You will be provided with a retrieval kit and instructions for using our online website to retrieve your certificate, found HERE. You will need to provide the Account Password that you chose when you applied for your certificate.
As a security measure, your activation code is valid for only one use. If your computer has had hardware or software problems and your certificate has been lost or corrupted, you will need to replace your certificate. If you wish to use your certificate on another computer, you will need to export your existing certificate to that computer.
Visit our How Do I library for information about how to replace or export your certificate.
To ensure there is no confusion about this: a key recovery, when initiated by the end-user, is a process where your previous signing certificate is revoked, new keys for it are created, and a new signing certificate is created (with the same information and expiration as before). It also allows for the same/original encryption certificate and keys to be retrieved again.
This process is normally only needed if your current certificate keys are currently unusable for some reason (deleted, forgotten private key password, etc.).
A key recovery can only be performed where IdenTrust stores a copy of (or escrows) the encryption certificate private key. (Please note that we NEVER have a copy of your signing-certificate private key). In some cases, depending on the type of certificate, we cannot recover your encryption keys.
For accounts where we do not escrow the encryption private key, or accounts that do not have encryption capability, a key recovery is not an option; however, you may be able to initiate a certificate replacement instead. Visit our How Do I library to learn more about certificate replacement.
To Initiate a Key Recovery:
If your organization has set up a "Certificate Coordinator" or "Local Registration Agent" with us, you can contact them to initiate the key recovery. Otherwise, please follow these steps to initiate the key recovery:
1. Access the Certificate Management Center. If you are prompted to choose a certificate to log in, click Cancel.
2. Enter your account number and your account password.
- The account number was sent to you in a physical letter after your account was approved.
- The account password is the one that you provided online when you applied for your certificate.
3. In the section showing your Valid Certificates make sure your current encryption certificate is selected.
4. In the drop-down box under Valid Certificates, select I would like to request recovery of my certificate
5. Click the Continue button.
6. Follow the onscreen instructions to complete the key recovery request.
Note: This request needs to be processed and approved by a member of our Registration department. A new notification with new retrieval information will need to be sent before your new certificate can be retrieved.
You will be asked whether you want to change your Account Password during the renewal process. Please be aware that this is not the same as the Certificate Password you use with your digital certificate (although you may have chosen the same code for both Account Password and Certificate Password). Unless you are confident that you will remember a new Account Password, we suggest that you do not change it. As a reminder, changing the Account Password will not change the Certificate Password you use with your certificate.
Learn more about the differences between Account and Certificate passwords.
If you are having trouble logging in to the Certificate Management Center (CMC), make sure that your browser is not blocking pop-ups for this site. If you are unable to login because you have forgotten your Account Password, you have the option to reset your password via the CMC. This option is available by clicking the link I forgot my account password in the CMC login page. Once you have reset your account password you should be able to access the CMC.
In order to renew your certificate before it expires, if you have a software certificate you must be on the computer where your certificate is currently stored. If your certificate is stored in a Smart Card or USB Token you must have the device attached to the computer that has the Smart Card or USB Token software . When you login to the Certificate Management Center, a window will appear with your name in it. You must highlight your name and click "OK". If your name is not in the box, it means that your certificate is not on the computer you are using. Other suggestions:
You may also find screenshot instructions here.
For additional information about managing your certificate, visit our How Do I library.
IdenTrust begins processing the application for a certificate as soon as the form of payment (credit card or voucher number) is provided. As soon as your application has been approved, IdenTrust will process the credit card or voucher number charge. Once processed, no refunds will be provided by IdenTrust. If your application has not been approved, you may cancel it without the credit card or voucher number being billed.
You create the certificate in a browser on your computer when you retrieved it. It can only be used on that computer (in that browser) unless you export it to another computer (or browser). If you have retrieved your certificate on one computer and would like to use it on another computer (or browser) as well, you will need to export the certificate and then import it to the other computer or browser.
Visit our How Do I library to learn more about how to import and export your certificate.
Your digital signature can be imported to Office 365 easily, following these instructions:
For Office 365 subscriber, and on build 16.19.18110915 and higher,
If you don't see the Sign / Encrypt Message button, you might not have a digital ID configured to digitally sign messages and you need to do the following to install a digital signature.
A digital signature on an e-mail message helps the recipient verify that you are the authentic sender and not an impostor. To use digital signatures, both the sender and recipient must have a mail application that supports the S/MIME standard. Outlook supports the S/MIME standard.
If you are an Office 365 subscriber, and on build 16.19.18110402 and higher,
In an email message, choose Options, select both the Sign and Encrypt buttons. Pick the encryption option that has the restrictions you'd like to enforce, such as Do Not Forward or Encrypt-Only.
Note: Office 365 Message Encryption is part of the O365 E3 license. Additionally, the Encrypt-Only feature (the option under the Encrypt button) is only enabled for subscribers (Office ProPlus users) that also use Exchange Online.
If your certificate is stored on a Smart Card or Token, install the software you received with your hardware on the new computer, reboot your machine, and insert the Smart Card or Token. Your certificate is now ready for use on the new machine.
If your certificate is stored in your browser, then depending on the browser that you use, the process of importing and exporting your certificate may vary. Please see our How Do I section to view the instructions that apply to your situation.
If you no longer have access to your digital certificate, please visit our Certificate Management Center, where you can request a replacement for your certificate. If you need further instructions for replacement, see our How Do I library, where you can find additional information.
If you have an IGC or TrustID certificate that you cannot use, you may need to replace the certificate. Visit our How Do I library for instructions to replace your certificate.
If you cannot access your account with us because you have forgotten your IdenTrust Account passphrase, you can reset your password thru the Certificate Management Center. You do not need to replace the certificate in this case.
If you have a DOD ECA s-Certificate or t-Certificate, a key recovery will need to be done. These certificates cannot be replaced. Visit our How Do I library for instructions to request a Key Recovery.
For reasons of security and non-repudiation, no person or equipment has access to your unencrypted account password, so there is no mechanism for IdenTrust to look up your account password if you forget it. However, you do have the option to reset you account password through our Certificate Management Center. You will need to have your IdenTrust account number in order to complete these instructions. Your account number was provided to you when you were approved for your certificate.
1. Access the Certificate Management Center (CMC).
2. Click LOGIN to launch the CMC session.
3. When presented with the Choose a digital certificate dialog screen, click Cancel. This will allow you proceed by using your account information.
4. On the Certificate Management Center Login screen, enter your account number, and then choose the I forgot my password link.
5. You will receive a confirmation screen, indicating that the password assistance instructions have been sent to you email address.
6. Follow the instructions provided in the email to allow you to reset your account password. Please note that if you cannot remember the answers to your secret questions, you will need to apply for a new certificate.
IdenTrust never has access to your CryptoAPI Private Key (certificate) password, so we are unable to help you retrieve it if it is lost or forgotten. If you forget this password, you will not be able to use your current certificate and will need to replace it. This process will take approximately 3-5 business days, and will be done without charge to you.
For more information about replacing a certificate, please see our How Do I library for instructions to replace your certificate.
The Master Password or certificate password is the password that protects your certificate. IdenTrust never has access to your master/certificate password, so we are unable to help you retrieve this password if it is lost or forgotten. If you forget this password, you will not be able to use your current certificate (if it is password protected) and will need to replace your certificate. This process will take approximately 3-5 business days, and will be done without charge to you.
For more information about replacing a certificate, please see our How Do I library.
This is the certificate password that you create during the retrieval process to protect your certificate, and will be used each time you use or export your certificate. The CryptoAPI Private Key password is stored in the browser within your computer and IdenTrust never has access to it. It allows you to encrypt and decrypt data and to authenticate transactions using your digital certificate.
We recommend that your certificate password be at least 6 characters in length and it may be as long as 30 characters. It can consist of letters, numbers, and special characters. The certificate password is case-sensitive (UPPER CASE and lower case letters are not the same thing). To protect your certificate, we recommend that you do not check the Remember password box.
There are multiple passwords associated with your account and hardware. Please note IdenTrust does not have access to view, confirm or reset your passwords.
Account Password
This password is created during the online application. You do have the ability to update your password if you can correctly answer the three security questions you chose when you applied for your certificate. Every account has an account password, but your account can be associated with multiple certificates.
USB Token and Smart Card Password
This password is created when you initially setup your token. Before the retrieval of your certificate, you are prompted by the token software to create password that will protect your token. This password can only be changed if you know the current passcode. Both the USB and the OTP tokens have a token passcode.
This message showing as warning upon opening digitally signed PDF documents usually means that the policy asserted in at least one of the digital certificates present in the PDF, is not in Adobe’s Approved Trusted List, referred as AATL Enabled certificate.
This message DOES NOT mean that the certificate is invalid, unless it is truly expired, suspended or revoked. The real status of the certificate is confirmed by double-clicking on each digital signature present in the opened PDF document.
A temporary way to resolve this issue is to ‘trust’ the certificate in the device used to open the PDF document. See “Trust Manager” in the ‘Preferences“ section of Adobe Acrobat or Adobe Reader. This temporary solution has to be repeated once on each device where a signed PDF is opened.
A permanent way to avoid that warning message is purchasing an IdenTrust AATL Enabled Digital Certificate
AATL Enabled certificates are issued directly on Smart Cards or USB tokens compliant with FIPS 140-2 L2+ standard like HID Global USB tokens or HID Global Smart Cards. This requirement facilitates two-factor authentication (2FA) and also provides additional security, as the certificate private key cannot be exported from the hardware device, thereby eliminating the potential of key compromise by bad actors.
If the certificate used to sign the PDF document is AATL enabled and the “invalid signature” message is present, the AATL list in that device has to be updated: Adobe Reader/Adobe Acrobat: Preferences, Trust Manager, click on [Update Now] in the “Automatic Adobe Approved Trusted List (AATL) section.“
Yes. After you have submitted a purchase order, IdenTrust will provide Voucher Numbers that you can distribute to applicant(s). These vouchers are used during the application process as the method of payment.
The purchase order process requires that you also submit a completed voucher form.
Purchase order requests under $500 cannot be accepted.
Please fax purchase orders for digital certificates and/or hardware to 1 (801) 415-7083.
Once your application has been approved the information cannot be updated in your certificate. However, certain information provided during your initial application can be updated via our Certificate Management Center. Some information can be updated immediately, while others will have to wait for the renewal process. Some changes will require you submit a new certificate application. A few examples of changes include:
My mailing address has changed.
You can update the mailing address on your account at any time through the Certificate Management Center.
My headquarters address has changed, or my company's name has changed.
Unfortunately, you are unable to make changes regarding your organization name and/or address. A new application will have to be submitted with the new organization information.
If you use the certificate to gain access to a federal or state agency, you may have to re-register with the new company information prior to being able to use the new certificate. Please contact the appropriate agency for further clarification.
My email address has changed.
You will have the option to change the email address associated with your certificate during the renewal process. It cannot be changed prior to a renewal.
My name has changed.
You will be asked to confirm your name during the renewal process, at which time you can update to your current legal name. You may be asked to send in proof of the name change if our Registration Department is unable to verify it.
If you require a certificate with your new name, you will need to purchase a new certificate.
You may access your account through the Certificate Management Center by logging in with your certificate.
The application process for a digital certificate is generally a 4-step process.
1. Apply for Your Certificate
Note: You will also be asked to enter a Password when you apply. Please record this Password and store it in a secure place. You will need this Password to retrieve your digital certificate.
Notary Form: In addition to the online application, some certificate applications require that you complete a notary form and submit it to IdenTrust. If required, the form will be provided for you to download at the end of the online application process.
2. Certificate Application Processing
Your application will undergo the approval process which can include authenticating identity information, authenticating paperwork, verifying organization information, and verifying organization affiliation.
3. Receive Your Approval Notification
Once approved, you will receive notification from IdenTrust. The method will vary based on the type of certificate you have purchased:
4. Retrieve Your Certificate:
Follow the instructions in the approval notification, which will include:
When applying for a digital certificate, you will be asked to select your payment method. You will have the following options for payment:
Credit Card
You will be asked to enter your credit card information during the online application process.
Make sure that you have the correct billing address for your credit card; this will be entered during the online payment process.
Voucher Number
- IdenTrust must receive your Purchase Order before the issuance of voucher numbers.
- Purchase Orders must include a completed Voucher Order Form with the order.
- Requests must be submitted to IdenTrust Registration at [email protected] or fax to 1 (801) 415-7083.
To purchase using a credit card, simply select from the list of products below and you will be directed to our online purchasing system:
Purchase ECA Vouchers
Purchase IGC for EPCS Vouchers
Purchase IGC for Digital Signing and Sealing Vouchers
Purchase TrustID Vouchers
A Non-U.S. applicant is anyone residing and/or working outside of the United States. Non-U.S. applicants are eligible to apply for the following certificate types:
View our Supported Countries list.
IdenTrust does undergo an SSAE-18 SOC 2 Type II audit every year. However, since the detailed information in the audit report is company-confidential, we require an NDA to be in place.
An alternative that does not require an NDA:
As a Certificate Authority, IdenTrust undergoes a WebTrust for Certificate Authorities audit, and the attestation letter for this audit is publicly available without the need for an NDA. The WebTrust for CA audit examines not only the same general information security practices as the SOC 2 criteria does, but also certificate life cycle practices including proper handling of applicant information. The link for the WebTrust for CA audit is at the bottom of our home page. You may also be interested in examining our Privacy Policy.
Browser compatibility will depend on the type of certificate and the operating system you are using.
Software Certficates | Microsoft® Edge | Google® Chrome | Mozilla® Firefox | Android® OS |
---|---|---|---|---|
Certificates can be retrieved using these browsers | X | X | X | |
Certificates can be imported to these browsers | X | X | X | X |
Hardware Certificates | Microsoft® Edge | Google® Chrome | Mozilla® Firefox | Android® OS |
---|---|---|---|---|
Certificates can be retrieved using these browsers | X | X | X | |
Certificates can be imported using these browsers | X | X | X |
Software Certificates | Google® Chrome | Mozilla® Firefox | Apple® Safari | iOS (iPhone/iPad) |
---|---|---|---|---|
Certificates can be retrieved using these browsers | X | X | X | |
Certificates can be imported using these browsers | Accessible Via Keychain | X | Accessible Via Keychain | X |
Hardware Certificates | Google® Chrome | Mozilla® Firefox | Apple® Safari | iOS (iPhone/iPad) |
---|---|---|---|---|
Certificates can be retrieved using these browsers | X | X | X | |
Certificates can be imported using these browsers | Accessible Via Keychain | X | Accessible Via Keychain |
TLS/SSL Certificates Are Interoperable With: |
---|
|
Account Password
The Account Password is created by you when the application is filled out online. This password is required to download your certificate and to access your account via the Certificate Management Center (CMC).
Within the CMC you can:
The rules for creating your Account Password are:
Certificate Password
The Certificate Password is created to protect the use of the certificate. Depending on the assurance level of your certificate, when your certificate is downloaded to your machine you may be prompted to create the private key password. This is referred to as the Certificate Password.
The Certificate Password is used each time the certificate is accessed:
When creating your Certificate Password we recommend you use the following guidelines:
IdenTrust recognizes that it is sometimes difficult to determine what certificate is best to meet your needs. To help you with this process, IdenTrust has created our unique Certificate Selection Wizard which will help guide you through the process of selecting your certificate. The wizard is based on what you consider to be your Buying Community or what type of user community that you are most associated with. Examples of Buying Communities include users of DoD ECA Agency applications, EPCS prescribers, professional who need digital signing and sealing or those individuals who need a certificate for personal use.
1. Start by selecting a category from the My Buying Community or the Certificate menu. Once you have selected a category that is most similar to how you will use your certificate, you can choose from various Learn More links to access additional details about certificates in this category and how to use them.
2. When you are ready to purchase your certificate, you simply select a BUY NOW button that will launch the wizard related to that specific Buying Community or Certificate type you have chosen. An added bonus is that IdenTrust has worked with the government agencies and vendors that use our certificates and we have configured our wizard to only offer you the types of certificates that they will accept.
3. From there all you need to do is respond to the prompts and the wizard will assist you in finalizing your buying decision.
With IdenTrust, choosing the best certificate is for you is as easy as 1, 2, 3!
TrustID | Basic Assurance | Individual Identity | Software Storage Certificate:
Authenticates you in personal online transactions, access to specific restricted Web sites, and allows you to send and receive, sign and encrypt email communications, using this digital certificate.
The following certificate is stored on your PC browser for use on a single computer:
The following certificate is stored on a USB token or smart card, can be used from multiple computers and is AATL Enabled: create digital signatures that are instantly trusted whenever the signed document is opened in Adobe® Acrobat® or Reader® software and can be used to sign unlimited number of PDF documents:
TrustID | Medium Assurance | Business Identity Certificate:
These are digital certificates for employees of companies that will authenticate the individual as an employee of that company. When applying for this type of certificate, each certificate is only for one individual, not an entire company.
The following certificates are stored on your PC browser for use on a single computer:
The following certificates are stored on a USB token or smart card, can be used from multiple computers and is AATL Enabled: create digital signatures that are instantly trusted whenever the signed document is opened in Adobe® Acrobat® or Reader® software and can be used to sign unlimited number of PDF documents:
TrustID | Secure Email | Email Identity Certificate:
Authenticates that the email address in the certificate is owned and/or controlled by you; no individual or business identity is verified. Once approved, the certificate allows you to sign and encrypt email communications.
The following certificates are stored on your PC browser for use on a single computer:
The following certificates are stored on a USB token or smart card and can be used from multiple computers:
TrustID | IdenTrust TLS/SSL | Organization Identity | Organization Validated (OV) Certificate:
Authenticates a Web site or a network server using the Secure Socket Layer (SSL) or Transport Layer Security (TLS) protocols.
Visit our TrustID Products page for additional information.
Certain pieces of information provided during your initial application may change during the certificate's lifetime. Some of these pieces of information can be updated immediately, others will have to wait for the renewal process and some changes will require you submit a new application. Examples of common changes include:
My mailing address has changed.
You can update the mailing address on your account at any time by logging into the Certificate Management Center (CMC).
Once you have access the CMC, locate the prompt labeled Manage Your Account Information and select View/Update Account Information. Make the necessary changes and select Finish.
My headquarters address has changed, or my company's name has changed.
Unfortunately, you are unable to make changes regarding your organization name and/or address. This is because organization information is included in your certificate and can only be used in conjunction with conducting business on behalf of that specific organization. In order to update an organization, you must obtain a new certificate. Be aware that if you currently use your certificate to gain access to a federal or state agency, you may also need to re-register with the new company information prior to being able to use the new certificate with the agency system. We suggest that you contact the appropriate agency for further clarification.
My email address has changed.
You will have the option to change the email address associated with your certificate during the renewal process. It cannot be changed prior to a renewal. If you must have your current email included in your certificate, you will need to purchase a new certificate.
My name has changed.
You cannot change your name except at when you renew your certificate. During the renewal process , you will be asked to confirm your name. At that time you can update to your current legal name, which will be included in your new certificate . If the IdenTrust Registration Department is unable to verify the requested changes, you may be asked to send in proof of the name change by providing additional documentation such as:
If you must have a certificate that includes your new name prior to certificate renewal, you will need to purchase a new certificate.
Revocation is the action of making your certificate unusable. This is necessary when you believe that your certificate/private key has been compromised. Revocation prevents anyone from using your certificate to create digital signatures or from accessing secure sites. It is your obligation, based on the Subscriber Agreement you accepted, to request that your certificate be revoked in the case that you believe it has been compromised. Use the following procedure to revoke your certificate:
Visit our How Do I library for instructions to replace your certificate.
Visit our Document Library to view Subscriber Agreements for each certificate policy type.