Jump to: Auto-install for Apple and manual instructions for Apple or PC.
Background & Why Your Device May Not Auto-Trust
If you received a Digitally Signed or Digitally Certificated document from our company or an employee, typically a PDF or email, your system may not recognize the Issuer by default, especially on #Apple devices. Your program will mistakenly tell you the certificate is invalid and thus not trusted. That’s not the full story. Our certificates are issued by IdenTrust. They are part of the IGC series of certificates issued by IdenTrust, part of the very reputable HID Global Group (an international security firm).
Why? Our certificates let us transact with the Federal, State, local, and international governments, letting authorities trust works. This series of certificate is required for Notary works. Most laypersons just don’t need that level of trust built-in: they don’t work with governments.
That doesn’t mean our certificates are worthless or insufficient. It just means the Federal government of the U.S. co-vouches for identity in the trust chain. These are still vetted by authoritative, respected, audited firms (like IdenTrust/HID Global).
Therefore, you should manually validate our certificates if your device doesn’t automatically do it. Or, if you’ll be communicating with an employee here often, you/your administrator ought to simply install these Intermediate & Root Certificates onto your computer(s). After installing, make sure to set these to “(Always) Trusted.”
Alternatively, you can also bypass the abone and just install the employee’s certificate, when prompted by your program. Then, mark it as Trusted (but that bypasses the idea of a Chain of Trust).
How do Certificate Authorities Work, What are Root Certificates, and How do They Build a Web Chain of Trust?
Very trustworthy, monitored, regularly audited companies (called Certificate Authorities–”CAs”) issue the various Root (and Intermediate) Certificates that power the Internet’s trust system. Each end-user Certificate (like the one in my PDFs or emails) links to at least one Intermediate CA, and every Intermediate links to a primary Root Certificate. Some Roots are cross-signed by other CAs. This provides a stronger web of trust, and it provides for a fallback (e.g., your computer may be able to use one of the cross-signed certificates instead of our CA’s [IdenTrust, an HID Global company]).
All computers come with certain Root and Intermediary CA certificates by default. These are called Trust Stores. Browsers come with Trust Stores too: that lets you see if an HTTPS website is trustworthy (like this one!). But your computer may be missing some CAs because you just don’t need them–not necessarily because they’re risky. In this case, Adobe Acrobat (or your email client) will automatically reject/caution you.
Which CA Certificates Do I Need, and Where do I Get Them?
To fix, just install the certificates below: three are required. Download them DIRECTLY from the CAs at the EXACT links provided below. NEVER download Root Certificates from a third-party: this destroys the chain of trust in case of a malicious middleman!
Further, these are the ONLY CAs that you’ll need for *our* document signing Certificates. CEK Enterprises, Inc. does not warranty these CAs or their certificates and make no representation of support for such Roots.
Auto Install & Auto-Trust: macOS, iPadOS, iOS, tvOS
If you are in an Apple ecosystem, simply download this preconfigured, signed profile from within Safari (MUST be Safari!).
- Then, open your Preferences app, and click on the Profile tab that appears.
- Accept to Install
- Voila! Your device fully trusts all our certificates for emails and documents.
- Apple Profile: Apple vouches for us as the author of the profile itself (they are a Root CA).
Manual Install: Windows, Android, and Apple Ecosystem
U.S. FEDERAL: CERTIFICATE AUTHORITY–ALSO CROSS-SIGNS IDENTRUST’S CERTIFICATES (BUILDING A WEB OF TRUST)
The federal government no longer issues root CAs as of 2016, but their existing roots are valid until they expire. Since they cross-sign IdenTrust’s Roots, it’s helpful to install these too. It’s not always required. These Roots may help your computer/device trust many other valid certificates, too.
In most cases, you can simply download (and manually trust FCP CA G2), which then sets the trust chain. We recommend installing at least all -4- certs marked with an asterisk*.
- MANDATORY! Federal Common Policy CA G2 certificate (manually trust)
- *REQUIRED: Federal Bridge CA G4 certificate
IDENTRUST–A Certificate Authority–Issues Employee Digital Certificates
IdenTrust is well trusted (undergoing rigorous annual audits by the U.S. government), estables Root CA and is part of HID Global, a major physical- and digital security firm trusted worldwide. Do you use a keycard at work? HID issues the majority of those! Anyway, you may need some or all of these to automatically validate our end user Certificates:
- *REQUIRED: IdenTrust Global Commons certificate (“IGC”)
- The IdenTrust IGC certificate is Trusted by the US Federal Government, who vouches for its authenticity and rigorous QA and QC procedures to validate identity of certificate holders
- HELPFUL: IdenTrust Public Trust – Root
- HELPFUL: IdenTrust Public Trust – Intermediate
- OPTIONAL: IdenTrust Commercial Root CA 1
Again, you may simply mark a certificate from us as “Trusted” within Adobe Acrobat (or your system’s certificate store), if you wish.
*REQUIRED. Remember, you can always bypass every CA and just mark our specific certificates as trusted directly. That defeats the purpose, though! Installing these CAs also automatically distrusts our certificate(s) if it’s compromised. You’d miss out on auto-revocation alerts if you skipped installing the full trust chain (the above certificates).
FUN FACTS
Did you know? Digital Signing Certificates must be reissued at least every 36 months, or as often as every 12 months? Authorities decided this to be in the best interest of maintaining trust. Also, it helps them in their regulatory- and self-imposed audit requirements.
By reissuing, the CA reviews important information to make sure the certificate holder (an employee) is still who s/he says s/he is. The CA may demand multiple forms of genuine identification, validate email address, validate business across several databases, validate each end user’s home address to link to a real person, validate phone numbers, and more. Sometimes, the CA may even require appearance before a Notary Public or Clerk of Court as part of the application (including renewal applications). Talk about Trust!!