14 Working with soft certificates

Soft certificates are stored on your PC, or on removable storage such as a USB stick, rather than issued to a smart card. You can either request a certificate and allow the user to collect it to their PC's certificate store using MyID, or you can create a certificate in a password-protected file that you can send to the user. MyID allows you to print a transport document to accompany the soft certificate package, and a separate PIN mailer document that you can send under different cover to the user.

You issue soft certificates using a credential profile; this treats the package of certificates as a virtual smart card. Certificates are added to the recipient's local store, or exported as a PFX file to a folder of your choosing, or automatically saved to a USB device. You can remotely administer these certificates as a card, allowing easy disabling, replacing and canceling of the certificates.

Important: Collecting soft certificates in the MyID Operator Client requires the MyID Client Service to be running on the client, and the rest.provision web service to be running on the web server. In addition, you must have the WebView2 component installed on the client PC to be able to print transport or mailing documents; see the Microsoft WebView2 Runtime section in the Installation and Configuration Guide.

Note: By default, when MyID issues software certificates, it encrypts the passwords protecting the PFX files using AES256/SHA2. However, some Operating Systems do not support this modern security standard, which creates a problem when importing the certificates onto these; for example, any Apple OS (macOS or iOS), any Windows Server OS lower than Windows 2019, and any Windows client OS lower than Windows 10 build 1709. If you want to import software certificates onto an OS that does support not the encryption of PFX files using AES256/SHA2, you must set the Use SHA1 encryption for certificates issued as PFX files option in the Server tab of the Security Settings workflow to Yes.

Note: Issuing and recovering certificates with elliptic curve cryptography (ECC) keys to a software local store (CSP), or as a .pfx file, is not currently supported.

MyID allows you to work with soft certificates in the following ways:

• Create a credential profile for soft certificates.

  See the Setting up a credential profile for soft certificates section in the Administration Guide for details of setting up a credential profile that allows you to issue software certificate packages.

• Request a soft certificate for a person.

  To request a soft certificate for a person, request a device using the soft certificate credential profile you created.

  See section 4.9, Requesting a device for a person.

• Approve the request for a soft certificate

  If you set the Validate Issuance option on the soft certificate credential profile, an operator must approve the request before you can collect the soft certificate package.

  See section 6.2.1, Approving requests.

• Collect a soft certificate.

  You can collect a soft certificate to the local PC's system certificate store, to a .pfx file located anywhere on your file system, or automatically saved to a USB device attached to your PC, depending on how the credential profile is configured.

  See section 14.1, Collecting a soft certificate.

• Print transport and PIN mailer documents for a soft certificate

  See section 14.2, Printing mailing documents for a soft certificate package.

• Cancel a soft certificate package, revoking its certificates.

  See section 5.7, Canceling a device.

• Disable a soft certificate package, suspending its certificates.

  See section 5.22, Enabling and disabling devices.

• Request a replacement for a soft certificate package.

  See section 5.4, Requesting a replacement device.

• Customize the automatically-created certificate file names.

  See section 14.3, Customizing certificate file names.