TrustID® Certificate Issuance Certificate Protection Information

Copyright Notice
Copyright 2000 Digital Signature Trust Co. (DST). This document is copyrighted by (DST) and is provided for the intended recipient's review only. Permission to otherwise copy, electronically reproduce, reprint, or utilize this document, in part or in whole, is expressly prohibited unless prior written consent is obtained from Digital Signature Trust.

In order to obtain consent, contact DST at:

Digital Signature Trust Co.
255 North Admiral Byrd Rd
Salt Lake City, UT 84116-3703

Table of Contents

WHY DO I NEED TO PROTECT MY PRIVATE KEY?


HOW DOES THE WAY I STORE MY CERTIFICATE AFFECT SECURITY?


WHAT CAN I DO TO PROTECT MY PRIVATE KEY?
Systems Running Windows 9X
System Boot Passwords
Screen Saver Passwords
Systems Running Windows NT or Windows 2000
System Boot Passwords
Screen Saver Passwords
System Account Login
Enabling Password Protection on Stored Certificates

HOW DO I MAKE A BACKUP COPY OF MY CERTIFICATE?
Using Internet Explorer
Using Netscape

Why do I need to protect my private key?
When you accepted the Subscriber Agreement during the certificate application process, you agreed to protect your private key and to revoke it immediately if you know or suspect it has become compromised. Your digital certificate represents your identity on all transactions where you use your private key. You should protect your private key in the same way you would protect other vital information that impacts your identity, such as the PIN you use to access an automated teller machine.

You should also make a backup copy of your private key to protect yourself from loss through a hardware failure. If the hard drive on your computer failed and your private key were lost, you would no longer be able to decrypt information that was encrypted with your certificate.

How does the way I store my certificate affect security?
Certificates can be stored in

  • Web browsers
  • Smart cards
  • USB tokens

Storing a certificate in a web browser program such as Netscape or Internet Explorer is the least secure method of storage. Other users of your computer can potentially access your certificate when you are away, and your certificate can be easily lost if something happens to your computer.

A smart card is an electronic device that looks like a standard credit card but actually stores data, including certificates. Smart cards offer enhanced security since you can remove the card from the card reader and take the certificate with you when you leave your computer. Smart cards are also password protected. Smart cards are inconvenient in that they require a card reader to be installed on your computer.

A USB token is an electronic device small enough to attach to a key chain that stores digital certificates. Several different manufacturers of USB tokens exist, but all USB tokens work the same way. USB tokens offer enhanced security since you can remove the device from the USB port on your computer and take the certificate with you when you leave. USB tokens are also password protected. USB tokens are inconvenient in that they require USB token reader software to be installed on your computer, and in that they cannot be used on computers that do not have a USB port.

What can I do to protect my private key?
In addition to changing the way you store your certificate, you can take some additional steps to protect your private key based on the operating system running on your computer and the type of browser you use.

Systems Running Windows 9X
If you are running any of the Windows 9X operating systems, you can protect your private key using system boot up passwords and screen saver passwords.

System Boot Passwords
Enabling a boot-up password in your computer's CMOS/BIOS provides additional system security. Keep in mind, however, that a boot-up password by itself would not prevent a determined hacker from gaining access to your computer. Refer to your computer system documentation to learn how to enable a boot-up password.

Screen Saver Passwords
Screen saver passwords also provide additional system security by preventing casual hackers from accessing your computer when you are away. Just as with boot-up passwords, a screen saver password by itself would not prevent a determined hacker from gaining access to your computer. Additionally, you must make certain the screen saver is displayed on the screen before you leave your computer. Screen saver passwords do not prevent a user from gaining access by rebooting your system.

To enable a screen saver password in Windows 9X, double-click the My Computer icon on your system desktop and then double-click the Control Panel icon. From the Control Panel window, double-click the Display icon to open the Display Properties window, then select the Screen Saver tab.

Select a screen saver from any of the provided effects listed in the Screen Saver drop down box. Make certain the Password Protected box is checked to enable the password protection feature.

Systems Running Windows NT or Windows 2000
If you are running Windows NT or Windows 2000, you can protect your private key by using system boot up passwords, screen saver passwords, and your system account login.

System Boot Passwords
Enabling a boot-up password in your computer's CMOS/BIOS provides additional system security. Keep in mind, however, that a boot-up password by itself would not prevent a determined hacker from gaining access to your computer. Refer to your computer system documentation to learn how to enable a boot-up password.

Screen Saver Passwords
Screen saver passwords also provide additional system security by preventing casual hackers from accessing your computer when you are away. Just as with boot-up passwords, a screen saver password by itself would not prevent a determined hacker from gaining access to your computer. Additionally, you must make certain the screen saver is displayed on the screen before you leave your computer. Screen saver passwords do not prevent a user from gaining access by rebooting your system.

To enable a screen saver password in Windows NT or Windows 2000, double-click the My Computer icon on your system desktop and then double-click the Control Panel icon. From the Control Panel window, double-click the Display icon to open the Display Properties window, then select the Screen Saver tab.

Select a screen saver from any of the provided effects listed in the Screen Saver drop down box. Make certain the Password Protected box is checked to enable the password protection feature.

System Account Login
Both Windows NT and Windows 2000 require a login before granting any local access to the computer. This feature of the operating systems automatically provides a high level of security.

Enabling Password Protection on Stored Certificates
Certificate passwords protect your certificate while it is stored in your browser. When a password is enabled on a certificate, the browser requires you to enter the password every time you use your certificate. By default, Netscape provides password protection to stored certificates. If you use the Internet Explorer browser, you must manually enable certificate password protection.

You can enable password protection at the certificate retrieval process. When the certificate retrieval process is complete you will see a screen saying, "Your certificate information has been published to our directory. Thank you for choosing Digital Signature Trust Co." At this point your certificate is installed, but not yet password protected. To password protect your certificate perform the following steps:

  1. In Internet Explorer, click on Tools, then Internet Options. The system displays the Internet Options screen.
  2. Click the Content tab then click the Certificates button in the Certificates section of the screen. The system will display the Certificates screen.
  3. Highlight the certificate you want to password protect by clicking it once, then click the Export button.
  4. The system will display the Certificate Export Wizard window. Click Next.
  5. Select the Yes, export the private key option, then click Next.
  6. Remove check marks from all check boxes and click Next.
  7. Enter a certificate export password in both password fields, then click Next.
  8. Click the Browse button. Navigate to your desktop then choose and enter a filename for the exported certificate, and then click Save.
  9. Click Next then click Finish. You should receive a message stating, "The export was successful". Click OK. The system will re-display the Certificates screen.
  10. Highlight the certificate you just exported and click Remove. The system will prompt you to confirm that you want to delete the certificates, click Yes. The system will delete the certificate and re-display the Certificates screen.
  11. Click the Import button. The system will display the Certificate Import Wizard window. Click Next.
  12. Click the Browse button, navigate to your desktop, select the certificate you just exported, click Open, then click Next.
  13. Enter the certificate export password you chose earlier, place check marks in BOTH check boxes, then click Next.
  14. Click the Next button twice, and then click the Finish button. The system will display the Importing a New Private Exchange Key window. Click Set Security Level. Select the High option and then click on the Next button.
  15. The system will prompt you to enter the password information you will use to access your certificate.
  16. In the Password for: box, type in a name that Internet Explorer will use when prompting for a password to use with your certificate. In the Password: and Confirm: boxes, enter the password you will use to protect your certificate. Click on the Finish button.
  17. Click on the OK Button. You should receive a message saying, "The import was successful".

Your certificate is now password protected. Every time you use it, you will be prompted to enter the password you chose in step 16. You may safely delete the certificate file on your desktop or move it onto backup media for recovery purposes.

How do I make a backup copy of my certificate?
It is especially important to create a backup copy of your certificate since you will use it to encrypt communications. Because your private key is stored separately from your certificate, is known only to you and is in your sole possession, DST cannot replace it if it becomes lost or damaged. Without the private key, it will be impossible to decrypt any messages that have been sent to you in an encrypted format. Therefore, you should create a copy of your certificate and private key. If you are using Netscape or Microsoft browser versions 4.X or later, your browser currently supports certificate export and import. This is also useful if you want to install your certificate on multiple computers.

Certificates created in Internet Explorer can be exported to Netscape Navigator. Certificates created in Netscape Navigator can be imported only into version 5.X or later of Internet Explorer. This is due to the way that Microsoft and Netscape have implemented the certificate export file structure.

Using Internet Explorer

  1. Go to the Internet Options menu (under View in IE version 4, under Tools in IE version 5).
  2. Choose the Content tab.
  3. Click on Certificates.
  4. Highlight the certificate that you want to backup.
  5. Click the Export button.
  6. The Certificate Export Wizard will guide you through the rest of the process.

IMPORTANT: The file will be encrypted using the specific password you supply. You must know this password in order to use the exported certificate. Should someone obtain your exported certificate file without your knowledge, the file is useless without the password. Remember this password, as neither Digital Signature Trust nor Microsoft can help you if you forget the password.

Using Netscape

  1. Click on the lock icon in Netscape to open the Security Properties page.
  2. Click on Certificates, Yours.
  3. If you have not set a Communicator Certificate Database Password, the following dialog box appears:
  4. Enter a password in both password fields, then click OK. Note: You may need to scroll the box down to bring the second password entry box into view. Entering the password twice ensures that it was typed correctly.
  5. Click on the certificate you want to export (Netscape highlights the certificate you select).
  6. Click the Export button and follow the on-screen instructions to save the certificate to a file.

IMPORTANT: The file will be encrypted using the specific password you supply. You must know this password in order to use the exported certificate. Should someone obtain your exported certificate file without your knowledge, the file is useless without the password. Remember this password, as neither Digital Signature Trust nor Netscape Communications Corp. can help you if you forget the password.
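The export described in step 5 of the password-protection procedure above and in both backup procedures writes a PKCS#12 (.pfx) file whose private key is encrypted under the export password. As an added example that is not part of DST's instructions, the following script (assumes OpenSSL is installed) builds the same kind of file from a constructed throwaway key and certificate and checks that the backup opens only with the password it was exported with.

```shell
#!/bin/sh
# Added example, not part of DST's instructions. Reproduces with OpenSSL what
# the Certificate Export Wizard does when "export the private key" is chosen:
# pack key + certificate into a password-protected PKCS#12 (.pfx) file, then
# show that the backup opens only with the export password.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample password; a real export password should be at least this long.
EXPORT_PASS='correct-horse-battery-staple-2000'
export EXPORT_PASS

# Throwaway self-signed key and certificate standing in for a TrustID certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=pfx-backup-demo' \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1

# Export key + certificate into a PKCS#12 file encrypted under EXPORT_PASS.
export_pfx() {
  openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
    -out "$WORK/backup.pfx" -passout env:EXPORT_PASS
}

# Try to unlock the backup with the password given as $1.
# Exit status 0 means the MAC check and key decryption succeeded.
pfx_opens_with() {
  TRY_PASS="$1" openssl pkcs12 -in "$WORK/backup.pfx" -nodes \
    -passin env:TRY_PASS -out /dev/null >/dev/null 2>&1
}

# Report the MAC and key-protection algorithms the file uses, so a weakly
# protected backup can be recognised and re-exported.
pfx_info() {
  openssl pkcs12 -info -in "$WORK/backup.pfx" -noout -passin env:EXPORT_PASS 2>&1
}

export_pfx
pfx_info
if pfx_opens_with "$EXPORT_PASS"; then echo "opens with export password: yes"; fi
if pfx_opens_with 'wrong-password'; then echo "opens with wrong password: yes"; \
  else echo "opens with wrong password: no"; fi
```

The protection is only as strong as the export password, since anyone holding the .pfx file can try passwords against it offline. Backups made with older tools may use RC2-40 to protect the certificates, which OpenSSL 3 reads only with its -legacy switch, so such files are worth re-exporting with current settings.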
