14 Working with soft certificates
Soft certificates are stored on your PC, or on removable storage such as a USB stick, rather than issued to a smart card. You can either request a certificate and allow the user to collect it to their PC's certificate store using MyID, or you can create a certificate in a password-protected file that you can send to the user. MyID allows you to print a transport document to accompany the soft certificate package, and a separate PIN mailer document that you can send under different cover to the user.
You issue soft certificates using a credential profile; this treats the package of certificates as a virtual smart card. Certificates are added to the recipient's local store, or exported as a PFX file to a folder of your choosing, or automatically saved to a USB device. You can remotely administer these certificates as a card, allowing easy disabling, replacing and canceling of the certificates.
Important: Collecting soft certificates in the MyID Operator Client requires the MyID Client Service to be running on the client, and the rest.provision web service to be running on the web server. In addition, you must have the WebView2 component installed on the client PC to be able to print transport or mailing documents; see the Microsoft WebView2 Runtime section in the Installation and Configuration Guide.
- IKB-392 – Software certificates fail to import on older Windows versions or Apple devices
  Changes were introduced to the method MyID uses to generate software certificates in MyID 12.7.
  When MyID issues software certificates, it encrypts the passwords protecting the PFX files using AES256/SHA2.
  This is a modern security standard, but it creates a problem when importing the certificates on devices that do not support it; for example, any Apple OS (macOS or iOS), any Windows Server OS lower than Windows 2019, and any Windows client OS lower than Windows 10 build 1709.
  If you are affected by this issue, contact Intercede customer support for further assistance, quoting reference IKB-392.
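As an added example, not code from the MyID documentation or product, the following shell script uses the openssl command line to export a test certificate as a PFX file in each of the two password-based encryption profiles discussed above (AES-256 with SHA-2, and the older SHA-1/3DES profile that pre-Windows 10 1709 and Apple platforms can import) and provides a check that reports which profile a given .pfx file uses, so a package can be verified before it is sent to a user. The key, certificate, password and function names are constructed for this example and are not taken from MyID.

```shell
#!/bin/sh
# Added example (not MyID code): classify the password-based encryption used
# inside a PKCS#12/PFX package. Requires the openssl CLI; the key, certificate
# and password below are constructed test material.
set -eu

# Collect the algorithm lines "openssl pkcs12 -info" reports; openssl writes
# them to stderr, so stderr is merged into the captured output.
pfx_algorithms() {
    openssl pkcs12 -info -noout -in "$1" -passin "pass:$2" 2>&1
}

# Report "modern" (PBES2: AES-256-CBC, PBKDF2 with a SHA-2 PRF, SHA-2 MAC),
# "legacy" (PKCS#12 PBE with SHA-1 and 3DES/RC2, importable on older
# Windows and Apple platforms), or "mixed" when a file combines both.
pfx_profile() {
    info=$(pfx_algorithms "$1" "$2")
    modern=0; legacy=0
    printf '%s\n' "$info" | grep -q 'PBES2' && modern=1
    printf '%s\n' "$info" | grep -q 'pbeWithSHA1And' && legacy=1
    if [ "$modern" -eq 1 ] && [ "$legacy" -eq 0 ]; then echo modern
    elif [ "$legacy" -eq 1 ] && [ "$modern" -eq 0 ]; then echo legacy
    else echo mixed; fi
}

# Build a throwaway key and self-signed certificate, then export it twice:
# once with the modern profile and once with the legacy profile. Prints the
# directory holding modern.pfx and legacy.pfx (password: Example1).
make_test_pfx() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=soft-cert-example" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
        -out "$dir/modern.pfx" -passout pass:Example1 \
        -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg sha256
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
        -out "$dir/legacy.pfx" -passout pass:Example1 \
        -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1
    echo "$dir"
}

# Usage: "sh thisscript.sh demo" builds both files and classifies them.
if [ "${1:-}" = "demo" ]; then
    d=$(make_test_pfx)
    echo "modern.pfx: $(pfx_profile "$d/modern.pfx" Example1)"
    echo "legacy.pfx: $(pfx_profile "$d/legacy.pfx" Example1)"
fi
```

To check a real package, call pfx_profile with the file and the password from the PIN mailer; "legacy" or "mixed" means the file still contains algorithms the older platforms listed above can import.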
Note: Issuing and recovering certificates with elliptic curve cryptography (ECC) keys to a software local store (CSP), or as a .pfx file, is not currently supported.
MyID allows you to work with soft certificates in the following ways:
- Create a credential profile for soft certificates.
  See the Setting up a credential profile for soft certificates section in the Administration Guide for details of setting up a credential profile that allows you to issue software certificate packages.
- Request a soft certificate for a person.
  To request a soft certificate for a person, request a device using the soft certificate credential profile you created.
- Approve the request for a soft certificate.
  If you set the Validate Issuance option on the soft certificate credential profile, an operator must approve the request before you can collect the soft certificate package.
- Collect a soft certificate.
  Depending on how the credential profile is configured, you can collect a soft certificate to the local PC's system certificate store, to a .pfx file located anywhere on your file system, or have it automatically saved to a USB device attached to your PC.
- Print transport and PIN mailer documents for a soft certificate.
  See section 14.2, Printing mailing documents for a soft certificate package.
- Cancel a soft certificate package, revoking its certificates.
- Disable a soft certificate package, suspending its certificates.
- Request a replacement for a soft certificate package.
- Customize the automatically-created certificate file names.