6.3 Issuing soft certificates using a credential profile

Soft (or browser) certificates are not stored on a device such as a card or token; they are stored on your PC. You can either request a certificate and allow the user to collect it using MyID, or you can create a certificate in a password-protected file that you can send to the user.

You issue soft certificates using a credential profile; this treats the package of certificates as a virtual card. Certificates are either added to the recipient's local store or exported as a PFX file. You can remotely administer these certificates as a card, allowing easy disabling, replacing and canceling of the certificates.

You can issue certificates using either a CSP or CNG/KSP.

Note: Issuing and recovering certificates with elliptic curve cryptography (ECC) keys to a software local store (CSP), or as a .pfx file, is not currently supported.

This section provides instructions for working with soft certificates using MyID Desktop. Alternatively, you can use the MyID Operator Client to work with soft certificates; the MyID Operator Client features also allow you to print transport and PIN mailing documents for soft certificates. See the Working with soft certificates section in the MyID Operator Client guide for details.

6.3.1 Requesting soft certificates

To request soft certificates for another user:

  1. From the Cards category, select Request Card.
  2. Use the Find Person screen to find the person to whom you want to issue the certificates.
  3. Select the person.

  4. From the Select Credential Profile list, select a credential profile containing soft certificates.

    See the Setting up a credential profile for soft certificates section in the Administration Guide for details of setting up a profile.

  5. Click Request Card.

You can also request soft certificates in the MyID Operator Client. See the Requesting a device for a person section in the MyID Operator Client guide for details.

6.3.2 Validating soft certificate requests

If the soft certificate credential profile has the Validate Issuance option set, you must validate the request before you can collect the soft certificates.

To validate a soft certificate request:

  1. From the Certificates category, click Validate Certificate Request.

    You can also launch this workflow from the Certificate Administration section of the More category in the MyID Operator Client. See the Using Certificate Administration workflows section in the MyID Operator Client guide for details.

  2. Use the search screen to enter the criteria for the request, then click Search.

    The list of requests that require validation is displayed.

  3. Select the job you want to validate and view its details.

  4. If required, you can change the credential profile for the request by selecting a different soft certificate credential profile from the drop-down list.

  5. Click Accept to validate the request, or Reject to cancel the request. If you reject the request, you must provide a reason.

6.3.3 Collecting soft certificates

Once an administrator has requested a credential profile containing soft certificates, the user can collect the certificates.

To collect your certificates:

  1. Log in to MyID using an existing card or passwords.
  2. From the Certificates category, click Collect My Certificates.

    Note: You can also launch this workflow from the self-service menu in the MyID Operator Client. See the Launching self-service workflows section in the MyID Operator Client guide for details.

    MyID checks for any pending soft certificates.

    If the certificates are taking a long time to issue, you can:

    • Click Cancel – you can exit the workflow and collect the certificates later.
    • Click Fail – you can exit the workflow, but the certificates are marked as failed. Any failed certificates must be requested again.
  3. Once the certificates are ready, the next action depends on the Storage Method setting for the certificate policy in the credential profile:

    • FileStore – type and confirm the password for the PFX file, then click Save.

      You can use the following characters in PFX passwords:

      a-z A-Z 0-9 ! \ " # $ % ' ( ) * + - . / : ; = ? @

      Note: You cannot use spaces.

      Choose a location and name for the PFX file, then click Save.

      You can now double-click the PFX file, enter the password, and add it to your certificate store.

      Note: If you want to issue certificates using CNG/KSP, you must use the certutil utility to import the PFX rather than just double-clicking on the file, as double-clicking automatically loads the private key into the Microsoft Enhanced Cryptographic Provider; that is, a CSP rather than a KSP.

    • SystemStore – the certificate is stored automatically in the Personal certificate store of the logged-on Windows user.

    Note: If the Storage Method is set to AutoSave, the Collect My Certificates workflow behaves in the same way as with SystemStore. If you want to use the AutoSave option to save the certificate to a USB device automatically, you must use the MyID Operator Client to collect the soft certificate request instead.
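The following PowerShell session is an added example, not part of the MyID documentation, showing the certutil import that the CNG/KSP note above calls for and a check that the private key really landed in a KSP rather than a CSP. The PFX path and subject filter are placeholders; certutil prompts for the PFX password when -p is omitted, so the password never appears on the command line.

```powershell
# Added example (not from the MyID documentation).
# Import a MyID-issued PFX into the current user's Personal store through the
# Microsoft Software Key Storage Provider (a KSP), then confirm which provider
# holds the private key. Path and subject filter below are placeholders.

$PfxPath = 'C:\Users\alice\Downloads\MyID-soft-certs.pfx'   # placeholder path

# -csp selects the key storage provider. Double-clicking the PFX would instead
# place the key in "Microsoft Enhanced Cryptographic Provider v1.0", a legacy CSP.
# Without -p, certutil prompts for the PFX password interactively.
certutil -user -csp 'Microsoft Software Key Storage Provider' -importPFX $PfxPath
if ($LASTEXITCODE -ne 0) { throw "certutil import failed with exit code $LASTEXITCODE" }

# Verify the provider type: RSACng means the key is held by a KSP,
# RSACryptoServiceProvider means it went into a CSP.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like '*alice*' } |   # placeholder filter
    Sort-Object NotBefore -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'No matching certificate with a private key was found.' }

$key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
'{0}  {1}  key type: {2}' -f $cert.Thumbprint, $cert.Subject, $key.GetType().Name
if ($key -is [System.Security.Cryptography.RSACng]) {
    'Provider: ' + $key.Key.Provider.Provider
} else {
    Write-Warning 'Private key is held by a CSP, not a KSP; re-import with -csp.'
}
```

Run this in Windows PowerShell 5.1 or PowerShell 7 on Windows. The key-type check is the quickest way to tell the two outcomes apart after the fact: a certificate that was added by double-clicking the PFX reports RSACryptoServiceProvider, while one imported with the -csp option above reports RSACng.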

6.3.4 Working with certificate packages

Once you have issued a certificate package, it is treated as a virtual card by MyID. For example, you can enable or disable the package using Enable/Disable Card, and the certificates will be suspended or unsuspended; you can cancel the package using Cancel Credential, and the certificates will be revoked.

You can cancel a soft certificate package in the MyID Operator Client; on the View Device screen, click Cancel Device. See the Canceling a device section in the MyID Operator Client guide for details.

You can request a renewal for a soft certificate package in the MyID Operator Client; on the View Device screen, click Request Device Renewal. See the Renewing a device section in the MyID Operator Client guide for details.

Certificate packages appear in the list of cards with names like "Certificate Package 1451".