Support > Most Popular: Replace
There are some circumstances in which your certificate may become unusable.
In some cases, access to your certificate can be restored, but in other cases it will be necessary to replace
the certificate. When a certificate is replaced, the old certificate is revoked.
Select from these frequently asked questions about replacing your certificate:
Internet Explorer users:
- I can’t access my certificate. What should I do?
1. I can’t access my certificate. What should I do?
- Do I need to replace my certificate?
- How do I replace my certificate?
If you have an ACES, or TrustID certificate that you cannot use, you
may need to replace the certificate. Please see “Do I need to replace my certificate?” below.
If you have a DOD ECA s-Certificate
or t-Certificate, a key recovery
will need to be done. These certificates cannot be replaced.
If you cannot access your account with us because you have forgotten your IdenTrust Account passphrase,
you can reset your passphrase at the Certificate Management Center.
You do not need to replace the certificate in this case.
2. Do I need to replace my certificate? (Internet Explorer)
You can determine whether your certificate needs to be replaced by trying to export the certificate.
(If you need more detailed instructions for exporting the certificate, please see the
how-to export section of the FAQs).
Close all open Internet Explorer windows, and open a new one.
Click on Tools, then on Internet Options.
Click on the Content tab, and then on the Certificates button.
Your certificate should be listed under the Personal Tab. If it is not there, either the certificate was
retrieved on a different computer (or browser), or it has been deleted. If you cannot find your
certificate on another computer, you will have to replace the certificate.
If your certificate is there, select it by clicking once, then click Export.
The Certificate Export Wizard will pop up. Click Next.
If the “Yes, export the private key” option is grayed out, your computer has deleted the
private key and you will have to replace the certificate
If your password is accepted, a window will pop up saying that your export was successful; click OK. You do not need to replace your certificate.
If the “Yes, export the private key” option is available, make sure it is checked, and then
Make sure the “Enable strong protection” box is checked. Put a check in the “Include
all certificates in the certification path if possible” box. Click Next.
Type in a password that will be used for exporting and importing this certificate; re-type it in the
second box to confirm it. Click Next.
Click the Browse button. Choose the drive and folder where you would like to
store the exported file, and type in a file name. Click Save. Click
Next. Click Finish.
A window will pop up; enter your password. If the password is not accepted, confirm that you are using the
correct password – this should be the CryptoAPI Private Key password that you created
when you originally retrieved your certificate online (the password you use to access your certificate),
and not your account passphrase. Confirm that caps-lock is not on.
If your password is still not accepted, you will need to replace your certificate.
Back to top
3. How do I replace my certificate? (Internet Explorer)
Once you have determined that your certificate needs to be replaced (see “Do I need to replace my
certificate?” above), replacement is a three-step process: removing the corrupted certificate from your
computer, replacing the certificate, and verifying replacement.
1. Remove the corrupted certificate from your computer
2. Replace your certificate
- Close all open Internet Explorer browser windows.
- Open a new Internet Explorer Browser window.
- Click on Tools. (If you are using Internet Explorer 7.0, you will find
Tools on the top left of your screen. If you are using Internet Explorer
7.0, Tools is hidden on the top right of your screen behind a double arrow.)
Click Internet Options at the bottom of the pull-down menu.
Click the Content tab at the center top of the window.
Click the Certificates button in the middle of the Certificates section.
Find the certificate with your name and certificate type on it under the Personal tab,
and select it by clicking on it once.
Click the Remove button.
When you get the message “You cannot decrypt data encrypted using this certificate.
Do you want to delete the certificate?” click Yes.
Click the Close button at the bottom of the screen.
Click the OK button on Internet Options
Close Internet Explorer completely.
3. Verify certificate replacement
Log into Certificate Management Center by clicking on
the orange Login on the left side of your screen. When you are asked for a
certificate to log in with, click Cancel. Enter your account number (which can be
found on the letter you received when you first retrieved your certificate) and your IdenTrust
In the drop-down box under the listing for your “Valid Certificates” select “I would
like to replace my certificate,” and click Continue.
Follow the onscreen instructions to retrieve the new certificate.
You will be given a new activation
code to use during this retrieval process; be sure to write down this activation code.
At the end of the retrieval, you will
need to verify the installation. This will fail the first time (because you had to click Cancel
in step 2a), but you will receive instructions to retry and successfully verify the retrieval.
Back to top
- To verify certificate replacement, go to
using the computer and browser in which you have your certificate.
A window that says “Congratulations, Certificate Retrieval Completed Successfully” should pop up.
If you do not receive this Congratulations message, call our support line. You should have access to your
computer when you call, so our representative can guide you through alternative certificate replacement steps.
Let the representative know that you have followed all the steps in this FAQ, and whether you
experienced difficulty with any of the steps.
FEDERAL AGENCY PROGRAMS
STATE AGENCY PROGRAMS