Site Seal

What is the Entrust Site Seal and why should I use it?

The best way to let your visitors know you have taken steps to protect their information is with the Entrust Secured Site Seal. By clicking the seal, visitors can verify your site's authenticity and certificate status. Posting the Entrust Secured Site Seal on your website tells visitors that you are committed to online security. Unless you deploy Extended Validation, the only indication of a secure connection customers get is a small lock at the bottom of the browser window. Customers may not know to look for this lock, but will be reassured by a security seal. Studies have shown that shopping cart abandonment is reduced, and order completions are increased, when a site seal is used. Entrust has been recognized as a trusted security brand for over a dozen years, providing layered security solutions that help instill confidence for consumers, enterprises and governments. Now you can leverage that brand for your own customers.

How do I get a Site Seal?

All Entrust certificates will be distributed with the Entrust Site Seal. Your Certificate Requester (technical contact) will receive an Entrust Site Seal upon the fulfillment of your certificate order. Entrust can re-distribute your Entrust Site Seal free-of-charge should you misplace it.

Will my Entrust Site Seal work with other sites I am hosting?

No, an Entrust Site Seal is specifically developed for a particular certificate. It cannot be applied to a site other than the specific site for which your web certificate was generated.

Is there more than one version of the Entrust Site Seal that I can install?

Yes, Entrust provides you with several parameters that are modifiable. You can add code to the webpage to show a choice of different site seals based on a similar design. Differences in seals include size and colors. The Entrust Site Seal HTML code can be found on your certificate retrieval page. If you no longer have the certificate retrieval email, please contact Entrust Certificate Services, and they will be happy to provide you with the information.

Do you have a French version of the Entrust Site Seal?

Yes. You can retrieve the French version of the Entrust Site Seal by going to your certificate retrieval page and selecting the option for French. The code will be generated for you and you will be able to add the code to your web page that will host the Entrust Site Seal. If you no longer have the certificate retrieval email, please contact Entrust Certificate Services and they will be happy to provide you with the information.

How can I change my Entrust Site Seal to a different or updated version?

In order to change your Entrust Site Seal to a different or updated version, you will require access to your certificate retrieval page. You will be presented with a number of different site seal options. Select the seal of your choice and a version will be generated for you. You can use this code on the web page that will host the new seal. If you no longer have the certificate retrieval email, please contact Entrust Certificate Services and they will be happy to provide you with the information.

TLS/SSL Certificates

How are Entrust TLS/SSL Certificates trusted by browsers?

Entrust TLS/SSL Certificates are automatically and transparently trusted by most browsers. This trust is established because Entrust Root Certificates are embedded in most major browsers and root certificate programs.

What size keys does Entrust use?

The public key created on your server must be a minimum of 2048 bits; the exact requirement depends on your server software. This public key is contained within your Entrust digital certificate. The Entrust private key used to sign your Entrust TLS/SSL Certificate is 2048 bits.

What browsers will my Entrust TLS/SSL Certificate work with?

The Entrust TLS/SSL Certificates we issue work with all major browsers. For a full list, take a look at our compatibility page at this link: Digital Certificates – Browser Compatibility.

What servers will my Entrust TLS/SSL Certificate work with?

Entrust certificates follow industry standards and RFCs; the certificate requirements for your server are provided by the server vendor. If there are special requirements or issues during installation, please Click Here to contact our Technical Support Team.

Do I require the Entrust Chain Certificate?

Yes. All certificates with a validity date greater than 31 December 2010 require a chain certificate. All Extended Validation certificates require a chain certificate. Additional information is available here.

How do I contact Entrust Certificate Services for additional assistance?

You can reach Entrust Certificate Services Support 24x7*; please Click Here for details. All calls will be answered and vetted 24x7.

*Depending on your contract or the issue, charges may apply.

Document Signing Certificates

What are Entrust Document Signing Certificates?

Entrust Document Signing Certificates enable users to digitally sign Adobe® and Microsoft Office® documents. Visual trust indicators verify the publisher's identity and that the document was not altered. Users can authenticate sensitive documents requiring multiple signatures. Real-time assurance verifies the document's authenticity not just the first time, but throughout its lifetime.

What are the steps to get a Document Signing Certificate?

It's easy.

Step 1: Select the DSC certificate that's right for you.

Step 2: Click on the Buy Now button to start the purchase process. Have your authorization, billing and technical contact information ready. You will also have to provide your domain and company information.

Step 3: Entrust will begin the process of verifying the information. Our stringent verification process may include phone calls and trusted third-party searches to verify information. Once verified, your USB security token will be shipped to you, unless you require a certificate for an HSM.

Step 4: Once you receive the secure USB token, you will have to install a software package that initializes the token. Once complete, the certificate is installed on the token. Contact us if you need more information.

How does it work?

Authors interested in creating certified documents can register with Entrust. Once the registrant's identity information is verified, they are provided with a digital ID to be used in Adobe® and Microsoft® products to apply a trusted digital signature to a document. When a document signed with a Document Signing Certificate is opened, a trust dialog is immediately presented at the top of the document. Visual indicators enable recipients to verify the signature's authenticity, and whether the document has been altered since signing, every time the document is opened. The dialog may vary depending on the software solution and version the recipient is using, but in general looks like this:

  • This document has been certified by a valid trusted signature using the Adobe trust process and cannot be repudiated by the author. Certified documents may allow users to complete forms or also sign documents.
  • This document has been signed by a valid trusted signature using the Adobe trust process and cannot be repudiated by the author.
  • This document was signed using an untrusted certificate, and cannot be verified.
  • This document has been altered or tampered with since signing.

What are the system requirements for downloading and signing the Document Signing certificate?

The SafeNet software used for the certificate is only compatible with Windows OS at this time. Once initialized, users can download the certificate using Internet Explorer.

Certificate Download Requirements:

  • Microsoft Windows Operating System – 7, 8.1
  • Microsoft Windows Server Operating System – 2008 and 2012
  • Microsoft Internet Explorer 10 and 11
  • SafeNet Software – Provided by Entrust Datacard upon purchase

Certificate Signing Requirements:

  • Microsoft Windows Operating System – 7, 8.1 and 10
  • Microsoft Windows Server Operating System – 2008 and 2012
  • Adobe Reader
  • Adobe Acrobat
  • Microsoft Office Word and Excel
  • OpenOffice
  • LibreOffice
  • SafeNet Software – Provided by Entrust Datacard upon purchase

Viewing Requirements:

  • Adobe Reader, Acrobat or other PDF software that supports certificate-signed PDF documents
  • Microsoft Word and Excel

What's the difference between a certified document and a signed document?

The key difference is that a certified document provides extra functionality: it allows some modifications to the document without breaking validation (for example, form filling), validates even with the Acrobat sandbox enabled, and can be used to allow JavaScript if it is disabled. From the point of view of integrity and authenticity, certified and signed documents are the same.

What happens to the documents that have been signed, if my Entrust Document Signing Certificate expires?

In most cases, the signature will remain valid after the certificate has expired, leaving the documents valid long after the initial signing. However, the software that you are using may be configured to allow signatures to expire. In that case, the signature is only valid for the duration it was configured.

How am I and my organization vetted?

Before issuing a Document Signing Certificate, registrants are vetted through a stringent verification process to confirm their identity. Entrust performs the following verification, depending on who the certificate is for:

Individuals (without an organization): Individuals who are not associated with an organization will have their name identified on the Document Signing Certificate.

  • Entrust will verify a government-issued identity document received by fax or scan.
  • A phone number for the individual will be obtained through a trusted third-party source.
  • A call will be placed to the subscriber at the phone number found.
  • A validation email will confirm the subscriber's email address via a shared secret.

Individuals or roles within an organization: In this case, the certificate is for an individual associated with an organization. Both the individual's and the organization's names will be identified in the certificate.

  • Confirmation of the legal existence of the organization will be obtained by Entrust using trusted third-party sources of information.
  • A phone number will be obtained through a third-party listing.
  • A call to the Organization Representative (OR) contact will verify the employment of the OR and confirm the authorization of the subscriber.
  • A call to the subscriber will confirm the request.
  • Entrust will validate the email address of the subscriber via a shared secret.

Organizations ordering certificates on behalf of the organization: In this case, the certificate is for an organization whose name will be in the certificate. No individual's name will appear in the certificate; however, an individual will be assigned as the Key Custodian for the certificate.

  • Confirmation of the legal existence of the organization will be obtained by Entrust using trusted third-party sources of information.
  • A phone number will be obtained through a third-party listing.
  • A call to the Organization Representative (OR) will verify the employment of the OR and confirm the authorization of the Key Custodian.
  • A call to the Key Custodian will verify the request.
  • Entrust will validate the email domain of the organization.

Entrust Cloud: For customers of Entrust Cloud, the verification must include authorization of the administrators who will perform the role of Local Registration Authority (LRA).

  • Confirmation of the legal existence of the organization will be obtained by Entrust using trusted third-party sources of information.
  • A phone number will be obtained through a third-party listing.
  • A call to the Organization Representative (OR) will verify the employment of the OR and confirm the authorization of the LRAs.
  • A call to the Organization Representative (OR) will verify the employment of the OR and confirm the authorization of the Key Custodian.
  • Entrust will validate the email domain of the organization.

What kind of certificates are there?

Entrust offers four different Document Signing Certificates:

Individual Signing Certificates:

Manual: These certificates are used by individuals who wish to sign and certify documents on an ad hoc basis. Examples of this are workflow approvals, legal documents, contracts and letters. The certificates are assigned to an individual whose first and last name appear in the signature along with their email address. This certificate is sold on a secure token.

Group Signing Certificates:

Manual: These Document Signing Certificates are used by groups that wish to sign and certify documents on behalf of a group. These certificates, delivered on a secure token, display the organizational group name and email in the signature rather than an individual name. They are intended for ad hoc use. For example, a sales department may decide to sign its proposals or RFP responses.

Group Signing Certificates:

Automatic: These Document Signing Certificates display the same signature properties as the manual group signing certificates. The difference is that these are intended for use in an automated process (usually Adobe® LiveCycle) to sign and certify documents. Typical use cases for this signature are invoices, account statements, transcript requests and confirmations.

Enterprise Signing Certificates:

Automatic: Intended for corporate use, Enterprise signing certificates display the company name in the signature properties rather than the name of an individual or group.

Why do I need special hardware?

Providers of Document Signing Certificates are required to ensure the security of the private signing key. Using digital signature technology, Adobe products assure recipients that certified PDF documents are authentic: that they originated from their stated author and that the portions of the document signed by the author have not been modified since authoring. For this reason, the private key is generated and stored on a FIPS-compliant cryptographic token that ensures the key cannot be duplicated, thus preserving non-repudiation. Entrust includes a FIPS-validated cryptographic USB token with each individual and group certificate sold. This key is secured by passwords and is easily accessed by signing applications. For Enterprise digital signatures, organizations can download their certificate to an HSM (Hardware Security Module), which is also FIPS compliant.

What products work with Entrust Document Signing Certificates?

We support all versions of Adobe Acrobat and Adobe Reader since version 9, and all Microsoft Office products that run on supported versions of Windows. Support for LibreOffice, OpenOffice and Bluebeam is pending testing.

How does this differ from other client certificates?

Most client certificates work well inside an organization that has deployed software to validate and sign digital documents. Typically, PKI customers can apply digital signatures and have them validated by coworkers inside the organization. The problem comes when exchanging documents outside the organization. Many recipients do not have the technology in place to verify signatures, nor the skills to configure that technology.

Entrust Document Signing certificates are different because the technology to interpret them is built into Adobe® Reader which is ubiquitous. The benefit of using signatures in an application that is readily available and on most desktops is that readers do not have to configure software and no special skills are needed. Additionally, Entrust Document Signing Certificates can be used with other office documents such as those produced from Microsoft Office products.

Can I reissue Entrust Document Signing Certificates?

Entrust Document Signing Certificates can be reissued to the same identity within 30 days of purchase. A certificate may be reissued if passwords are forgotten, tokens are misplaced (an administrative fee applies to replace the token), a key is compromised, or if the individual leaves an organization. If the subscriber leaves the organization, the key should be revoked without re-issue.

Reissuing certificates should not be confused with recycling certificates, which is a feature of server based TLS/SSL certificates in Entrust Cloud TLS/SSL Enterprise. With the TLS/SSL Enterprise service, administrators can revoke a certificate, and reissue that certificate again to another server, without depleting their inventory of certificates. This feature of TLS/SSL Enterprise is not available for Entrust Document Signing certificates.

What information does the certificate contain?

Certificate information varies by Certificate type:

What's the difference between certified and approval signatures?

A certified document attests to the content of the document and certifies that it has not been altered in any way. When a document is certified, the author can specify what changes can be made to the document before its certification is no longer valid. That usually takes the form of:

  • No changes permitted
  • Form fields filled out only
  • Comments on the document allowed

When a person (not necessarily the author) signs a document to consent to or approve it, an approval signature is applied. In all cases, for approvals and certification, the document displays the certificate status in the blue bar at the top of the window.

Multi-Domain EV TLS/SSL Certificates

What is ‘Extended Validation’?

‘Extended Validation’ refers to rigorous, industry-standard validation methods that a CA must use before issuing a TLS/SSL certificate. The guidelines for Extended Validation are published by the CA/Browser Forum.

What is an EV (Extended Validation) Multi-Domain TLS/SSL Certificate?

An Extended Validation (EV) TLS/SSL certificate is a category of certificate created by an industry consortium called the CA/Browser Forum. This new category of certificate was conceived in response to the growing threat of phishing attacks, with the goal of increasing consumer confidence in online transactions. EV certificates will be issued to websites only after rigorous validation of their identity. Web browsers will reflect this higher level of identity assurance with prominent and distinct trust indicators, such as the green address bar in Internet Explorer and Mozilla Firefox, and advanced green indicators in the latest versions of Opera and Google Chrome.

What is the CA/Browser Forum?

The CA/Browser Forum is a group of Certification Authority service providers, web browser manufacturers, and other industry participants that came together to look at ways to reduce the threat of phishing. Entrust formerly chaired this group and strongly supports its work. More information can be found at the CA/Browser Forum website.

How will Entrust Multi-Domain EV TLS/SSL Certificates increase consumer confidence?

With numerous malicious phishing incidents and online fraud, consumers are concerned about identity theft and would like reassurance that the site they are entering their personal data into can be trusted. If consumers feel the site is not trusted and their personal information is unencrypted, they will leave the site and take their transactions to another vendor. Entrust Multi-Domain EV TLS/SSL Certificates will help increase consumer confidence by displaying prominent and consistent trust indicators while consumers are conducting online transactions. The lock is now at the top of the browser window instead of the bottom, and if a website has an Entrust Multi-Domain EV TLS/SSL Certificate installed, the address bar will display green and show the identity of the site and the name of the certificate authority, letting the consumer know they can shop with confidence.

Who can purchase an Entrust EV TLS/SSL Certificate?

A broad range of business entities are now eligible for EV certificates:

  • Private Organization: A non-governmental legal entity (whether ownership interests are privately held or publicly traded) whose existence was created by a filing with (or an act of) the Incorporating Agency in its Jurisdiction of Incorporation.
  • Government Entity: A government-operated legal entity, agency, department, ministry, or similar element of the government of a country, or political subdivision within such country (such as a state, province, city, county, etc).
  • Business Entity: Any entity that is neither a Private Organization nor a Government Entity. Examples include general partnerships, unincorporated associations and sole proprietorships.

How can I buy an Entrust Multi-Domain EV TLS/SSL Certificate?

Entrust Multi-Domain EV TLS/SSL Certificates will be available first for purchase through Entrust Certificate Services website at https://www.entrustdatacard.com/products/categories/ssl-certificates, and at a later date through our Enhanced interface for customers managing larger pools of certificates.

Can I upgrade my existing Entrust TLS/SSL Certificates to the new Entrust Multi-Domain EV TLS/SSL Certificates?

Yes. Please note that customers taking advantage of these promotions will need to be validated under the new EV guidelines before certs can be issued.

What is the maximum lifetime for an Entrust Multi-Domain EV TLS/SSL Certificate?

Entrust Multi-Domain EV TLS/SSL Certificates have a maximum lifetime of 1 year (13 months).

How will Entrust Multi-Domain EV TLS/SSL Certificates be different from the current Entrust TLS/SSL Certificates?

The primary difference will be in what happens before the Entrust EV TLS/SSL Certificates are even issued. Before issuing any Entrust TLS/SSL Certificate, Entrust performs checks to "vet", or validate, the identity of the requestor.

Under the new EV model, validation of an entity (e.g. a company or web site operator) requesting an Entrust Multi-Domain EV TLS/SSL Certificate will be performed using industry-standard guidelines, as defined by the CA/Browser Forum. This differs from current practice, in which different Certification Authorities have very different validation standards. Although the majority of Certification Authorities have rigorous validation practices, not all do, and this undermines the overall security of TLS/SSL for consumer transactions.

Certificates issued using "Extended Validation" will include a reference to an EV-specific certificate policy. Each Certification Authority will have a unique policy and Policy Object Identifier (OID). Browsers supporting EV will behave differently when they encounter a certificate issued under an EV policy OID that they recognize.

Note that at a technical level, Entrust Multi-Domain EV TLS/SSL Certificates will not be different from standard X.509 certificates, and will be backwards compatible with older browsers. Entrust Multi-Domain EV TLS/SSL Certificates will include more information on the subject (the entity the certificate was issued to) – including jurisdiction of incorporation.
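The following Go program is an added example, not Entrust's code, that ties two of the answers above together: using only the standard crypto/x509 package it builds a constructed root, a chain (intermediate) certificate and an EV-style multi-domain leaf, shows that the leaf fails path validation when the chain certificate is not supplied (the "Do I require the Entrust Chain Certificate?" answer), and then checks the leaf for an EV policy OID and the jurisdiction-of-incorporation subject attribute described here. All names and values are constructed; 2.23.140.1.1 is the CA/Browser Forum EV policy OID, the second OID in `recognizedEVPolicies` is a placeholder for a CA-specific EV OID, and `BuildChain`, `VerifyWithChain` and `IsEV` are names chosen for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var (
	// 2.23.140.1.1 is the CA/Browser Forum EV policy OID; the second entry is a constructed placeholder for a CA-specific EV OID.
	recognizedEVPolicies = []asn1.ObjectIdentifier{{2, 23, 140, 1, 1}, {1, 3, 6, 1, 4, 1, 99999, 1, 1}}
	// jurisdictionOfIncorporationCountryName, the EV-only subject attribute the CA adds at issuance.
	oidJurisdictionCountry = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue self-signs tmpl when parent is nil, else signs with parentKey; it re-parses the DER so Names and PolicyIdentifiers are populated.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

func caTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// BuildChain constructs root -> chain (intermediate) -> EV-style multi-domain leaf; every name and value is constructed.
func BuildChain() (root, chain, leaf *x509.Certificate) {
	root, rootKey := issue(caTemplate(1, "Example Root CA"), nil, nil)
	chain, chainKey := issue(caTemplate(2, "Example EV Issuing CA"), root, rootKey)
	// id-ce-certificatePolicies (2.5.29.32) marshaled by hand so the output does not depend on the Go version's template fields.
	type policyInformation struct{ PolicyIdentifier asn1.ObjectIdentifier }
	policiesDER := must(asn1.Marshal([]policyInformation{{recognizedEVPolicies[0]}, {recognizedEVPolicies[1]}}))
	leaf, _ = issue(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject: pkix.Name{
			CommonName: "www.example.com", Organization: []string{"Example Corp"}, Country: []string{"CA"},
			ExtraNames: []pkix.AttributeTypeAndValue{{Type: oidJurisdictionCountry, Value: "CA"}},
		},
		DNSNames:  []string{"www.example.com", "shop.example.com"}, // SANs in place of a wildcard
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(397 * 24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: policiesDER}},
	}, chain, chainKey)
	return
}

// VerifyWithChain builds the path leaf -> root for host with or without the chain certificate, as a browser must.
func VerifyWithChain(root, chain, leaf *x509.Certificate, host string, withChain bool) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), DNSName: host}
	opts.Roots.AddCert(root)
	if withChain {
		opts.Intermediates = x509.NewCertPool()
		opts.Intermediates.AddCert(chain)
	}
	_, err := leaf.Verify(opts)
	return err
}

// IsEV reports whether cert carries a recognised EV policy OID plus the jurisdiction attribute; browsers key the EV indicator on that OID match.
func IsEV(cert *x509.Certificate) bool {
	hasPolicy, hasJurisdiction := false, false
	for _, p := range cert.PolicyIdentifiers {
		for _, ev := range recognizedEVPolicies {
			hasPolicy = hasPolicy || p.Equal(ev)
		}
	}
	for _, n := range cert.Subject.Names { // Names holds every parsed attribute, ExtraNames included
		hasJurisdiction = hasJurisdiction || n.Type.Equal(oidJurisdictionCountry)
	}
	return hasPolicy && hasJurisdiction && len(cert.Subject.Organization) > 0
}

func main() {
	root, chain, leaf := BuildChain()
	fmt.Println("without chain cert:", VerifyWithChain(root, chain, leaf, "shop.example.com", false))
	fmt.Println("with chain cert:   ", VerifyWithChain(root, chain, leaf, "shop.example.com", true))
	fmt.Println("EV indicators on leaf:", IsEV(leaf))
}
```

The first line of output is the "certificate signed by unknown authority" failure a visitor sees when a server omits the chain certificate; the EV check passes only because of the policy OID and subject attribute, which is why the text calls EV certificates standard X.509 at the technical level.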

Are my existing Entrust TLS/SSL Certificates still sufficient for securing online transactions?

From a cryptographic perspective, yes: your current Entrust TLS/SSL Certificates will still result in encrypted TLS/SSL sessions. However, the greatest threat to online transactions is not cryptographic in nature; it is phishing. Phishing preys on consumers' inability to discern between trustworthy sites and imposter sites.

The EV initiative is targeted at making it easier for consumers to make that distinction. From a usability perspective, non-EV certificates will have decreasing effectiveness as consumers adopt the new browsers and come to expect the strong trust indicators provided by Entrust Multi-Domain EV TLS/SSL Certificates while conducting transactions.

Should I switch to Entrust Multi-Domain EV TLS/SSL Certificates?

If you are operating a website that conducts ecommerce transactions, or if you collect sensitive or private information, you should be considering switching to Entrust Multi-Domain EV TLS/SSL Certificates.

Phishing attacks are a real threat to the trust consumers have placed on the internet, and Entrust Multi-Domain EV TLS/SSL Certificates can only be part of the solution if they are deployed and used widely.

How will browsers respond when they visit a website with an invalid certificate or phishing site?

The response may vary depending on the browser but, in general, a red address bar can indicate that you have accessed a known phishing site. A red alert blocks immediate access to reported phishing sites, although users can proceed to the site if they wish. A red address bar can also indicate that there is a problem with the certificate or that it was not issued by a trusted Certificate Authority.

Internet Explorer includes prominent warnings to users and will recommend users not visit the page. If the user ignores the warnings and continues, the address bar goes red, and red warning ‘security badges’ appear.

I'm a website operator. How will Entrust Multi-Domain EV TLS/SSL Certificates affect me?

For website operators, one change to consider is that more details about the subscriber will be placed into the certificate, including:

  • Domain name
  • Organization name
  • Jurisdiction of Incorporation
  • City or town
  • State or province (if any)
  • Country – mandatory

Some CSR generating tools may not allow you to add this information to your certificates. However, Entrust will be able to add this information to your Entrust Multi-Domain EV TLS/SSL Certificates once your certificate order has been placed. Please note that EV standards do not permit the use of wildcard certificates which can impact the number of certificates you may be required to purchase.

Can I get an Entrust Multi-Domain EV TLS/SSL wildcard certificate?

No, the EV TLS/SSL guidelines do not permit wildcard certificates. In some cases the use of subjectAltName extensions can provide the same benefits as a wildcard certificate, and this is permitted within the EV guidelines.

Under what conditions will my Entrust Multi-Domain EV TLS/SSL Certificate be revoked?

Entrust MUST revoke an Entrust Multi-Domain EV TLS/SSL Certificate it has issued upon the occurrence of any of the following events:

  • The Subscriber requests revocation of its Entrust Multi-Domain EV TLS/SSL Certificate.
  • The Subscriber indicates that the original Entrust Multi-Domain EV TLS/SSL Certificate Request was not authorized and does not retroactively grant authorization.
  • Entrust obtains reasonable evidence that the Subscriber's Private Key (corresponding to the Public Key in the Entrust Multi-Domain EV TLS/SSL Certificate) has been compromised, or that the Entrust Multi-Domain EV TLS/SSL Certificate has otherwise been misused.
  • Entrust receives notice or otherwise becomes aware that a Subscriber has violated any of its material obligations under the Subscriber Agreement.
  • Entrust receives notice or otherwise becomes aware that a court or arbitrator has revoked a Subscriber's right to use the domain name listed in the Entrust Multi-Domain EV TLS/SSL Certificate, or that the Subscriber has failed to renew its domain name.
  • Entrust receives notice or otherwise becomes aware of a material change in the information contained in the Entrust Multi-Domain EV TLS/SSL Certificate.
  • A determination, in the CA's sole discretion, that the Entrust Multi-Domain EV TLS/SSL Certificate was not issued in accordance with the terms and conditions of these Guidelines or the CA's EV Policies.
  • If Entrust determines that any of the information appearing in the Entrust Multi-Domain EV TLS/SSL Certificate is not accurate.
  • Entrust ceases operations for any reason and has not arranged for another EV CA to provide revocation support for the EV Certificate.
  • Entrust's right to issue Entrust Multi-Domain EV TLS/SSL Certificate under these Guidelines expires or is revoked or terminated [unless the CA makes arrangements to continue maintaining the CRL/OCSP Repository].
  • Entrust's Private Key for that Entrust Multi-Domain EV TLS/SSL Certificate has been compromised.
  • Entrust receives notice or otherwise becomes aware that a Subscriber has been added as a denied party or prohibited person to a blacklist, or is operating from a prohibited destination under the laws of the CA's jurisdiction of operation.

What is Entrust's EV Certificate Problem Reporting and Response Capability?

Reporting

If you wish to revoke your Entrust Multi-Domain EV TLS/SSL Certificate for any of the above reasons, you may contact Entrust by filling in our online complaint form. In addition to Entrust Multi-Domain EV TLS/SSL Certificate revocation, Subscribers, Relying Parties, Application Software Vendors, and other third parties can contact Entrust by filling in our online complaint form for reporting complaints or suspected Private Key compromise, EV Certificate misuse, or other types of fraud, compromise, misuse, or inappropriate conduct related to EV Certificates.

Investigation

Entrust will begin investigation of all Certificate Problem Reports within twenty-four (24) hours and decide whether revocation or other appropriate action is warranted based on at least the following criteria:

  • The nature of the alleged problem;
  • Number of Certificate Problem Reports received about a particular EV Certificate or website;
  • The identity of the complainants (for example, complaints from a law enforcement official that a web site is engaged in illegal activities have more weight than a complaint from a consumer alleging they never received the goods they ordered); and
  • Relevant legislation in force.

Response

Entrust will maintain a continuous 24/7 ability to internally respond to any high priority Certificate Problem Report, and where appropriate, forward such complaints to law enforcement and/or revoke an Entrust Multi-Domain EV TLS/SSL Certificate that is the subject of such a complaint.

Secure Email Certificates

Do both parties need an Entrust Secure Email cert to communicate?

No, both parties just need an X.509 certificate (public or private, from any vendor):

  • Encryption: both parties need an X.509 S/MIME certificate.
  • Signing: only the signer needs a certificate; the verifier does not.

How do the parties exchange certificates if they are encrypting?

There is no central directory to publish certificates to, so users who wish to encrypt need to exchange certificates manually. This is commonly done by sending a signed email to the recipient, whose mail client "harvests", or collects, the encryption certificate from it.

How does Entrust protect these private keys since they keep a backup of them for us?

The keys are stored in Entrust's secure facility, protected at a level that no single customer could provide on their own; it is the same protection offered by our public certificate business. They have the same level of protection as our CA keys, including physical security (room access), logical security (dual custody for access) and storage security (encrypted and integrity-protected with CA keys). This is not a case where any Entrust IT employee could get at these keys.

Does a re-issue of a certificate last for a year?

No, a re-issue has the same expiry as the original certificate, because it is at no charge. Only a renewal would offer a new term, and as a result would use another license/inventory.

Can I use the Secure Email certificates for MS Office Document signing?

Yes you can.

Does this ID offer non-repudiation?

In order to offer fully automated key backup, Entrust generates the private key on the Entrust server and delivers it to the end user in P12 format. Because it is a dual-usage single key pair, the signing key is also generated on the Entrust server and not on the client machine. This may negate non-repudiation. We recommend you discuss this with your legal team.

Can I use my personal email account to obtain the certificate my corporation has purchased for me?

No. S/MIME Enterprise certificates are Class II certificates, which means Entrust validates the organization and the email domain, and the administrator approves or denies each certificate request. If your request does not match an email domain already verified by Entrust in your account, you will not be able to request the certificate. Since Entrust cannot verify that "hotmail" or "gmail" are domains owned by your organization, you cannot issue an S/MIME Enterprise certificate to those types of email addresses. You would, however, be able to issue an S/MIME Personal certificate to a hotmail account, because the email domain is not verified for that product.

The Cloud

What is Entrust Certificate Services?

Entrust Certificate Services features a self-service tool that helps streamline the procurement and administration of TLS/SSL certificates. Acting as a centrally managed, self-service system, the service reduces administrative hassles and lessens the risk of inadvertent certificate expiration by issuing expiry notifications and allowing customers around-the-clock access to issue certificates. Entrust Certificate Services benefits include the following:

How is the Entrust Certificate Service licensed?

The Entrust Certificate Service is available in two licensing options: Subscription and Units.

Subscription: Allows the management of a specific number of concurrent certificates over the term of the subscription. Subscription accounts allow the selection of specific certificate expiry dates and the re-use of certificate licenses to maximize usage. When a certificate expires or is deactivated, its license goes back into the inventory for future use. The Subscription license does not allow use of the certificates once the subscription expires.

Units: Allows the management of a specific number of certificate-year licenses (units). Units can be used to issue certificates ranging from one to four years. Units must be used within one year of purchase and may be used for the full term of the certificate's validity regardless of when it was deployed.

How do I purchase Entrust Certificate Services?

Entrust Certificate Services can be purchased online at www.entrust.net or by contacting an Entrust sales representative via the following:

Phone: 1-888-690-2424 (toll-free within North America)

Phone: 1-613-270-3411 (outside of North America)

Email: [email protected]

You can purchase the Entrust Certificate Services with a purchase order (PO) or credit card (Visa, MasterCard and American Express).

How do I enroll in the Entrust Certificate Services?

If purchasing online, you will be required to provide your enrollment information through the order process. If purchasing by purchase order, you will receive instructions via email on how to enroll for the service. During enrollment, you will be required to provide the following information: Company Name, Domain Information, Administrator(s), Authorization Contact, Technical Contact(s) and Billing Contact. This information is used to establish your account and create user login credentials.

Can I manage certificates for my clients?

Yes, you can request certificates for your clients. Before you start, you will need to purchase Client Company Names from Entrust, if you do not already have them. Your clients will be contacted by Entrust so that we can verify all the information in the client request. We’ll also obtain their consent that you are authorized to manage certificates on their behalf.

Is there an expiry date on my account?

Yes. For customers with Subscription accounts, your account will expire one, two or three years from the first day you sign into your account, depending on your subscription. The expiry date can be found on the Contract Information page when you log into Entrust Certificate Services. For customers with a Units (non-Subscription) account, your account will expire one year from your last certificate unit purchase. You will receive email notifications from Entrust Certificate Services approximately one month and again 10 days prior to expiry.

How do I get my account credentials to log on to the service?

Upon enrolling for the service, Entrust will provide each Technical Contact with instructions on how to establish their account login ID. Once the ID has been established, customers should login at https://cloud.entrust.net/.

How do I renew the Entrust Certificate Management Service?

To renew your service, contact your Entrust sales representative at:

Phone: 1-888-690-2424 (toll-free within North America)

Phone: 1-613-270-3411 (outside of North America)

Email: [email protected]

What certificate types are offered in Entrust Certificate Services?

Entrust Certificate Services offer several certificate product types to meet your TLS/SSL requirements. These products include: Standard OV TLS/SSL, Advantage OV TLS/SSL, Extended Validation (EV), Unified Communications (UC) and Wildcard OV TLS/SSL certificates. For more information on the certificate types, see the following:

https://www.entrustdatacard.com/products/categories/ssl-certificates

http://www.entrust.net/knowledge-base/technote.cfm?tn=7127

How do I install a TLS/SSL certificate in my environment?

For certificate installation instructions, please visit our Supported Web Servers page and select the Web server in your environment. Please Note: Entrust does not provide documentation or support for custom applications.

What are Entrust Extended Validation TLS/SSL Certificates?

Extended Validation (EV) TLS/SSL certificates are a category of TLS/SSL certificate defined by an industry consortium, the CA/Browser Forum, to help increase consumer confidence in online transactions in response to the growing threat of phishing and man-in-the-middle attacks. EV certificates are issued to websites only after rigorous validation of their identity. When EV was introduced, web browsers reflected this higher level of identity assurance with prominent and distinct trust indicators, such as the Subscriber name on a green background in the address bar of Internet Explorer 7, Firefox 3 and Opera 9.5; current versions of the major browsers no longer show a distinct EV indicator in the address bar, so the validated organization details in the certificate itself are what EV adds today. EV certificates are available in Entrust Certificate Services.

How do I contact Entrust Certificate Services for additional assistance?

If you have additional questions, or need information, please contact Entrust Certificate Services Support by calling 866-267-9297 within North America (1-613-270-2680 outside of North America), Monday through Friday 8 a.m. to 6 p.m. Eastern Time. You can also send us an email at [email protected]

Discovery

Will this solution only find TLS/SSL certificates?

Entrust Discovery finds any certificate presented by a network service, i.e. if a certificate is protecting an IP address on a port that the Agent can reach, it will be detected. This includes TLS/SSL certificates, device certificates, etc.

Since management of Entrust certificates is free, how do I get credited for my used license when I switch a non-Entrust managed certificate to an Entrust certificate?

You must switch to an Entrust certificate, and then re-run the Discovery Agent, and ensure the results are imported into the Manager. The Manager will detect that a replacement occurred and credit the license count at that time.

Is there a functional difference between the Cloud model and the Premises model or is it the same software?

The Cloud model offers single sign-on and has a few fewer items to configure (email sender, licensing), but is otherwise the same product.

Why do I have to install the Discovery Agent on my (customer) premises?

In order to query your internal IP addresses, the source of the query needs to reside on your premises. By installing the Discovery Agent on your premises, you are able to discover both your internal and your external-facing certificates.
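
The core of what the two Discovery answers above describe (connect to an IP and port, take the certificate the service presents, and report on it), reduced to openssl as an added example; this is not Entrust Discovery's code. The host names, ports and 30-day threshold are constructed. Assumes POSIX sh and OpenSSL 1.1.1 or later on PATH.

```shell
# Added example, not Entrust Discovery. Hosts, ports and thresholds are constructed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# fetch_cert HOST PORT: the leaf certificate the service presents, as PEM.
# -servername sends SNI so name-based virtual hosts return the right certificate.
# Run from a host inside the network, as with the Agent, to reach internal IPs.
fetch_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 2>/dev/null
}

# cert_summary CERT: "subject=...|issuer=...|notAfter=..." on one line
cert_summary() {
  openssl x509 -in "$1" -noout -subject -issuer -enddate | paste -s -d '|' -
}

# expires_within CERT DAYS: exit 0 if the certificate expires within DAYS days
# (-checkend exits 0 while the cert is still valid N seconds from now, 1 otherwise)
expires_within() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# scan_endpoints DAYS: read "host port" pairs from stdin and print one line per
# endpoint: OK or EXPIRING-SOON plus the summary. Ports that do not answer with a
# certificate are reported as NO-CERT rather than skipped, so the inventory stays
# complete and a plaintext service on a port you expected to be TLS stands out.
scan_endpoints() {
  while read -r host port; do
    [ -n "$host" ] || continue
    cert="$WORK/$host.$port.pem"
    if fetch_cert "$host" "$port" > "$cert" && [ -s "$cert" ]; then
      if expires_within "$cert" "$1"; then state=EXPIRING-SOON; else state=OK; fi
      printf '%s %s:%s %s\n' "$state" "$host" "$port" "$(cert_summary "$cert")"
    else
      printf 'NO-CERT %s:%s\n' "$host" "$port"
    fi
  done
}

# Usage against hosts of your own (the list below is constructed):
# printf 'intranet.example.test 443\nldap.example.test 636\n' | scan_endpoints 30
```

The notAfter field is what the expiry notifications described later on this page key off; running the scan on a schedule against every address and port you own catches the certificates nobody registered for notifications in the first place.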

Which O/S's will the Discovery Agent run on?

Discovery Agent will run on Linux Red Hat 5.5+, and on Windows (XP, 7, 2003, 2008 32 and 64 bit).

Do I need to back up the Agent?

No. If you uninstall the Agent or lose the machine it's running on, you can always reinstall an Agent and rerun scans. The most you would lose is your saved scans and any data that has been discovered but not yet uploaded to the Manager. If you are planning on removing the Agent, be sure to export to the Manager first.

Certificate Enrollment

What should I prepare before applying for an Entrust Server Certificate?

To ensure that Entrust can process your application for a TLS/SSL or WAP Server Certificate efficiently, please make sure that you have the following in place:

  • A Certificate Signing Request (CSR) generated on your server. You can find more information concerning Certificate Signing Requests in our CSR FAQ section.
  • Ownership of your domain name: Entrust will not be able to process your Server Certificate if the domain name is not registered to your company, parent company or subsidiary.
  • A business telephone number that can be found using a third-party search directory.
  • Accurate contact information: during the application, you will need to provide three contacts:

An Authorization Contact who must be a senior member of your organization and have the authority to request certificates on behalf of your organization. This person is contacted when information is required for the Entrust Server Certificate.

A Technical Contact who will receive the certificate when it is issued, and who is notified about certificate renewals and updates. The Technical Contact is usually the person responsible for the daily operation of the Web or WAP Server on which the certificates will be installed. If your server(s) are hosted by a third-party or ISP, someone within that organization should be listed as the Technical Contact.

A Billing Contact who will receive all billing information regarding the purchase of your Entrust Certificate.

To better suit the needs of small organizations (25 employees or fewer), Entrust Certificate Services will allow the Technical and Authorizing Contact to be the same person. If your organization employs more than 25 people, you will be required to provide separate points of contact, or your application will fail the verification process.

What is the Entrust verification process for an Entrust Certificate?

To apply for an Entrust Server Certificate, you will need to provide the following information:

  • Valid payment information (valid Entrust Purchase Order number, valid Credit Card Information or Promo Code)
  • Authorizing Contact
  • Technical Contact
  • Billing Contact
  • Certificate Signing Request (CSR)

Once your application has been submitted, the following information will be verified:

  • Information about your organization (official registration, address, phone number, etc.)
  • The right of your organization to use the domain name included in the CSR.
  • Employment of the Technical Contact by the authorizing organization.

Online Consent Form

If the Technical Contact works for a subcontracting company (e.g., an ISP), Entrust Certificate Services will forward a Consent Form to the Authorization Contact. The Consent Form also confirms that the Authorizing Contact has read and agreed to the terms of the CPS and Subscription Agreement.

How is this information verified?

In order to process your certificate, Entrust Certificate Services will verify:

  • Your company information against publicly accessible information.
  • Domain ownership with Domain Registrar
  • Employment of your Technical Contact through phone call to the Authorizing Contact.

Why does Entrust require a third party phone number source?

When Entrust issues a TLS/SSL Certificate to any entity, that certificate leverages the trust of Entrust's Root Certificate. This Root Certificate is embedded in the internet browsers that clients use to access websites over the internet. By issuing a certificate, Entrust is attesting to the client accessing the site on which the certificate is installed that the information they submit on that site is being securely transmitted to the legitimate business identified in the certificate. This attestation means that Entrust has performed due diligence in verifying that:

  • the organization that the client is dealing with is a legitimate organization operating under the name identified in the organization name in the certificate
  • that the organization verified is the registered owner of the domain
  • that the individual who received the certificate was an authorized representative of the organization verified in step 1

In order to properly verify an organization as stated above, Entrust or its Verification Agent must be able to contact that organization by way of a valid third-party phone source. This requirement ensures that Entrust is contacting the appropriate organization to obtain the necessary Proof of Right information. It also allows Entrust to confirm that the individual requesting the certificate is authorized to do so on behalf of the organization. These steps help protect your organization from the fraudulent use of its name in a TLS/SSL or WAP certificate.

What is a third party phone number source?

A third party phone source is a publicly available resource where the phone number registered to a business or individual may be listed. Some examples of third party sources would be Directory Assistance (555-1212 or 411), the phone book (white or yellow pages) or an online phone directory.

Who can be a Technical Contact?

A Technical Contact will receive the certificate when it is issued, and is notified about certificate renewals and updates. The Technical Contact is usually the person responsible for the daily operation of the Web or WAP Server on which the certificate will be installed. If your server is hosted by a third-party or ISP, someone within that organization should be listed as the Technical Contact. Entrust will forward a Consent Form to the Authorization Contact. The Consent Form will confirm that the Technical Contact works for the Authorizing Organization and also that the Authorizing Contact has read and agreed to the terms of the CPS and Subscription Agreement.

Who can be an Authorization Contact?

An Authorization Contact must be a senior member of your organization and have the authority to request a certificate on behalf of your organization. This person receives a copy of the certificate when it is issued and is contacted if further information is required to process your request.

Why will my Authorization Contact be contacted?

Entrust or Dun and Bradstreet will call your Authorization Contact to verify the employment of your Technical Contact.

How do I proceed if I get an "Invalid CSR" message during the application?

Please refer to our CSRs FAQs section for all CSR related questions.

Why does Entrust need to verify my Domain Name?

As per the CA/Browser Forum requirements, Entrust, like all Certification Authorities, must require the subscriber to demonstrate ownership or control of the domain before a certificate can be issued for it. This ensures that Entrust issues certificates only to authorized domain owners. Entrust uses two primary methods to verify domain ownership and control:

  • Email: Entrust sends an email to the registered domain owner to confirm that they authorize the subscriber to request a certificate from Entrust. In some cases the owner's address may not be available because of domain privacy restrictions.
  • DNS authentication: Entrust provides the subscriber with a random value that the subscriber publishes in the domain's DNS (for example as a TXT record). Only someone who controls the zone can add that record, so its presence demonstrates to Entrust that the subscriber controls the domain.

How can I check on the status of my application?

Entrust provides clients with an online form to check the status of applications. The form can be found on the Customer Order Tracking page. You will be required to enter your order number. Your order number was provided during the online application and is referenced in the subject line of correspondence emails sent to you regarding your application.

How long does it take to get an Entrust Certificate?

Our standard global SLA is 3-5 business days. If the information you provided with your application is not adequate (for example, your organization does not own the domain name you applied for), processing will take longer or your application will be rejected.

How will I know if my application for an Entrust Server Certificate has been accepted or rejected?

You will be notified by Entrust when the verification process is completed. If your application has been accepted, you can pick up your Entrust Server Certificate by connecting to the URL found in your email notification (sent to the Technical and Authorization Contacts).

What can I do if my application has been rejected?

If your Entrust Certificate application is rejected, you can work with the Entrust Certificate Services Support Team to determine the best way to submit a new application. The main reasons that can lead an application to fail are:

  • The domain name in the CSR is not registered to the authorizing organization.
  • The address in the certificate application is not a valid address for your business.
  • CSR is incorrectly formatted.
  • Your company does not have a phone number publicly registered at the address in your application.
  • The Authorization Contact does not confirm the employment of the Technical Contact.

What is a Dun and Bradstreet D-U-N-S Number?

The Dun and Bradstreet D-U-N-S Number is a unique nine-digit number assigned by Dun and Bradstreet to identify business entities, access D&B products and link related entities and data. It is non-indicative: the digits encode nothing about the business itself.

Will my order be processed if I do not have a D-U-N-S number?

You do not need to have a Dun and Bradstreet D-U-N-S number to apply for an Entrust TLS/SSL Certificate. If your organization does have a D-U-N-S number, it can help to expedite verification of your organization and therefore your order.

How can I retrieve my Entrust TLS/SSL Certificate?

Your Entrust TLS/SSL Certificate is provided to the order technical contact in an email when your order is completed. You can also utilize the Customer Order Tracking page by entering your order number and in the Certificate section of the page select the "Click here to retrieve your certificate" link.

How do I contact Entrust for additional assistance?

If you have additional questions or require further information, please contact Entrust Certificate Services Support by calling 866-267-9297 (1-613-270-2680 outside of North America), Monday through Friday 9:00 AM to 5:00 PM Eastern Time or emailing us at [email protected]

TLS/SSL Certificates Reissue, Renewal and Revocation

When do I need to renew my Entrust TLS/SSL Certificate?

Entrust recommends starting the renewal process 30 days before the expiration of your current Entrust certificate.

Will I receive notification when my Entrust TLS/SSL Certificate is going to expire?

Entrust will notify the Authorizing contact listed on your TLS/SSL Certificate order application one month prior to the expiration date of your Entrust TLS/SSL Certificate. Entrust will also notify the Technical contact listed on your Entrust TLS/SSL Certificate order application two weeks prior to the expiration date of your Entrust TLS/SSL Certificate. Instructions on renewing your Entrust TLS/SSL Certificate will be contained in this expiry notification email.

How much does it cost to renew my Entrust TLS/SSL Certificate?

During the renewal process you will be shown pricing based on your previous order. For questions regarding renewal, start the renewal process at the address given in the next answer.

How do I renew my Entrust TLS/SSL Certificate?

You can renew your Entrust TLS/SSL Certificate at: https://www.entrust.com/digital-security/certificate-solutions/products/digital-certificates/tls-ssl-certificates/renewals

How do I renew my TLS/SSL certificate with Entrust if I am already using one from another Certification Authority?

You can renew your certificate with Entrust Certificate Services regardless of whether the previous certificate was issued by a different Certification Authority; the application is processed as a new order. If you have any questions, our customer service teams are available to assist.

Is the verification process going to be quicker for a renewal?

Entrust must go through the same steps for a renewal certificate as if a new certificate were being purchased. However, Entrust can reference the previously verified information to expedite the renewal process. The time it takes to complete a renewal also depends on how long the subscriber takes to complete the various steps, such as accepting the Entrust subscriber agreement email, completing proof of domain control validation and answering any phone calls for authorization purposes. The renewal verification process usually takes 3 to 5 business days within North America.

What is Entrust's TLS/SSL Certificate replacement / reissue policy?

Entrust has a certificate replacement / reissue policy that states Entrust Certificate Services can offer a one time, no charge replacement of your certificate within thirty (30) days of the original issue date. If you require a replacement certificate after the initial replacement, or it has been over thirty (30) days since the issuance of your TLS/SSL Certificate, you must purchase a new certificate at buy.entrust.net

Please note: backing up the certificate key pair is emphasized on our website and in the enrollment guide. The private key (the file your server uses to prove possession of the public key in the certificate) always remains on your server: it is generated there, and Entrust never has access to it. The file that Entrust issues is the certificate, which contains your public key signed by Entrust; a certificate is useless without its matching private key, and a server will refuse to serve a certificate against a key other than the one its CSR was generated from, so check that the two match before installing. Depending on the server, the key pair should always be backed up onto removable media storage, and a backup that contains the private key must be protected as carefully as the server itself. If you have access to your original server or an O/S backup, or can restore an O/S image that included the working TLS/SSL site, you can follow the "Backing Up your TLS/SSL Certificate and Private Key" section for your server. If you qualify for a free reissue, please follow these steps:

  • Please create a new keypair / CSR on your server.
  • Log a service request with Entrust Certificate Services Support.
  • In your description, please include your order number, domain name and reason for the reissue, and paste in your CSR. You may also email your CSR directly to [email protected]. Do not use ".com" in the filename.
  • Your request will be verified and if approved, Entrust will reissue the certificate via email which will be sent to the technical contact.
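
The key pair and CSR steps above, the "Invalid CSR" check, and the key-matching and backup advice in the note before them, worked through with openssl as an added example; this is not Entrust's tooling. The organization name, the host names under example.test and the PKCS#12 passphrase are constructed, and the certificate the functions check is minted locally as a stand-in for the one Entrust emails to the technical contact. Assumes POSIX sh and OpenSSL 1.1.1 or later on PATH.

```shell
# Added example, not Entrust's code. Names, passphrase and the stand-in certificate are constructed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_key_and_csr BASENAME CN SAN_LIST: a new private key (which stays on this host)
# and a CSR carrying the CN and subjectAltName; SAN_LIST looks like "DNS:a,DNS:b".
make_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
    -subj "/O=Example Corp/CN=$2" -addext "subjectAltName=$3" >/dev/null 2>&1
}

# csr_is_wellformed CSR: parses the CSR and checks its self-signature. An "Invalid
# CSR" at enrollment is usually a paste or line-ending error; this catches it early.
csr_is_wellformed() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# csr_dns_names CSR: one DNS name per line, as the CA will read them from the request
csr_dns_names() {
  openssl req -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed 's/^ *DNS://'
}

# pubkey_fp FILE KIND: SHA-256 of the DER-encoded public key found in a cert
# (KIND=cert) or derived from a private key (KIND=key); works for RSA and EC alike
pubkey_fp() {
  if [ "$2" = cert ]; then
    openssl x509 -in "$1" -noout -pubkey
  else
    openssl pkey -in "$1" -pubout
  fi | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# cert_matches_key CERT KEY: the check to run before installing an issued or
# reissued certificate. A reissue made from a fresh CSR will not match the old key.
cert_matches_key() {
  [ "$(pubkey_fp "$1" cert)" = "$(pubkey_fp "$2" key)" ]
}

# backup_pkcs12 CERT KEY OUT PASS: certificate and private key in one
# passphrase-protected file for removable media; reads it back to prove it opens.
backup_pkcs12() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4" \
    && openssl pkcs12 -in "$3" -passin "pass:$4" -noout
}

# stand_in_cert CSR KEY OUT: a self-signed certificate minted locally so the checks
# above can run offline; in real use this file arrives from Entrust by email.
stand_in_cert() {
  openssl x509 -req -in "$1" -signkey "$2" -days 30 -out "$3" >/dev/null 2>&1
}
```

Usage: after `make_key_and_csr site www.example.test "DNS:www.example.test,DNS:example.test"`, confirm `csr_is_wellformed "$WORK/site.csr"` and review `csr_dns_names "$WORK/site.csr"` before pasting the CSR into the order; when the certificate arrives, `cert_matches_key issued.crt "$WORK/site.key"` must succeed before you install it, and `backup_pkcs12 issued.crt "$WORK/site.key" backup.p12 "$PASS"` produces the bundle to take offline. The public-key fingerprint comparison is preferred over the older RSA modulus trick because it also covers EC keys.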

What is Entrust Certificate Services refund policy on TLS/SSL Certificates?

For Enterprise customers, we encourage you to contact your dedicated account manager for details concerning your enterprise account and refunds. If you're unsure who your account manager is, you can find those details listed in your account, or reach out to support at 1-866-267-9297 (1-613-270-2680 outside of North America). For customers who have purchased single certificates we offer a 30-day refund policy; please see the refund policy for details.

Can an Entrust TLS/SSL Certificate be revoked?

Yes, an Entrust TLS/SSL Certificate can be revoked. A certificate should be revoked under the following conditions:

  • The private key has been lost, stolen or otherwise compromised
  • The contents of the certificate are no longer valid (for example, a company has changed its name)
  • The certificate is being misused
  • Other circumstances deemed to warrant revocation

Entrust will automatically revoke your Entrust TLS/SSL Certificate when it is replaced by a reissued certificate. If for any reason Entrust needs to revoke your TLS/SSL Certificate, you will be notified of the revocation.

How do I revoke my Entrust TLS/SSL Certificate?

If you need to revoke your Entrust TLS/SSL Certificate, use the following link: https://www.entrust.net/customer/revoke_form.cfm. You will be required to supply the passphrase you provided when you applied for this certificate. If you have lost your passphrase, please contact Entrust Certificate Services support (TLS/[email protected]) to obtain a template of a letter to fax to Entrust.

How do I contact Entrust for additional assistance?

Please contact our Technical Support Team using the contact details given above.

Multi-Domain EV TLS/SSL Certificate Revocation Information and Reporting Policy

Under what conditions will my Entrust Multi-Domain EV TLS/SSL Certificate be revoked?

Entrust MUST revoke an Entrust Multi-Domain EV TLS/SSL Certificate it has issued upon the occurrence of any of the following events:
  • The Subscriber requests revocation of its Entrust Multi-Domain EV TLS/SSL Certificate.
  • The Subscriber indicates that the original Entrust Multi-Domain EV TLS/SSL Certificate Request was not authorized and does not retroactively grant authorization.
  • Entrust obtains reasonable evidence that the Subscriber's Private Key (corresponding to the Public Key in the Entrust Multi-Domain EV TLS/SSL Certificate) has been compromised, or that the Entrust Multi-Domain EV TLS/SSL Certificate has otherwise been misused.
  • Entrust receives notice or otherwise becomes aware that a Subscriber has violated any of its material obligations under the Subscriber Agreement.
  • Entrust receives notice or otherwise becomes aware that a court or arbitrator has revoked a Subscriber's right to use the domain name listed in the Entrust Multi-Domain EV TLS/SSL Certificate, or that the Subscriber has failed to renew its domain name.
  • Entrust receives notice or otherwise becomes aware of a material change in the information contained in the Entrust Multi-Domain EV TLS/SSL Certificate.
  • A determination, in the CA's sole discretion, that the Entrust Multi-Domain EV TLS/SSL Certificate was not issued in accordance with the terms and conditions of these Guidelines or the CA's EV Policies.
  • Entrust determines that any of the information appearing in the Entrust Multi-Domain EV TLS/SSL Certificate is not accurate.
  • Entrust ceases operations for any reason and has not arranged for another EV CA to provide revocation support for the EV Certificate.
  • Entrust's right to issue Entrust Multi-Domain EV TLS/SSL Certificates under these Guidelines expires or is revoked or terminated [unless the CA makes arrangements to continue maintaining the CRL/OCSP Repository].
  • Entrust's Private Key for that Entrust Multi-Domain EV TLS/SSL Certificate has been compromised.
  • Entrust receives notice or otherwise becomes aware that a Subscriber has been added as a denied party or prohibited person to a blacklist, or is operating from a prohibited destination under the laws of the CA's jurisdiction of operation.

What is Entrust's EV Certificate Problem Reporting and Response Capability?

Reporting

If you wish to revoke your Entrust Multi-Domain EV TLS/SSL Certificate for any of the above reasons, you may contact Entrust by filling in our online complaint form. In addition to Entrust Multi-Domain EV TLS/SSL Certificate revocation, Subscribers, Relying Parties, Application Software Vendors, and other third parties can contact Entrust by filling in our online complaint form for reporting complaints or suspected Private Key compromise, EV Certificate misuse, or other types of fraud, compromise, misuse, or inappropriate conduct related to EV Certificates.

Investigation

Entrust will begin investigation of all Certificate Problem Reports within twenty-four (24) hours and decide whether revocation or other appropriate action is warranted based on at least the following criteria:

  • The nature of the alleged problem;
  • The number of Certificate Problem Reports received about a particular EV Certificate or website;
  • The identity of the complainants (for example, complaints from a law enforcement official that a website is engaged in illegal activities carry more weight than a complaint from a consumer alleging they never received the goods they ordered); and
  • Relevant legislation in force.

Response

Entrust will maintain a continuous 24/7 ability to internally respond to any high priority Certificate Problem Report, and where appropriate, forward such complaints to law enforcement and/or revoke an Entrust Multi-Domain EV TLS/SSL Certificate that is the subject of such a complaint.