How to Search for Enterprise PKI (EPKI) Client Certificates - AATL and PersonalSign
Jun 27, 2023
Overview
The following guide explains how to search for Enterprise PKI Client Certificate orders.
For the ongoing ICA revocations described on the ICA Revocations and Remediation Steps page, follow the steps below to find impacted PersonalSign and AATL orders.
- Log into your GlobalSign GCC Account (www.globalsign.com/login) with your username (format example: PAR98764_username) and password.
- Click the top tab labeled “Enterprise PKI”, then click “Search Certificates” in the left-side menu. Then click “Show Advanced Search”.
- Enter the appropriate Advanced Search criteria.
In this example (related to the ongoing ICA revocations) enter the following search criteria and then click Search:
- “Issue Date is”
- “before”
- Enter Date:
  - For PersonalSign (EPKI Lite for Personal Digital ID or Department Digital ID) orders, enter Nov 11, 2020
  - For AATL (EPKI AATL Signing for Adobe PDF) orders, enter Oct 14, 2020
- Click “Search”.
Next Steps:
To Reissue:
- For each record that appears, select “Application” and then scroll to the bottom of the page.
- Note: If the certificate expires before February 24th, 2021, you do not need to reissue it. You can renew the certificate instead.
- Click on the “Reissue Certificate” button.
- Note: The certificate identity information can’t be changed – it’s hard-coded to reflect your current certificate details.
- Enter a one-time certificate pick-up password, which you will need to give to the certificate holder through an out-of-band method, and click Next.
- Confirm details and then click “Complete”.
- An email will then be sent to the Certificate holder’s email (similar to what they received during the initial ordering process).
- Install the certificate. Users will need to click on the link in the pick-up email and follow this installation guide:
https://support.globalsign.com/ssl/ssl-certificates-installation/download-and-install-personalsign-certificate
Note regarding EPKI Renewals (related to ongoing ICA revocations):
There are three renewal configurations available to the EPKI Administrator at the EPKI Profile level:
- Manual (Default setting) – Renewal reminder emails are sent to the subscriber at periodic intervals; the subscriber registers for the renewed certificate, and a notification email is sent to the EPKI Administrator alerting them to a pending request that requires review.
- Automatic – Renewal reminders sent to the subscriber at periodic intervals; successful client authentication will automatically generate a renewed certificate.
- Quick – At 30 days before certificate expiration, active certificate holders are automatically sent an email to immediately install a renewed certificate.
With the Manual and Automatic Renewal settings, automated renewal emails (prompting the renewal) can start at 90 days prior to a certificate’s expiration date. That means end certificate holders can follow the automated renewal email prompts up to 90 days early. We roll over any remaining time, so no time is lost with early renewals.
This is important to note, since certificates that expire about 90 days after the Revocation deadline can follow the renewal process instead of being re-issued (if you’re using the Manual or Automatic method).
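The search criteria and the reissue-or-renew note above can also be applied to a local certificate inventory, as in this added example (it is not GlobalSign tooling). The inventory records, the order labels and the `triage` and `plan` functions are constructed for illustration; the code assumes “before” means strictly earlier than the cutoff date and that the 90-day renewal emails are enabled for Manual and Automatic profiles.

```python
from datetime import date, timedelta

# Dates and lead times taken from the guide above.
ISSUE_CUTOFF = {
    "PersonalSign": date(2020, 11, 11),
    "AATL": date(2020, 10, 14),
}
RENEW_INSTEAD_BEFORE = date(2021, 2, 24)
# Days before expiry at which renewal emails can start, per profile setting.
RENEWAL_LEAD_DAYS = {"Manual": 90, "Automatic": 90, "Quick": 30}

# Constructed sample inventory: (label, product, issued, expires, renewal setting).
INVENTORY = [
    ("ORDER-A", "PersonalSign", date(2020, 3, 2), date(2021, 3, 2), "Manual"),
    ("ORDER-B", "PersonalSign", date(2020, 1, 15), date(2021, 1, 15), "Quick"),
    ("ORDER-C", "AATL", date(2020, 10, 14), date(2021, 10, 14), "Automatic"),
    ("ORDER-D", "AATL", date(2018, 2, 20), date(2021, 2, 20), "Automatic"),
]


def triage(product, issued, expires, renewal_setting="Manual"):
    """Return (action, renewal_start); renewal_start is set only for 'renew'."""
    if product not in ISSUE_CUTOFF:
        raise ValueError(f"unknown product: {product!r}")
    if renewal_setting not in RENEWAL_LEAD_DAYS:
        raise ValueError(f"unknown renewal setting: {renewal_setting!r}")
    # Assumption: "Issue Date is before <cutoff>" excludes the cutoff day itself.
    if issued >= ISSUE_CUTOFF[product]:
        return ("not matched", None)
    # Certificates expiring before this date are renewed rather than reissued.
    if expires < RENEW_INSTEAD_BEFORE:
        lead = timedelta(days=RENEWAL_LEAD_DAYS[renewal_setting])
        return ("renew", expires - lead)
    return ("reissue", None)


def plan(inventory):
    """Map each order label to its (action, renewal_start) pair."""
    return {oid: triage(p, i, e, s) for oid, p, i, e, s in inventory}


if __name__ == "__main__":
    for oid, (action, start) in plan(INVENTORY).items():
        note = f" (renewal emails can start {start})" if start else ""
        print(f"{oid}: {action}{note}")
```
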
Note:
- We recommend that end users follow the renewal prompts as soon as they receive the 90-day renewal notice, to ensure the replacement certificate can be installed in a timely manner.
- You can still use the Quick renewal settings, but that setting only sends emails 30 days prior to expiration.
- For Manual and Automatic renewal settings - make sure you have the 90-day renewal emails enabled (as shown in the picture below):