Credit Card: In your name for address verification (not necessarily for payment)
  • Personal Information: Your FULL name (no nicknames or abbreviations), home address, and Social Security Number
  • Payment Information: Credit Card number or Payment Voucher number

If you are requesting a certificate that asserts affiliation with an organization, you will also need to submit forms that demonstrate that your organization is authorizing you to obtain a certificate that includes the organization name.

Your digital certificate will display several pieces of information:

  • Unique identifier (distinguished name) of the certificate issuer
  • Period of time for which the certificate is valid (validity period)
  • Unique identifier (distinguished name) of the certified subject
  • Public key of the certified subject
  • The issuer's signature, made with the private key of the issuing CA

Different certificate types may also normally contain items such as:

  • Email address
  • Company name

Please note that the certificate will NEVER contain or display the personal information collected during the application process; that information is only used to validate your identity.

You can also view your certificate in your browser, for example in Microsoft® Edge.
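As an added example (not IdenTrust's code), this Go program builds a throwaway self-signed root and a subscriber certificate under it, prints the fields listed above, and shows the relying-party side of the root replacement described earlier: against a trust store that lacks the root, chain validation fails, and it succeeds once the self-signed root is added. All names and the e-mail address are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs template under parent with the signer's key and returns the parsed certificate.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain makes a throwaway self-signed root (standing in for one like "IdenTrust Commercial Root CA 1") and a subscriber certificate under it.
func BuildChain() (root, leaf *x509.Certificate, err error) {
	rootKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, nil, fmt.Errorf("key generation failed: %v %v", err1, err2)
	}
	now := time.Now()
	rootTpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	if root, err = issue(rootTpl, rootTpl, &rootKey.PublicKey, rootKey); err != nil {
		return nil, nil, err
	}
	leafTpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), EmailAddresses: []string{"jane@example.com"}, // e-mail lives in the SAN
		Subject:      pkix.Name{CommonName: "Jane Example", Organization: []string{"Example Org"}},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	leaf, err = issue(leafTpl, root, &leafKey.PublicKey, rootKey)
	return root, leaf, err
}

// VerifyWithRoots chains leaf to the given trust store only (no system roots), as a static appliance store does.
func VerifyWithRoots(leaf *x509.Certificate, trusted ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, c := range trusted {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}})
	return err
}

func main() {
	root, leaf, err := BuildChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("Issuer:", leaf.Issuer, "| signed with", leaf.SignatureAlgorithm)
	fmt.Println("Subject:", leaf.Subject, leaf.EmailAddresses, "| key", leaf.PublicKeyAlgorithm)
	fmt.Println("Valid:", leaf.NotBefore.Format(time.RFC3339), "to", leaf.NotAfter.Format(time.RFC3339))
	fmt.Println("Root absent from store:", VerifyWithRoots(leaf))
	fmt.Println("Root added to store:   ", VerifyWithRoots(leaf, root))
}
```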

IdenTrust Global Common (IGC) Certificates are cross-certified with the U.S. Federal Bridge Certification Authority, enabling trust by U.S. Federal, State and local governments, along with commercial entities or applications wishing to rely only on Certificates proven to be issued in a standards-compliant manner.

IGC Certificates available:

  • Basic Assurance | Individual Identity | Software Storage
  • Basic Assurance | Individual Identity | Hardware Storage
  • Medium Assurance | Business Identity | Software Storage
  • Medium Assurance | Business Identity | Hardware Storage | Trusted By Adobe®
  • Medium Assurance | Individual Identity | Hardware Storage | Trusted By Adobe®
  • Medium Assurance | Organization Identity | Device

Use cases for IGC Certificates include authentication to networks and applications, digital signing of email, transactions and documents, and encryption of email. Our Certificate Selection Wizard will help you to determine the best certificate to suit your business or personal needs.  Learn more about IGC Federal Bridge Certified certificates.

Account Password

The Account Password is created by you when the application is filled out online. This password is required to download your certificate and to access your account via the Certificate Management Center (CMC).

Within the CMC you can:

  • Revoke your certificate
  • Replace your certificate
  • Renew your certificate
  • Update your account information
  • Update Account Password & security questions

The rules for creating your Account Password are:

  • Account Password must be between 8-30 characters in length
  • It can consist of letters, numbers and some special characters
  • Cannot contain ( ) \ / " *
  • The Account Password is case sensitive (UPPER & lower case)

Certificate Password

The Certificate Password is created to protect the use of the certificate. Depending on the assurance level of your certificate, when your certificate is downloaded to your machine you may be prompted to create the private key password. This is referred to as the Certificate Password.

The Certificate Password is used each time the certificate is accessed:

  • Signing emails
  • Signing documents (Adobe, Word, Excel, etc.)
  • Accessing a secure website

When creating your Certificate Password we recommend you use the following guidelines:

  • Between 8-30 characters
  • At least 1 lower case letter
  • At least 1 upper case letter
  • At least 1 special character
  • Create a Certificate Password that is not easily guessed, but something that you will not forget

Adobe Approved Trusted List or AATL, is a program that enables people to sign documents in Adobe Document Cloud solutions and have that signature trusted globally. When a document is signed with an AATL-approved certificate, the recipient of the signed document will be able to trust the certificate* automatically and avoid the time-consuming process of manually downloading the certificate root chain locally required to authenticate the signature.

In short, AATL certificates allow anyone to validate a digital signature, on any device, at any time!

IdenTrust CA is a current AATL Member and authorized to issue AATL-enabled certificates.

AATL certificates must be issued on password-protected devices that are FIPS 140-2 Level 2 or higher compliant, such as HID Global USB tokens and HID Global Smart cards. This requirement facilitates two-factor authentication (2FA) and also provides additional security, as the certificate private key cannot be exported from the hardware device, thereby eliminating the potential of key compromise by bad actors. Due to this requirement, only hardware certificates, which are stored on a token or smart card, are included on the AATL.

Software Certificates, which are stored directly on the computer itself, do not meet the requirements for inclusion on the AATL.

*AATL signatures are only auto-trusted when using other Adobe products. Should the recipient use another product, they will need to follow the manual process to trust the signature.

Storage devices such as the USB token and Smart card have limited space available to store certificates. Different certificate types have different file sizes, meaning a storage device will likely only be able to hold 3–4 certificate pairs, depending on the device being used.

We recommend purchasing a new HID USB token or HID Smart card after three renewals, or after three certificates have been stored on the device to ensure the device doesn't run out of storage space when retrieving another certificate. If you do run out of storage space, you will need to purchase a new device or remove old certificates that are no longer needed.*

You will be able to purchase new hardware when renewing your certificate, or you may purchase one by contacting our Support Team at +1 (888) 339-8904.

*Removing old certificates may impact your ability to decrypt email messages encrypted with that certificate. Whenever possible, we suggest removing old signing certificates only.

IGC certificates may be purchased directly from the IdenTrust website where both credit card and voucher payment is accepted.  In some cases a participating agency may cover the costs for people under that agency or for those who are required to obtain an IGC certificate necessary to interact with that agency.  If you would like to find out if your certificate costs are covered by a participating agency, please contact that agency directly, as IdenTrust does not directly participate in these certificate cost concessions.

Your private key (which is sometimes password protected in your web browser) is literally the key that opens your digital certificate.  It allows you to digitally sign documents and decrypt information that was only meant for you.  You should safeguard your private key just as you would any other form of identification. Just as you would not allow someone else to sign your name to something, or to use your social security number, you would not allow others to use your digital certificate.

There are many uses for IGC certificates. Because IGC certificates are certified under the Federal Bridge policy, they are accepted and/or used by:

  • Government agencies
  • Healthcare organizations
  • Professionals for digital signing and sealing
  • Individuals for digital signing and email protection

Visit our Federal Bridge Certified page to learn more about IGC certificates or to purchase an IGC certificate.

A digital certificate provides an electronic means of proving your identity in order to securely conduct business online. You can use certificates to:

  1. Encrypt information so that only the intended recipient can read it;
  2. Identify yourself in electronic transactions;
  3. Digitally sign information to provide assurance to the recipient that it has not been changed in transit; and
  4. Verify that you actually sent the transmission.

Our Certificate Selection Wizard will assist you in choosing the best certificate to meet your needs.

There are three general types of digital certificates, Individual Identity, Business Identity, and TLS/SSL Certificates:

  • Individual Identity certificates authenticate an individual and are used to digitally sign and encrypt electronic documents.
  • Business Identity certificates authenticate the individual as an employee of a business and are also used to digitally sign and encrypt electronic documents.
  • TLS/SSL, or Server, certificates are issued for Web servers and are used to authenticate servers to Web browsers. This is used to protect information such as credit card numbers and account information on the Web.

The type of certificate may also dictate whether the certificate is stored in software or on a hardware device, such as a Smart card or USB token.

See our document on using the IdenTrust Certificate Selection Wizard for more information about choosing your certificate.

Certificates are stored on cryptographic hardware devices for additional security and as an option to use them from multiple computers. 

For the AATL-enabled certificates TrustID Medium Assurance | Business Identity | Hardware Storage | Trusted By Adobe® and TrustID Medium Assurance | Individual Identity | Hardware Storage | Trusted By Adobe®, Adobe®'s technical requirements specify that the issuing Certification Authority must generate them in cryptographic devices with at least FIPS 140-2 Level 2 security. This security feature disables export and duplication of the private keys. For this purpose, IdenTrust supports only HID smart cards and HID USB tokens compliant with the AATL requirement.

IGC certificates are cross-certified under the Federal Bridge, which means that they are accepted for use in government applications such as the Electronic Prescriptions for Controlled Substances (EPCS) program. IGC certificates can also be used by professionals who submit signed and sealed documents to state and local agencies, such as Departments of Transportation (DOTs), and by individuals who perform eNotary services.

IGC certificates offer multiple benefits:

  • Using an IGC certificate allows individuals online access to information and services, such as state and local agencies for digital signing and sealing.
  • Deployment of IGC certificates can also reduce cycle time and increase the efficiency of transactions between online entities. This is accomplished through converting paper-based transactions and processes to electronic ones.
  • IGC certificates enable organizations to authenticate individuals initiating electronic transactions and gain assurance of an individual’s identity prior to granting access to confidential information.
  • IGC certificates can be used to create non-repudiation via digital signatures.

Learn more about IGC Federal Bridge Certified certificates and use our Certificate Selection Wizard to assist you in selecting the IGC certificate for your specific application.

IdenTrust holds applicants' personal information in the strictest confidence. In compliance with the Gramm-Leach-Bliley Act of 1999 (GLBA), we do not share personal information with outside third parties.

IdenTrust hardware-based Digital Certificates (both ECA and IGC) used to encrypt e-mail satisfy the DoD CMMC requirements.

DoD CMMC requires the use of FIPS-validated cryptography to protect sensitive information in an e-mail. IdenTrust Digital Certificates used to encrypt e-mail are generated and stored in FIPS-validated cryptographic modules.

Browser-based certificates do not meet this requirement.

Yes. All IGC certificates meet the Category II NFI PKI requirements because the IGC Root CA is cross-certified with the Federal Bridge – which is part of the definition of Category II NFI PKI.

“Category II: Non-Federal Agency PKIs cross certified with the Federal Bridge Certification Authority (FBCA) or PKIs from other PKI Bridges that are cross certified with the FBCA”

We are also listed at https://public.cyber.mil/pki-pke/interoperability/. The table in the last section of that page lists us as Category II with PIV-I as the highest assurance level, which means that the lower assurance levels (Basic, Medium and Medium Hardware) are implied to be included as well.

A digital certificate is a form of ID, just like a Driver’s License or Passport. We need to verify your identity before we can approve your application and issue your certificate.

Here is a list of what you will need to provide:
• Two forms of approved, valid (unexpired) ID, one of which must be a photo ID. Examples include a Passport, Certificate of Naturalization, Driver's License or State ID, CAC Card, and U.S.-issued Birth Certificate. View our PDF document Identity Verification Requirements DoD ECA Certificate Policy for details.
• The Headquarters' address for your organization.
• The name of the agency or agencies you will use your certificate to interact with.
• Voucher Number: The voucher code you have been provided.