How to create and use your signing certificate


Your digital signing certificate identifies you in the electronic world. A digital certificate can be used by several software applications: for example, for access to secure servers, encrypting data, signing e-mails, and other functions. Your digital certificate is created outside of the IP-Protector application. A copy of the certificate together with its private key is then exported to a file that IP-Protector can read.


Steps:

  1. Creating your private signing key and certificate
  2. Exporting your certificate for access by IP-Protector
  3. Recording key storage location information in IP-Protector
  4. Accessing the private key to create a signature

There is an alternate approach that uses a smart card to store your signing key that you can read about here.

 

Step 1. Creating your private signing key and requesting a public key certificate


Several vendors listed below issue signing certificates (a certificate for your public key, with the matching private key created during their enrollment process) that can be used in the IP-Protector application.


There are several techniques for creating key pairs and certificates. Each vendor's web site below describes its own process for creating your keys and its free trial. Alternatively, your organization may have its own defined process for issuing signing certificates. IP-Protector only requires that the certificate and its key pair be stored in a PKCS #12 file (the Personal Information Exchange format, published as RFC 7292).




Vendors that provide CA services

The vendors listed below are examples of CAs that issue certificates. Most of them provide a free trial certificate for your initial testing.


Your public key is packaged in an X.509 certificate. The certificate binds your identity to that public key and is signed by the certification authority (CA), an external party that has checked your identity and verified that you possess the associated private key. That CA signature is the essential element in the trust model of your digital signature: whoever verifies your signature trusts it only as far as they trust the CA that issued the certificate.

 

Comodo offers their Free Secure Email Certificates here.


Global Sign offers their PersonalSign certificates here.

 

Trustwave offers their Secure Email Digital IDs here.

 


 

Step 2. Exporting your certificate for access by IP-Protector


Exporting your certificate is the same operation as making a backup copy of it. You make two decisions during this process:

  1. Where to store the certificate file. We suggest putting the copy on a removable disk such as a thumb drive. The file is encrypted with your password, so it could be stored anywhere on your computer, but anyone who obtains a copy of the file can try to guess the password offline at their leisure, which is why the next decision matters.
  2. The password that protects the file. It should be difficult to guess: a mix of letters and numbers (other characters help too), longer than 10 characters. The security of your signing certificate is only as good as the password you choose.

There are additional details about protecting your private key on our web site here.

 

How you export the signing certificate depends on the browser that you use.


In Internet Explorer:
Go to TOOLS --> INTERNET OPTIONS

Click the Content tab

Click the Certificates button

Click the Personal Tab

Select the certificate you wish to use in IP-Protector

Click the Export button and follow the wizard.

- Make sure to export your private key and choose a good password.

- Choose "Personal Information Exchange - PKCS #12" (do not check "Enable Microsoft Strong Protection" )



Firefox:
Go to TOOLS --> OPTIONS

Click the Advanced Icon

Click the View Certificates button

Click the Your Certificates Tab

Select the certificate you wish to use in IP-Protector

Click the Backup button and follow the wizard.

- Make sure to export your private key and choose a good password.




In Netscape browser:
Go to EDIT --> PREFERENCES

Open the Privacy and Security list

Click Certificates, then click the Manage Certificates button

Go to the Your Certificates tab

Select the certificate you wish to use in IP-Protector

Click the Backup button and follow the prompts. Make sure to choose a good password.



In Internet Explorer 4:
Go to VIEW --> INTERNET OPTIONS

Click the Content Tab

Click the Personal Tab

Select the certificate you wish to use in IP-Protector

Click the Export button and follow the wizard. Make sure to export your private key and choose a good password. 




In Netscape Messenger:
Go to COMMUNICATOR --> TOOLS --> SECURITY INFO

Under Certificates, click Yours

Select the certificate you wish to use in IP-Protector

Click the Export button and follow the instructions on screen. Make sure to choose a good password.




Step 3. Recording key storage location information in IP-Protector


This is a one-time setup task that tells IP-Protector where the signing key is stored. Each time you create a signature, the software accesses this storage location and asks you for your password. During this setup step itself, the signing key file is not opened or read.


Here is a screen shot where you enter this information.

  • Short, descriptive name - This is just for your reference, to distinguish between multiple signing keys. If you have just one, for example, you might name it "trial key".
  • File location - The file that contains the key. This file must be a PKCS #12 record (typically a .pfx or .p12 file) and can be created using the two steps above. You might save it on a removable disk, for example, A:/signature.pfx


 

Step 4. Accessing the private key to create a signature

The private key is stored inside the file you specified in the previous step and can be accessed only by providing your password. With your password, the private key is retrieved from the file and used to calculate your signature. The signature calculation is done inside the IP-Protector software.


Here is a screen shot where you enter your password and the software retrieves the key.


The check box option "save password for subsequent uses" lets the software keep the private key in memory until you close the application, so you do not need to re-enter your password for each signature. If you leave it unchecked, the software makes a best effort to remove the private key from memory immediately after each signature is generated. Checking the box is a convenience with a cost: for as long as the application stays open, the unlocked key is present in its memory and available to anyone who can use that session, so prefer to leave it unchecked on a shared or unattended machine.
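What Step 4 does inside IP-Protector, shown as an added shell example with openssl (this is not the product's code): the password opens the PKCS #12 file, the private key is piped directly into the signing command so no decrypted copy is written to disk, and the resulting signature is verified with nothing but the certificate. It assumes a POSIX shell with /dev/stdin and the openssl command line tool, and it rebuilds a throw-away test credential inline so it runs on its own; the document, file names and password are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not IP-Protector's own code: unlock the PKCS #12 file from
# Step 3 with the password, sign a document, and verify the signature.
# Assumptions (not from the original page): a POSIX shell with /dev/stdin and
# the openssl CLI (1.1.1 or 3.x). The credential, document and password are
# constructed here for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS='Tr1al-K3y_export-2024!'

# Constructed stand-in for the credential exported in Steps 1 and 2.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
    -subj '/CN=Test Signer' -keyout "$WORK/signer.key" \
    -out "$WORK/signer.crt" >/dev/null 2>&1
P12PASS="$PASS" openssl pkcs12 -export -inkey "$WORK/signer.key" \
    -in "$WORK/signer.crt" -keypbe AES-256-CBC -certpbe AES-256-CBC \
    -macalg sha256 -passout env:P12PASS -out "$WORK/signature.pfx"
rm "$WORK/signer.key"   # from here on the only copy of the key is inside the .pfx
# The public key is not secret; keep it on disk for verification.
openssl x509 -in "$WORK/signer.crt" -pubkey -noout > "$WORK/signer.pub"

# Step 4: the password unlocks the PKCS #12 record and the PEM private key
# flows through the pipe into "dgst -sign /dev/stdin". The sed filter drops
# the bag-attribute lines so only the key itself reaches the signer. Nothing
# writes the decrypted key to disk, which is the script equivalent of
# removing the key from memory as soon as the signature is made.
sign_document() {        # usage: sign_document <password> <document> <signature-out>
    P12PASS="$1" openssl pkcs12 -in "$WORK/signature.pfx" -nocerts -nodes \
        -passin env:P12PASS 2>/dev/null \
    | sed -n '/^-----BEGIN/,/^-----END/p' \
    | openssl dgst -sha256 -sign /dev/stdin -out "$3" "$2" 2>/dev/null
}

# Verification needs only the public key from the certificate, no password.
verify_signature() {     # usage: verify_signature <document> <signature>
    openssl dgst -sha256 -verify "$WORK/signer.pub" -signature "$2" "$1" \
        >/dev/null 2>&1
}

# Constructed document, plus a copy with one digit changed.
printf 'Agreement v1: party A pays party B 100 units.\n' > "$WORK/doc.txt"
printf 'Agreement v1: party A pays party B 900 units.\n' > "$WORK/tampered.txt"

sign_document "$PASS" "$WORK/doc.txt" "$WORK/doc.sig"
verify_signature "$WORK/doc.txt" "$WORK/doc.sig" && echo 'original: signature valid'
verify_signature "$WORK/tampered.txt" "$WORK/doc.sig" || echo 'tampered: signature rejected'
sign_document 'wrong-password' "$WORK/doc.txt" "$WORK/bad.sig" || echo 'wrong password: no signature produced'
```

The wrong-password case fails at the MAC check on the PKCS #12 file, before any decryption, so the signer never sees a key; the tampered-document case fails because the signature covers a SHA-256 digest of the exact bytes that were signed.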


There is an alternate approach that uses a smart card to store your signing key and optionally generate the signature that you can read about here.

