Personal Authentication Certificates can be used to add a trusted digital signature to emails and documents, and to encrypt emails. This guide will walk you through the full process of obtaining a Personal Authentication Certificate, from purchase and certificate generation to collection and installation.
Quick Overview of the Personal Authentication Certificate Process
The steps for obtaining a Personal Authentication Certificate are very similar to the SSL and Code Signing certificate processes. After you purchase the Personal Authentication certificate, you will be required to generate it on your account with us, and then complete validation with the Certificate Authority (CA).
We have three types of Personal Authentication Certificates:
- Basic – The certificate will only verify the user’s email address.
- Pro – The certificate will verify the user’s full name as well as email address.
- Enterprise – The certificate will verify the user’s full name, email address, and also provide details about their organization.
For more information, check out our Personal Authentication Certificate product page.
Once you have decided which certificate you need, you’ll follow these steps:
- Purchase your certificate. You will provide the exact details for the certificate after purchasing.
- Generate the certificate. You will need to use Internet Explorer 11 (Windows) to generate the certificate on your account.
- Complete the validation requirements. The requirements for validation depend on the type of certificate you have requested.
- Collect the certificate. You will receive an email from the CA with instructions for collecting your certificate. You must use the Internet Explorer browser on the same computer that you used to generate the certificate.
- Download/export the certificate. After you successfully collect the certificate in your browser, you can download the PKCS12/PFX file from the browser’s certificate store.
- Install the certificate. Once you have downloaded the certificate file from your browser, you can install it on your PC or in your email client, and you can also move it to another system if needed.
Generating your certificate
Step 1 – Make Sure You’re Using the Right Browser
Generating a Personal Authentication Certificate requires using a browser that has certificate/key generation capabilities. At this time, the only browser that supports certificate generation is Internet Explorer 11. Our site will not allow a different browser for certificate generation.
Step 2 – Generate Your Certificate
Open Internet Explorer and log in to your account on thesslstore.com to start the generation process.
Once you have logged in and accessed your dashboard, locate the certificate order and click “Generate Cert Now”. Check for the order in your Incomplete Orders page if you don’t see it on your Recent Orders list.
On the generation form, you will be asked to provide information about the end user of the certificate. The email address that you provide in the Login Information section should be the address that is meant to use this certificate.
The generation form for Basic and Pro certificates does require organization details even though the certificate will not include them. If you do not have an organization, you can provide your own name and address (remember, these details will not be on the certificate).
For an Enterprise certificate, please provide the legal name of the company and the address that is listed on the legal registration for the company. The Certificate Authority will need to verify this information through government and third-party business websites, so everything will need to match up exactly.
Once you have filled out all the required information, click “Submit” and allow the browser some time to save the certificate data. It may take a few minutes for this process to finish.
Validating your certificate
After the certificate has been generated, the Certificate Authority will need some time to process the order and begin the validation process with you.
The Basic certificate does not require any special validation and can be issued almost immediately after generating the order.
For the Pro certificate, the CA must verify the user’s identity using a government-issued photo identification card, such as a driver’s license or passport.
You can scan or take a picture of the card, making sure that the information is legible, and submit the document directly to the CA, or contact our support team for additional assistance.
The Enterprise certificate also requires identity verification of the user with a government-issued photo ID.
In addition to the identity verification requirement, the CA must also confirm the organization’s registration status by checking the appropriate government website for your region, such as your state’s Secretary of State website, or your country’s government site.
Finally, the CA must also confirm the organization’s address and telephone number, then complete a verification phone call with the certificate user using the number verified from a third-party source.
Your organization’s address and phone number cannot be verified using your own website or any unapproved website source. The following websites are approved for use in organization validation:
- Dun and Bradstreet
- Better Business Bureau
- Yellow Pages
To get through the validation process as quickly as possible, we recommend that you make sure your organization has a listing on one of these approved business websites, and that the information on the listing is up-to-date and matches your government registration.
If you prefer not to have your organization listed on one of these sites, you will need to submit a Professional Opinion Letter signed by an attorney or accountant instead.
Please contact our support team if you have any questions about this requirement. We’re always happy to assist.
Collecting your certificate
After the validation process is completed and the CA has issued the certificate, the user will receive an email containing a link and a code to complete the certificate collection process.
PLEASE NOTE: You must access the collection page using the same browser and same computer that originally generated the certificate.
Step 1 – Collect the certificate in the browser
Open the collection link in Internet Explorer. You may need to copy and paste the link into the browser rather than click it, as that might open the link in a different browser that will not work to complete the process.
Provide the user’s email address and collection code from the CA’s email, then click the button to ACCEPT the terms of the Subscriber Agreement. Click Submit & Continue when you are ready to proceed.
On the next page, click the “Request My Certificate Now” button to collect the certificate into the browser’s certificate store. This process can take a few minutes, but you should get another confirmation email when the certificate is ready.
While the certificate is being collected, please leave the browser open, and do not refresh the page, click the Back button, or navigate away from the page.
When the collection process is done, you should see a pop-up informing you that the certificate is installed in the browser.
Step 2 – Download the certificate from the browser’s store
Your certificate is now saved in the browser’s certificate store and can be downloaded from there. For full instructions on completing this process, check out our certificate collection guide for Internet Explorer.
Installing your certificate
The certificate collected from your browser should be a PFX-format file, which contains the certificate together with its public and private keys. Once you have this file, you can proceed to install it on your system, or transfer it to another system to install there.
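Before importing the PFX, it is worth confirming that it holds what you expect. The PowerShell below is an added example, not part of the original guide or the vendor's tooling; the file path and email address are placeholders you must replace.

```powershell
# Added example: check a PFX before installing it for email signing/encryption.
# $PfxPath and $ExpectedEmail are placeholders, not values from this guide.
$PfxPath       = "$env:USERPROFILE\Documents\personal-auth.pfx"
$ExpectedEmail = 'user@example.com'
$SecureEmail   = '1.3.6.1.5.5.7.3.4'   # OID of the Secure Email (emailProtection) EKU

$password = Read-Host -Prompt 'PFX password' -AsSecureString

# Load the file only to inspect it; nothing is added to a certificate store yet.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
             -ArgumentList $PfxPath, $password, $flags

# Email address from the subject or the subjectAltName (rfc822Name).
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::EmailName
$email    = $cert.GetNameInfo($nameType, $false)

# Collect the OIDs listed in the Enhanced Key Usage extension, if present.
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$ekuOids = @($cert.Extensions |
    Where-Object   { $_ -is $ekuType } |
    ForEach-Object { $_.EnhancedKeyUsages } |
    ForEach-Object { $_.Value })

$now      = Get-Date
$problems = @()
if (-not $cert.HasPrivateKey)           { $problems += 'no private key in the file' }
if ($email -ne $ExpectedEmail)          { $problems += "email in certificate is '$email'" }
# A certificate with no EKU extension at all is also flagged by this check.
if ($ekuOids -notcontains $SecureEmail) { $problems += 'Secure Email EKU not listed' }
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $problems += "outside validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}

Write-Host "Subject:    $($cert.Subject)"
Write-Host "Issuer:     $($cert.Issuer)"
Write-Host "Expires:    $($cert.NotAfter)"
Write-Host "Thumbprint: $($cert.Thumbprint)"
$cert.Dispose()

if ($problems.Count -gt 0) {
    throw "Not importing ${PfxPath}: $($problems -join '; ')"
}

# Import into the current user's Personal store. -Exportable is deliberately
# omitted, so the private key cannot be exported from this store afterwards.
Import-PfxCertificate -FilePath $PfxPath -Password $password `
    -CertStoreLocation Cert:\CurrentUser\My
```

Because the PFX file itself remains a portable copy of the private key, keep it in protected storage with a strong password, or delete it once the certificate is installed everywhere it is needed.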
Depending on your email client, you may need to import the certificate there and configure your settings to start using it. We have a guide for installing a certificate in Microsoft Outlook. For other email clients, please refer to the appropriate support documentation regarding the certificate installation process.
Please note: You can only send encrypted emails to a recipient who has their own email signing certificate installed on their side, after you have already exchanged signed emails with them. You can send signed emails to anyone.