The Public Key Infrastructure or PKI is an infrastructure that secures communications among individuals and government agencies. This way, the government’s delivery of services to citizens and businesses becomes safer, faster and more efficient.
No. The “public key” in PKI refers to the virtual ‘key’ that subscribers use to secure files sent over an otherwise unsecure ‘public’ network like the Internet. While it is called public, it can also work in a private network setting.
As more and more people rely on online applications over an unsecure network like the Internet, the need to secure files and ensure their information integrity increases. This is where the PKI comes in. It addresses the issues of authenticity, confidentiality and integrity of information.
A digital certificate is a file issued by a Certificate Authority that proves the identity of the certificate holder just like an ordinary ID, only in this case, it is digital.
A Certificate Authority or CA is a trusted third party that issues digital certificates. Before it issues a digital certificate to an individual/organization, it requires identity verification, which is usually done by a Registration Authority.
A Registration Authority or RA is the entity that performs the identity verification before a digital certificate can be issued to an individual/organization. It is also the entity that receives and processes applications.
A digital certificate takes up only 7kb to 10kb of computer memory.
First, you will need to submit application requirements to a Registration Authority (RA). Then, the RA will need to perform identity verification.
Any individual who is of age and possesses the necessary documents may apply for a digital certificate.
No. The digital certificate is free.
Authentication certificate - used in applications that require the user to login. It can be used to sign and encrypt email.
Signing certificate - used to digitally sign documents, i.e. PDF and Microsoft Word files.
Your responsibilities as a digital certificate holder are listed in the Subscriber's Agreement.
Yes. A digital certificate is valid up to two (2) years from the date of issuance. After that, you have to apply for a new one.
A digital certificate, technically, cannot be ‘renewed.’ It means you have to apply for a new one every time it expires and go through the application process again. All requirements will have to be satisfied.
Of course you do. It’s just that you will not be able to do the following: open encrypted files, access applications that require digital certificates and digitally sign documents for authenticity. Also, if you have been issued a certificate but decided not to use it, keep your digital certificate with its private key in a secure location to prevent unauthorized use.
Yes. You can install your digital certificate on your mobile device. The authentication certificate can be used in any email client with an S/MIME feature, including the native Mail application of iOS devices. It can also be used to access web portals with a client authentication requirement. Meanwhile, signing certificates can be used in web applications with a document signing feature that uses digital certificates.
It can be stored in a USB secure token (FIPS-compliant device), an ordinary USB flash disk, a PC, a laptop or any mobile computer. The USB secure token is the safest because it has a built-in application that allows only a limited number of times for entering the PIN before it is blocked. A token can contain up to ten (10) certificates.
You can only be issued one each of authentication certificate and signing certificate at a time.
The digital certificate consists of a private key and a public key. The public key of a digital certificate is a public document. The moment you use it, you can never lose it. On the other hand, the private key is issued solely to the user for decryption of messages. When the private key is lost or compromised, or the passphrase to use it is forgotten, the certificate needs to be revoked; a new key pair can then be generated, together with the digital certificate that will be associated with it.
If it is a soft token (.p12 file only), surrendering it is not necessary. The revocation of your digital certificate can be easily done by the CA. However, if it is a USB secure token and the company or CA owns it, then it needs to be surrendered. Individual owners may continue to use the certificates for transactions outside the concerned agency, depending on the agency's internal policies.
PNPKI cannot monitor the documents that are being digitally signed.
No, the PNPKI cannot track the number of devices or what device was used when using the digital certificates.
The system has no way of checking the content or tracking where it was sent or used. It is the responsibility of the person to ensure the accuracy of the content and to track the document.
There are currently no digital certificates that are equipped with geo-tagging and this feature is impossible for now.
Yes, all documents signed before the certificate revocation are still valid as long as long-term validation (LTV) is enabled in the signing application, such as Adobe Acrobat Reader. If not, the user can confirm the validity of the certificates with the Certification Authority (CA).
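An added example, not part of the original FAQ or of PNPKI's software: a simplified model of why a signature with long-term validation stays verifiable after the certificate is revoked. It assumes LTV gives the validator a trusted signing time; the function names and all dates are constructed for illustration.

```python
from datetime import datetime, timezone


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def certificate_problem(at, not_before, not_after, revoked_at):
    """Return why the certificate is unusable at time `at`, or None if it is good."""
    if at < not_before:
        return "not yet valid"
    if at > not_after:
        return "expired"
    if revoked_at is not None and at >= revoked_at:
        return "revoked"
    return None


def signature_status(not_before, not_after, revoked_at, now, trusted_signing_time=None):
    """Simplified validation decision (assumption: LTV supplies a trusted signing time)."""
    if trusted_signing_time is not None:
        # LTV case: judge the certificate at the proven moment of signing.
        problem = certificate_problem(trusted_signing_time, not_before, not_after, revoked_at)
        return ("invalid", problem) if problem else ("valid", "good at signing time")
    # No LTV: only the current time is known, so the certificate is judged today.
    problem = certificate_problem(now, not_before, not_after, revoked_at)
    if problem in ("revoked", "expired"):
        # The signature may predate the event, but nothing in the file proves it.
        return ("unconfirmed", problem + " now; confirm with the CA")
    return ("invalid", problem) if problem else ("valid", "good now")


# Constructed sample: a two-year certificate revoked partway through its life.
ISSUED, EXPIRES = utc(2023, 1, 10), utc(2025, 1, 10)
REVOKED, NOW = utc(2024, 3, 15), utc(2024, 9, 1)


def demo():
    return {
        "ltv_signed_before_revocation":
            signature_status(ISSUED, EXPIRES, REVOKED, NOW, utc(2023, 6, 1)),
        "ltv_signed_after_revocation":
            signature_status(ISSUED, EXPIRES, REVOKED, NOW, utc(2024, 4, 1)),
        "no_ltv": signature_status(ISSUED, EXPIRES, REVOKED, NOW),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```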
No. You will not be able to use it.
Once the public key is shared, it cannot be unshared. However, if the sender attempts to encrypt using the public key of a revoked certificate, the email client will prompt an error. The sender should send his/her new public key to the recipient for the encryption of his/her email.
Yes. PNPKI services such as certificate enrollment, timestamping, validation (OCSP) and digital signing are available only through the Internet. It is recommended to be connected to the Internet for validation and authentication purposes.
It is recommended to use email clients such as Thunderbird and Outlook for your digital certificates.