13 Working with soft certificates

Soft certificates are stored on your PC, or on removable storage such as a USB stick, rather than issued to a smart card. You can either request a certificate and allow the user to collect it to their PC's certificate store using MyID, or you can create a certificate in a password-protected file that you can send to the user. MyID allows you to print a transport document to accompany the soft certificate package, and a separate PIN mailer document that you can send under different cover to the user.

You issue soft certificates using a credential profile; this treats the package of certificates as a virtual smart card. Certificates are added to the recipient's local store, or exported as a PFX file to a folder of your choosing, or automatically saved to a USB device. You can remotely administer these certificates as a card, allowing easy disabling, replacing and canceling of the certificates.

Important: Collecting soft certificates in the MyID Operator Client requires the MyID Client Service to be running on the client, and the rest.provision web service to be running on the web server. In addition, you must have the WebView2 component installed on the client PC to be able to print transport or mailing documents; see the Microsoft WebView2 Runtime section in the Installation and Configuration Guide.

Note: Issuing and recovering certificates with elliptic curve cryptography (ECC) keys to a software local store (CSP), or as a .pfx file, is not currently supported.

MyID allows you to work with soft certificates in the following ways:

• Create a credential profile for soft certificates.

  See the Setting up a credential profile for soft certificates section in the Administration Guide for details of setting up a credential profile that allows you to issue software certificate packages.

• Request a soft certificate for a person.

  To request a soft certificate for a person, request a device using the soft certificate credential profile you created.

  See section 4.5, Requesting a device for a person.

• Approve the request for a soft certificate

  If you set the Validate Issuance option on the soft certificate credential profile, an operator must approve the request before you can collect the soft certificate package.

  See section 6.2.1, Approving requests.

• Collect a soft certificate.

  You can collect a soft certificate to the local PC's system certificate store, to a .pfx file located anywhere on your file system, or automatically saved to a USB device attached to your PC, depending on how the credential profile is configured.

  See section 13.1, Collecting a soft certificate.

• Print transport and PIN mailer documents for a soft certificate

  See section 13.2, Printing mailing documents for a soft certificate package.

• Cancel a soft certificate package, revoking its certificates.

  See section 5.6, Canceling a device.

• Disable a soft certificate package, suspending its certificates.

  See section 5.21, Enabling and disabling devices.

• Request a replacement for a soft certificate package.

  See section 5.3, Requesting a replacement device.

• Customize the automatically-created certificate file names.

  See section 13.3, Customizing certificate file names.