Skip to main content

You create the certificate in a browser on your computer when you retrieved it. It can only be used on that computer (in that browser) unless you export it to another computer (or browser).  If you have retrieved your certificate on one computer and would like to use it on another computer (or browser) as well, you will need to export the certificate and then import it to the other computer or browser.


Visit our How Do I library to learn more about how to import and export your certificate.

Your digital signature can be imported to Office 365 easily, following these instructions:

For Office 365 subscriber, and on build 16.19.18110915 and higher,

If you don't see the Sign / Encrypt Message button, you might not have a digital ID configured to digitally sign messages and you need to do the following to install a digital signature.

  • On the File menu, click Options > Trust Center.
  • Under Microsoft Outlook Trust Center, click Trust Center Settings > Email Security
  • Click Import/Export to import a digital ID from a file on your computer,
  • If you have both a signing and an encryption certificate you will import both.

A digital signature on an e-mail message helps the recipient verify that you are the authentic sender and not an impostor. To use digital signatures, both the sender and recipient must have a mail application that supports the S/MIME standard. Outlook supports the S/MIME standard.


If you are an Office 365 subscriber, and on build 16.19.18110402 and higher,

In an email message, choose Options, select both the Sign and Encrypt buttons. Pick the encryption option that has the restrictions you'd like to enforce, such as Do Not Forward or Encrypt-Only.

Note: Office 365 Message Encryption is part of the O365 E3 license. Additionally, the Encrypt-Only feature (the option under the Encrypt button) is only enabled for subscribers (Office ProPlus users) that also use Exchange Online.

You should not use your personal email in the FATCA certificate. You should provide a business email during the application. Ideally, you will provide a generic email that is associated with the organization. 


Example of emails that will not be accepted include: [email protected], [email protected]


Example of acceptable emails include: [email protected], [email protected]


Visit our FATCA IRS Reporting pages for additional information.

SmartScreen® is a security feature that protects users from malicious software. Microsoft doesn't share how it calculates the reputation of an application, but it does consider how many times the application has been downloaded and whether the certificate was issued by a trusted certificate authority like IdenTrust. Microsoft is constantly updating the SmartScreen filter attributes, so how the reputation of an application is calculated may change over time.

Signing an application with an EV code signing certificate doesn't guarantee that it will have a good reputation with SmartScreen®, but it does give the application's publisher a higher level of trust.

With the increase of Cybersecurity awareness, the DoD requires that “Data in Transit” such as email, needs to be secured if it contains sensitive data.

The three main capabilities for ECA certificates are: 

  1. Authentication: ECA Digital Certificates enable you to virtually authenticate yourself online and gain access into a secure DoD system that is PKI enabled and requires a DoD approved Digital Certificate.
  2. Digital Signing: ECA certificates can be used to digitally sign documents and emails which verifies the identity of the sender or signer and also ensures that the integrity of the document has not been compromised since the time that it was signed.
  3. Encryption: ECA certificates also has the capability of encrypting emails. This ensures that only the intended authorized recipients will be able to open and view the document.

When items 2 and 3 above are used in combination this signing and encrypting process meets the DoD’s requirements for securing DoD “Data in Transit”.

Learn more about DoD cybersecurity compliance.


If your certificate is stored on a Smart Card or Token, install the software you received with your hardware on the new computer, reboot your machine, and insert the Smart Card or Token. Your certificate is now ready for use on the new machine.


If your certificate is stored in your browser, then depending on the browser that you use, the process of importing and exporting your certificate may vary.  Please see our How Do I section to view the instructions that apply to your situation.


If you no longer have access to your digital certificate, please visit our Certificate Management Center, where you can request a replacement for your certificate.  If you need further instructions for replacement, see our How Do I library, where you can find additional information.


The best way to protect your identity, as a certificate holder, is to ensure that only you are using your digital certificate. Allowing others to use your certificate through sharing your password, Smart card or USB token password, or your private key weakens the security of the system and presents a security danger to you. A digital certificate is a credential, just like a driver's license or passport, which you would not allow others to share. Certificate holders found to have shared this confidential information will be notified that their certificates are subject to revocation.

The IdenTrust Customer Support team is available to assist certificate subscribers in applying, retrieving and managing their certificates. Visit our Contact Us page for more details about how to reach us and the hours that our team is available.

Most PDF documents that you will receive will come pre-made with a signing box. If this is the case, follow these directions:


1.  Complete any required fields that are in the PDF document.


2.  When you are ready to digitally sign, simply click on the signing box.


3.  This will open the signing documents window where you can select the certificate you wish to use to sign the PDF document.


     Note:  If you have more than one certificate, you can select the one you wish to use by clicking on the Sign As dropdown box. 


4.  Once you have selected the certificate you will use to sign the PDF document, select Sign.


5.  The Save As dialogue box will appear.


6.  Select the location you would like to save the signed PDF document, then click Save. 


7.  Your digital signature has now been applied.  


Visit our How Do I pages to learn more about digital signing and how to create a signing box in a pdf document.


IdenTrust as a Certificate Authority issues Digital Certificates to digitally sign electronic documents. eNotary individuals can customize the appearance of the Digital Signature with their own Electronic Seal and /or facsimile of a wet signature, while keeping data integrity and non-repudiation of the signed document.
Please use our helpful “How do I” pages to learn more:
Customize the appearance of a Digital Signature in Adobe®
Use Digital Certificate to Sign & Seal Documents


IdenTrust does not assist with the creation of the Electronic Seal but there are multiple companies online who provide this type service of service; here are some samples:

If you have an IGC or TrustID certificate that you cannot use, you may need to replace the certificate. Visit our How Do I library for instructions to replace your certificate.


If you cannot access your account with us because you have forgotten your IdenTrust Account passphrase, you can reset your password thru the Certificate Management Center. You do not need to replace the certificate in this case. 


If you have a DOD ECA s-Certificate or t-Certificate, a key recovery will need to be done. These certificates cannot be replaced.   Visit our How Do I library for instructions to request a Key Recovery.

Yes, your certificate is stored along with the private key in your cryptographic module: your browser, your smart card or USB token.

According the ECA Certificate Policy and the Subscriber Agreement you accepted, it is your obligation to protect the private key with reasonable security, including a password. The password should be FIPS 112 compliant.

You can also search for FIPS112 to learn more about this topic.  

You will create your account password when you register for an IdenTrust certificate.  You will also use your account password when you retrieve your approved certificate.  When selecting your account password, be aware that it:


  • Must be between 8 – 30 characters in length
  • May consist of letters, numbers, and any special characters except ( ) \ / “ *
  • Is case-sensitive (UPPER CASE and lower case letters are not the same thing)
  • Should be something that you will be able to remember, but that others will find difficult to guess 


Please note that your account password is different than your certificate password (although you may wish to choose a password that is the same for both).  Your certificate password is used only when you use your certificate for signing or to access a secure site. 


If no longer in possession of the USB token or Smart card housing your digital certificate, the certificate is deemed 'compromised' and must be revoked. To Revoke a Certificate/Account where the digital certificate is no longer accessible, a request must be submitted officially via one of two ways:

  1. Signed email from an Organization Officer/Representative.
    • An organization’s representative (i.e., personnel office representative) can request revocation directly via a signed e-mail and a call to the Support, or mail to Registration on company letterhead containing a notarized signature.
    • The communication should include the information about the Subscriber’s certificate to be revoked, including Subscriber name, email, and if possible the account number and/or application ID number, both available in email previously sent to the Subscriber. 
    • If the revocation is being requested for reason of key compromise or suspected fraudulent use of the private key, or if the smart card or USB token could not be collected and zeroed out, then the revocation request must indicate key compromise.
  2. Company Letterhead
    • Signed and notarized on the company letterhead, please provide the following:
      • Account number of certificate holder to Revoke (if available)
      • Certificate holder name
      • Certificate holder Email Address
      • Reason for Revocation
    • Sign the request and have this request signed/notarized by any licensed Notary Public.
    • Mail completed letter to:
      • ECA Registration IdenTrust Services
      • 5225 Wiley Post Way, Suite 450
      • Salt Lake City, Utah 84116

For reasons of security and non-repudiation, no person or equipment has access to your unencrypted account password, so there is no mechanism for IdenTrust to look up your account password if you forget it. However, you do have the option to reset you account password through our Certificate Management Center.  You will need to have your IdenTrust account number in order to complete these instructions.  Your account number was provided to you when you were approved for your certificate.


1.  Access the Certificate Management Center (CMC).


2.  Click LOGIN to launch the CMC session. 


3.  When presented with the Choose a digital certificate dialog screen, click Cancel. This will allow you proceed by using your account information.


4.  On the Certificate Management Center Login screen, enter your account number, and then choose the I forgot my password link.


5.  You will receive a confirmation screen, indicating that the password assistance instructions have been sent to you email address.


6. Follow the instructions provided in the email to allow you to reset your account password. Please note that if you cannot remember the answers to your secret questions, you will need to apply for a new certificate.

IdenTrust never has access to your CryptoAPI Private Key (certificate) password, so we are unable to help you retrieve it if it is lost or forgotten. If you forget this password, you will not be able to use your current certificate and will need to replace it. This process will take approximately 3-5 business days, and will be done without charge to you.


For more information about replacing a certificate, please see our How Do I library for instructions to replace your certificate.


The Master Password or certificate password is the password that protects your certificate. IdenTrust never has access to your master/certificate password, so we are unable to help you retrieve this password if it is lost or forgotten. If you forget this password, you will not be able to use your current certificate (if it is password protected) and will need to replace your certificate. This process will take approximately 3-5 business days, and will be done without charge to you.

For more information about replacing a certificate, please see our How Do I library.

If you forget the password to access your USB token, you will not be able to use your certificate until you re-initialize the token and do a key recovery. If your organization has a Certificate Coordinator, Trusted Internal Agent, or Local Registration Agent registered with IdenTrust, you can contact that person to initiate a key recovery.  Otherwise, please contact the IdenTrust Support team at 1 (888) 248-4447 for assistance.


Your request will then be processed by our Registration team. Once the request has been approved, you will be sent a letter (via US mail) with new retrieval information. You may then retrieve the new certificate by following the same process you used when initially retrieving it. You can check the status of your key recovery application by visiting our Certificate Management Center.


If you have a Smart card or USB token for an ECA certificate, you will need to initiate an ECA Program Key recovery.

If you have used the IdenTrust Certificate Selection to make your buying decision, it is unlikely that you have purchased the wrong type of certificate; however, if you have concerns about this, please feel free to contact our Customer Support team and they can help to assess the product you have selected. Please have your IdenTrust Account Number readily available when you call. View our Contact Us page to see our Customer Support hours and phone numbers.

A FIPS 112-compliant password requires the following characteristics: 


Composition: Password should contain both upper and lower case characters (e.g., a-z, A-Z) and have digits and punctuation characters as well as letters. Example: 0-9, !@#$%^&*()_+|~-=\‘{}[]:";’<>?,./


Length: The minimum length is 8 characters. Longer passwords will provide stronger security. Passwords are more easily remembered as a passphrase. Example: Don’tUseMyExactExample2


Lifetime: The maximum life is one (1) year and a change is recommended every three (3) months where practical. "Passwords shall be replaced as quickly as possible, but at least within one (1) working day from the time that a compromise of the password is suspected or confirmed"


Source: Users should not select a password that can be found in a dictionary or name list


Ownership: Passwords should not be shared


Distribution: Passwords should not be shared in email


Storage: Passwords should not be stored insecurely


Entry: Passwords should be entered in a way that others cannot observe entry 


Transmission: Passwords should never be transmitted in clear text 


Authentication Period: Users are recommended to lock their screen when leaving their area and to have an inactivity, auto-lock, password-protected screensaver set to protect unauthorized use of their token and system.

This is the certificate password that you create during the retrieval process to protect your certificate, and will be used each time you use or export your certificate.   The CryptoAPI Private Key password is stored in the browser within your computer and IdenTrust never has access to it. It allows you to encrypt and decrypt data and to authenticate transactions using your digital certificate.


We recommend that your certificate password be at least 6 characters in length and it may be as long as 30 characters. It can consist of letters, numbers, and special characters. The certificate password is case-sensitive (UPPER CASE and lower case letters are not the same thing). To protect your certificate, we recommend that you do not check the Remember password box.


There are multiple passwords associated with your account and hardware. Please note IdenTrust does not have access to view, confirm or reset your passwords. 


Account Password

This password is created during the online application.  You do have the ability to update your password if you can correctly answer the three security questions you chose when you applied for your certificate.  Every account has an account password, but your account can be associated with multiple certificates.

USB Token and Smart Card Password

This password is created when you initially setup your token. Before the retrieval of your certificate, you are prompted by the token software to create password that will protect your token. This password can only be changed if you know the current passcode. Both the USB and the OTP tokens have a token passcode. 

You may review the IdenTrust Commercial Root CA 1 and IdenTrust Public Sector Root CA 1 test certificates, including 'Valid', 'Revoked', and Expired' examples here:


Visit our ECA Document Library to locate all the forms you need to do business within the IdenTrust.

Browser compatibility will depend on the type of certificate you are using:

Image removed.

Visit our How Do I pages for specific information about exporting and importing your digital certificate using a particular browser. 

This message showing as warning upon opening digitally signed PDF documents usually means that the policy asserted in at least one of the digital certificates present in the PDF, is not in Adobe’s Approved Trusted List, referred as AATL Enabled certificate.

This message DOES NOT mean that the certificate is invalid, unless it is truly expired, suspended or revoked. The real status of the certificate is confirmed by double-clicking on each digital signature present in the opened PDF document.

A temporary way to resolve this issue is to ‘trust’ the certificate in the device used to open the PDF document. See “Trust Manager” in the ‘Preferences“ section of Adobe Acrobat or Adobe Reader. This temporary solution has to be repeated once on each device where a signed PDF is opened.

A permanent way to avoid that warning message is purchasing an IdenTrust AATL Enabled Digital Certificate

AATL Enabled certificates are issued directly on Smart  Cards or USB tokens compliant with FIPS 140-2 L2+ standard like HID Global USB tokens or HID Global Smart Cards. This requirement facilitates two-factor authentication (2FA) and also provides additional security, as the certificate private key cannot be exported from the hardware device, thereby eliminating the potential of key compromise by bad actors.

If the certificate used to sign the PDF document is AATL enabled and the “invalid signature”  message is present, the AATL list in that device has to be updated: Adobe Reader/Adobe Acrobat: Preferences, Trust Manager, click on [Update Now] in the “Automatic Adobe Approved Trusted List (AATL) section.“

Microsoft® announced that it will no longer support the Internet Explorer version 11 (IE 11) after June 15, 2022. This means that security patches and other updates from Microsoft will cease after that time, and in some versions of Windows, IE 11 may stop working.

For more information visit our Important Announcements page.