Digital Certificate FAQs

  1. What is a Digital Certificate ?
  2. What is a Digital Certificate used for ?
  3. What is a Certificate Authority (CA) ?
  4. What kind of information does my Digital Certificate hold ?
  5. What are Public and Private Keys ?
  6. For how long is my Digital Certificate valid ?
  7. What is the password for my digital certificate ?
  8. What happens when my digital certificate expires ?
  9. How do I know I have a good digital certificate ?
  10. What does revoking my digital certificate mean ?
  11. When should a certificate be revoked ?

Digital Certificates Troubleshooting

  1. I lost my Digital Certificate. What do I do now ?
  2. I cannot remember my certificate password ?
  3. What happens if the number of replacement requests exceeds the 24 hour limit ?
  4. There was a problem accessing your private key ?
  5. How do I validate my certificate chain ?

Digital Certificates How-To

  1. How do I register for a digital certificate ?
  2. How do I replace an existing iCA Identity certificate ?
  3. How do I configure MAS to use new iCA Identity certificate ?
  4. How do I make a copy of my digital certificate ?
  5. My certificate is about to expire. How can I renew it ?
  6. How can I protect my Digital Certificate ?
  7. How can I contact Customer Support ?

MAS/VPN Questions and Answers

  1. What is MAS/VPN ?
  2. Do I need a certificate to use MAS/VPN ?
  3. How do I register for MAS/VPN access ?
  4. When I click connect on the MAS/VPN dialer, I am asked to enter a password for a "Private Key Container" or a CryptoAPI Private Key/Private Exchange Key ?
  5. I am a valid MAS/VPN user, but unable to download the software and/or documentation from the web site ?
  6. Can I use my Digital Certificate on multiple machines ?
  7. After clicking on the Connect button of the MAS/VPN Dialer, I receive the error "Bad Keyset". What should I do ?
  8. While connecting with the MAS/VPN Dialer the connection hangs at 'Negotiating Security Profiles' and then I receive the error "Unable to contact server". What should I do ?
  9. While connecting with the MAS/VPN Dialer, the connection hangs at 'Negotiating Security Profiles' and then I receive the error message "Your IPSec session has been terminated". What should I do ?
  10. While connecting with the MAS/VPN Dialer, the connection hangs at 'Negotiating Security Profiles' and then I receive the error message, "The remote peer requires additional user authentication to authorize this connection". What should I do ?
  11. My connection was up for a while and it shows that I am still connected, but I can no longer reach any resources. What should I do ?
  12. I got a new certificate or renewed my existing certificate. How do I reconfigure my MAS/VPN client to use it ?
  13. What is the Bank of America Digital Certificate utility ?

Security FAQ and Concepts

  1. What is encryption ?
  2. What is SSL ?
  3. What is IPSEC ?
  4. What is a Code Signing Certificate ?
  5. What is a CRL ?
  6. What is S/MIME E-Mail ?
  7. What is Web Authentication ?
  8. What is Authorization ?
  9. What are BioMetrics ?
  10. What is LDAP ?
  11. What is Public Key Cryptography (PKI) ?
  12. What is a Smart Card ?

Code Signing FAQ

  1. What file types are supported for code signing within the bank ?
  2. How do I place a Nexus request for code signing ?
  3. Where do I download the CORP2 (Pre-Prod) iCA certificate chain ?
  4. How does Code-Signing work ?

A Digital Certificate itself is simply a collection of information that is used to uniquely and electronically identify people and resources over networks and the Internet. In addition to all the benefits of authentication they provide, digital certificates also make access control more secure, confidential and easier for many different types of activities such as human resource and financial services, private intranet and extranet sites and secure business-to-business services.

The main purpose of the Bank of America associate digital certificates is to provide a stronger level of security when using authentication across the Internet. Currently digital certificates are widely used for VPN and Remote Access. A digital certificate, however, can be used for multiple purposes, such as encryption, authenticating users to Portals and Web servers, digitally signing transactions and securing e-mail over the Internet.

Digital certificates must be issued by a trusted entity known as a Certificate Authority. A CA's role is analogous to that of a passport office, which issues a passport that is broadly acknowledged and accepted as a trustworthy means of personal identification. Certificate authorities are responsible for issuing, revoking, renewing, and providing directories of digital certificates.

Certificate Authorities typically offer a combination of cryptography technology, an infrastructure of highly secure facilities, and a specification of practices and liability that establish their ability to operate as a trusted third party. Once a CA has validated the certificate holder's identity and signed a certificate, the holder can present their certificate to people, Web sites, and network resources to prove their identity and establish secure and confidential communications.

A certificate typically includes a variety of information pertaining to its owner and to the CA that issued it, such as:

Digital certificates are based on public key cryptography, which uses a pair of related keys:

The public key and private key perform inverse operations and are used together. Since these keys only work as a pair, an operation (for example encryption) done with the public key can only be undone (decrypted) with the corresponding private key, and vice-versa.

Bank of America Associate Certificates are valid for 1 year from the date they were issued. When a certificate is close to expiring, its owner will get a notice with a reminder to get the digital certificate renewed or reissued.

During the download process of your certificate, if you set your security level to High, your web browser asks you to assign a name and a password for your private key. That is what is commonly called your digital certificate password. Please remember:

A new GetHelp job will be initiated on Associate laptops. This job periodically checks for expiring certificates and identifies any MAS/VPN certificates that are within 60 days or less of expiration. When one is found, the user is prompted to renew the certificate. When you complete this process, the certificate provided will be the new iCA certificate. You will also receive an e-mail notice reminding you to renew your certificate. Detailed steps on certificate renewal are available in our online User guide.

If your digital certificate has already expired, you will have to register for a new iCA Identity certificate at https://certificates.bankofamerica.com. From the Certificate Enrollment tab on the Certificate home page, click on the MAS/VPN Associate Certificates link. This will open the iCA Certificate Enrollment site. From here, select the Request a certificate link and follow the prompts. Detailed steps on certificate registration are available in our online User guide.

Verification is the process used to determine whether an electronic signature or a digital certificate is valid. To determine whether a certificate is valid and usable with MAS/VPN, use the MAS Configuration and Certificate Utility. This may be accessed from Start/Programs/Mobile Access Services/BA Certificate Setup and Repair Wizard. The certificates that are valid are shown in the MAS Configuration and Certificate Utility. Certificates are arranged with the most recent certificates listed first.

Revoking a digital certificate makes it ineffective from a specified time forward. Usually revocation is needed when you lose your digital certificate or you know it has been compromised in some way.

Specific reasons for revocation typically include one or more of the following circumstances:

If you need your digital certificate revoked for any of the reasons mentioned above, please see the section "Using enrollment site to replace an existing iCA Identity Certificate" from the online User Guide.

If you have questions, please contact your local Help Desk, 1-800-SUPPORT, or the Certificate Administration Team at certificate.admin@bankofamerica.com

If a backup was done prior to the loss of the digital certificate, you should be able to install the certificate and continue to use it. If there is no backup copy, you will need to obtain a replacement certificate, which is almost the same as getting a certificate the first time. From the Digital Certificates Home page, select "Register for Certificate". Log on to the iCA Enrollment site using your SSO credentials. Select "Request a certificate". The web site will recognize that you already have a certificate and ask you to confirm your intention to replace it. To replace your certificate, select "Yes, replace my current certificate". From this point on the process is identical to the process of obtaining the certificate for the first time. Please note there is a limit on the number of replacement certificates you can request within a 24 hr period. If you exceed the limit you will receive a notice instructing you to contact the Help Desk.

For detailed instructions on the replacement process as well as other digital certificates modules, please refer to our online User Guide.

The password for your digital certificate is saved along with your private key on your computer. If you forgot the password, there is no mechanism we can use to reset it. You will need to go to the enrollment site to replace an existing iCA Identity certificate. You will need to obtain a replacement certificate, which is almost the same as getting a certificate the first time. From the Digital Certificates Home page, select "Register for Certificate". Log on to the iCA Enrollment site using your SSO credentials. Select "Request a certificate". The web site will recognize that you already have a certificate and ask you to confirm your intention to replace it. To replace your certificate, select "Yes, replace my current certificate". From this point on the process is identical to the process of obtaining the certificate for the first time. Please note there is a limit on the number of replacement certificates you can request within a 24 hr period. If you exceed the limit you will receive a notice instructing you to contact the Help Desk.

For detailed instructions on the replacement process as well as other digital certificates modules, please refer to our online User Guide.

If your request for a replacement certificate exceeds the limit on the number of requests allowed within a 24 hour period, you will receive the notice to contact the Help Desk (1-800-SUPPORT).

That message usually follows the "crypto signing problem" message. You either canceled the process when asked for the certificate password, or entered an incorrect password for your certificate. It can also happen if the private key for your digital certificate is not accessible. If you changed your domain password and are having this problem, please refer to question #14 (below) for additional help.

A digital certificate's private key and password cannot be recovered, so if you are sure you have lost either one, please contact your local Technology Support Center to have your current certificate revoked. After we disable your current certificate, you can then go and register for a new one.

The entry point for all Identity certificate enrollment is the Digital certificates home page, https://certificates.bankofamerica.com. To register and download your digital certificate, click on the "Certificate Enrollment" link from the digital certificates home page. In order to obtain an Identity Certificate you will need 2 pieces of information: your Simplified Sign On (SSO) credentials and your Person number. To enroll for an Identity Certificate, select the Certificate Enrollment tab and click on the "MAS/VPN associate Certificate" link from the Digital certificates home page. Once your identity is verified, the process will automatically download your digital certificate into your browser.

For detailed instructions on the registration process as well as other digital certificates modules, please refer to our online User Guide.

There are situations in which you may need to replace your iCA Identity Certificate. Typically, this will only be necessary if you have forgotten the password associated with the certificate or you have lost the certificate due to system failure. Please note there is a limit on the number of replacement certificates you can request within a 24 hr period. If you exceed the limit you will receive a notice instructing you to contact the Help Desk. The process of obtaining a replacement certificate is almost the same as registering the certificate for the first time. From the Digital Certificates Home page, select 'Register for Certificate'. Log on to the iCA Enrollment site using your SSO credentials. Select 'Request a certificate'. The web site will recognize that you already have a certificate and ask you to confirm your intention to replace it. To replace your certificate, select "Yes, replace my current certificate". From this point on the process is identical to the process of obtaining the certificate for the first time.

Before a new iCA Identity Certificate can be used to authenticate your remote access connection to the BARONet, MAS must be configured to use the certificate. This is done using the BA Certificate Setup and Repair Wizard. This wizard is found by accessing the Start Menu on your computer and opening Programs/Mobile Access Services/BA Certificate Setup and Repair Wizard. When you open the wizard, you should see a reference to the new certificate which you just obtained. The Issuer will be Identity Authority East or Identity Authority West. If you have multiple iCA certificates on your machine (i.e. if you got a replacement certificate), the wizard will identify the newest certificate by default. This is the certificate you should use. Select "Configure MAS". You will be prompted to set the security level on the certificate to HIGH, which will require an additional password. Remember the password, because you will need to use it each time you use the certificate to log on to MAS. When prompted, enter and confirm the password. After selecting "Finish" you will be returned to the MAS Configuration and Certificate Utility. The MAS Configuration and Certificate Utility will confirm that MAS has been configured to use the certificate.

This is done using the BA Certificate Setup and Repair Wizard. This wizard is found by accessing the Start Menu on your computer and opening Programs/Mobile Access Services/BA Certificate Setup and Repair Wizard. To save your certificate, select "Save Certificate to a File". This will open the Export Wizard. Enter and confirm your password, then select "Next". Please select "Yes" to save the certificate to the default location. This location has been chosen to simplify support. When you select "Finish", you will be prompted for your certificate password. Enter the password and select "OK". The MAS Configuration and Certificate Utility confirms that the certificate was successfully saved.

For detailed instructions on the replacement process as well as other digital certificates modules, please refer to our online User Guide. You can save a copy of your certificate on your hard drive, but it is recommended that you also save a copy of it on a diskette or network in case your computer crashes.

Digital Certificates are set with a validity period of 1 year from the time they were downloaded. Associates will no longer renew their existing Bank of America Digital certificate. Associates will acquire a new certificate, issued by the Bank of America internal Certificate Authority (iCA). A new GetHelp job has been initiated on Associate laptops. This job periodically checks for expiring certificates and identifies any MAS/VPN certs that are within 60 days or less of expiration. When one is found, the user is prompted to renew the certificate. When you complete this process, the certificate provided will be the new iCA certificate. Alternatively, you may register for a new iCA Identity certificate at https://certificates.bankofamerica.com.

If you have questions, or if your certificate expires before the renewal process is completed, please contact your local help desk, 1-800-SUPPORT, or the Certificate Administration Team by email: certificate.admin@bankofamerica.com.
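The 60-day expiry check described above can also be run by hand against a certificate store. The PowerShell below is an added example, not the GetHelp job or any Bank of America tool; the function name `Get-CertExpiryStatus`, the status labels and the sample records are hypothetical, and the issuer names are constructed around the "Identity Authority East/West" issuers this FAQ mentions.

```powershell
# Added example (not the GetHelp job): classify certificates by time to expiry.
# The 60-day window comes from the FAQ; names and sample data are hypothetical.
function Get-CertExpiryStatus {
    [CmdletBinding()]
    param(
        # Any object with Subject, Issuer, NotAfter and HasPrivateKey properties,
        # such as the X509Certificate2 objects returned by Get-ChildItem Cert:\...
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Certificate,

        [int]$WarnDays = 60,

        # Injectable clock so the result is reproducible.
        [datetime]$Now = (Get-Date)
    )
    process {
        $daysLeft = [int][math]::Floor(($Certificate.NotAfter - $Now).TotalDays)

        $status = if ($Certificate.NotAfter -le $Now) {
            'Expired'      # a new certificate has to be registered
        } elseif ($daysLeft -le $WarnDays) {
            'RenewNow'     # inside the renewal window
        } else {
            'OK'
        }

        [pscustomobject]@{
            Subject       = $Certificate.Subject
            Issuer        = $Certificate.Issuer
            NotAfter      = $Certificate.NotAfter
            DaysLeft      = $daysLeft
            # Without its private key a certificate cannot be used to authenticate.
            HasPrivateKey = [bool]$Certificate.HasPrivateKey
            Status        = $status
        }
    }
}

# Constructed sample records standing in for certificate store entries.
$now = [datetime]'2024-01-15'
$sample = @(
    [pscustomobject]@{ Subject = 'CN=Sample Associate'; Issuer = 'CN=Identity Authority East'
                       NotAfter = $now.AddDays(200); HasPrivateKey = $true }
    [pscustomobject]@{ Subject = 'CN=Sample Associate'; Issuer = 'CN=Identity Authority West'
                       NotAfter = $now.AddDays(45); HasPrivateKey = $true }
    [pscustomobject]@{ Subject = 'CN=Sample Associate'; Issuer = 'CN=Identity Authority East'
                       NotAfter = $now.AddDays(-3); HasPrivateKey = $false }
)

# Keep only the issuers named in the FAQ and list the newest certificate first.
$sample |
    Where-Object { $_.Issuer -match 'Identity Authority (East|West)' } |
    Get-CertExpiryStatus -Now $now |
    Sort-Object NotAfter -Descending |
    Format-Table -AutoSize

# Against the real per-user store:
# Get-ChildItem Cert:\CurrentUser\My | Get-CertExpiryStatus
```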

There are several things you can do to protect your Digital Certificate:

It is your responsibility to protect your private key. Anyone who obtains your private key can take actions in your name!

Support for iCA related issues is provided by your local Technology Support Center or 1-800-SUPPORT.

Or you can send us an e-mail to certificate.admin@bankofamerica.com.

MAS stands for Mobile Access Services. This is the VPN application that Bank of America uses for all remote access. VPN stands for Virtual Private Network. The VPN client, which is integrated into MAS, allows you to connect to the Bank's networks using your DSL, cable modem or dial-up Internet connection. It provides, for authorized users, a remote access connection with encrypted traffic, thus achieving secure remote access.

Yes. MAS/VPN authentication is done via your Bank of America Associate Digital Certificate and your Internet Proxy username/password. It also requires the Virtual Private Network (MAS/VPN) software, personal firewall software, and digital certificates.

Please refer to http://rau.bankofamerica.com for more information on MAS/VPN. There are several files you can download to help you get set up: Certificate Registration Instructions, MAS Client User Guide, MAS Quick Start Guide and MAS Tutorial. These are available in the File Cabinet section of the Navigation menu at http://rau.bankofamerica.com under the MAS folder.

Please note these sites are only available internally. You must be connected to the Bank of America network to access them.

You must first have a valid person number and passcode. If you have both, go to the URL http://rau.bankofamerica.com and click on Request MAS. Fill in the requested information. The process will then install a digital certificate, if you do not already have one. Be sure to choose the Download Software option if you need the MAS/VPN software. A quick installation guide will be emailed to you upon completion.

Please note that this is an internal only site - you must be connected to the Bank of America network to access this link.

This is the certificate setup wizard asking for the password to access your Bank of America digital certificate stored in your Internet Explorer Certificate Manager. To continue, enter the password you created for this certificate when you downloaded it or imported it.

You should only be prompted for this password during the initial MAS client launch. If you are being prompted for the password during subsequent client launches, your shortcut to MAS needs to be recreated.

Delete your shortcut. Next, recreate your shortcut by going to Start - Programs - Mobile Access Services. Right click Mobile Access Services and choose Copy. Select the location for your MAS shortcut, right click and choose Paste.

If this does not fix the problem, please call your local Technology Support Center.

Go to https://rau-vpn.bankofamerica.com/ (External Link) or http://rau.bankofamerica.com/ (Internal Link) to download the software. You will need to already have a valid digital certificate. Enter your digital certificate password. Next, enter your NB ID and password. Here you can download the software and the user guides. If there is a problem with the web site, call tech support to have the MAS/VPN client software and/or the user guide emailed to you.

The user guide is installed to your machine along with the MAS/VPN client. If you have it installed already, you can find it by going to Start - Programs - Mobile Access Service - MAS User Guide.

Yes, you can. You will need to export the certificate and import it to the other machine.

To export your certificate, go to Start - Programs - Mobile Access Services - BA Digital Certificate Setup and Repair Wizard and select "Save Certificate to File." This will open the Export Wizard. Enter and confirm your password. Then select "Next". Please select "Yes" to save the certificate to the default location. This location has been chosen to simplify support. It will prompt you for your certificate usage password; copy the certificate to C:\Program Files\Cisco Systems\VPN Client\username\username.pfx.

You will need to copy the certificate to the other machine and place it in the default location, C:\Program Files\Cisco Systems\VPN Client\username\username.pfx. The MAS Configuration and Certificate Utility confirms that the certificate was successfully saved.

To import your certificate, go to Start - Programs - Mobile Access Services - BA Certificate Setup and Repair Wizard. Click Import/Obtain a Certificate. Importing a certificate can be done either from the web site or from a file. If you are importing a certificate from a file saved in the default location, you will be prompted to enter the password for this certificate file. Enter the password and press Next. You will be informed that your certificate is about to be set to HIGH security. Press Next, enter a certificate password with confirmation and then press Finish. At this point the import will have succeeded and you will have the choice to configure MAS, or you can press Cancel. You will be informed of the successful import. You can now press Close to exit the certificate utility.

For detailed instructions on the registration process as well as other digital certificates modules, please refer to our online User Guide.

If you have questions, or if your certificate expires before the renewal process is completed, please contact your local help desk, 1-800-SUPPORT, or the Certificate Administration Team at certificate.admin@bankofamerica.com.

The first thing to check is whether you have multiple logins on your PC. If you installed the certificate when logged in as nbk1234, but now are logged in as nbt4321 or not logged in at all, this error can occur. Using the correct ID to login will fix the problem.

If you are running any additional firewall software (ZoneAlarm, etc.), you need to either turn down the security settings or turn off the extra protection. Since we are running the BlackICE firewall, you do not need to worry about leaving your computer open to attack.

If this does not fix the problem, please call your local Technology Support Center.

This usually means a connectivity problem. Try to reconnect.

If the problem persists, please contact your local Technology Support Center.

This may mean that you are not using the correct username/password combination. You should confirm your username/password are correct and then re-enter them into the MAS/VPN Dialer.

If this does not fix the problem, please call your local Technology Support Center.

Verify that you are still connected to MAS/VPN by double clicking the "Lock" icon in your system tray at the bottom of the screen. If you do not have this icon, you are not connected. Try to reconnect.

If this does not fix the problem, completely exit MAS/VPN. Right click on the yellow lock (VPN) icon in the system tray and choose Exit. Also, right click on the 360 (MAS) icon and choose Exit. Finally, launch the MAS/VPN Dialer again and attempt to reconnect.

Before a new iCA Identity Certificate can be used to authenticate your remote access connection to the BARONet, MAS must be configured to use this certificate. This is done using the BA Certificate Setup and Repair Wizard. This wizard is found by accessing the Start Menu on your computer and opening Programs/Mobile Access Services/BA Certificate Setup and Repair Wizard.

When you open the Wizard, you should see a reference to the new certificate which you just obtained. The issuer will be Identity Authority East or Identity Authority West. If you have multiple iCA certificates on your machine (i.e. if you got a replacement certificate), the wizard will identify the newest certificate by default. This is the certificate you should use. Select "Configure MAS".

You will be prompted to set the security level on the certificate to HIGH, which will require adding a password. Remember the password, because you will need to use it each time you use the certificate to log on to MAS. When prompted, enter and confirm the password. After selecting "Finish" you will be returned to the MAS Configuration and Certificate Utility. Select "Configure MAS". You will now be prompted to enter the password you assigned to the certificate. Enter the password and select "OK". The MAS Configuration and Certificate Utility will confirm that MAS has been configured to use the certificate.

For detailed instructions on the registration process as well as other digital certificates modules, please refer to our online User Guide.

If you have questions, or if your certificate expires before the renewal process is completed, please contact your local help desk, 1-800-SUPPORT, or the Certificate Administration Team at certificate.admin@bankofamerica.com.

Desktop encryption is the ability to encrypt the information on your desktop computer so that information is secure, even when multiple people use the same computer. The information stored on a laptop or desktop computer is a very valuable asset. In the event that a computer is lost or stolen, unauthorized persons could easily access the data if desktop encryption is not installed. Bank of America's desktop encryption starts by enhancing the existing local login security within Windows. The next step in desktop encryption allows users to select which folders they wish to be encrypted. The selected data is changed using a combination of 3DES encryption and the data owner's private key so that only the owner of the data can read it. When a folder has been flagged as encrypted, any file saved there is automatically encrypted. When a file is copied to a non-encrypted folder or the file is manually decrypted, then the data is again readable by anyone.

Secure sockets layer (SSL) is a protocol that uses digital certificates to create a secure confidential communications "pipe" between two entities. Data transmitted over an SSL connection cannot be tampered with or forged without the two parties becoming immediately aware of the tampering. SSL is supported in the vast majority of browsers, which means that almost anyone with a browser can reap the benefits of SSL. It is also incorporated into most Web servers on the market.

IPSec is a security protocol to create VPNs for remote access users.

Code signing certificates, issued by the certificate authority to a code developer, allow the code developer to digitally sign their work. When a customer downloads software digitally signed with the code developer's digital certificate, they can be assured of:

Users benefit from this software accountability because they know who published the software and that the code has not been tampered with. In the extreme case that software performs unacceptable or malicious activity on their computers, users can also pursue recourse against the publisher. By signing code, developers build a trusted relationship with users, who then learn to confidently download signed software from that publisher or web site.

A global server certificate provides the same capabilities as a server certificate. The difference between the two is that global server IDs enable 128-bit SSL encryption with both domestic and export-versions of Microsoft and Netscape browsers. Open Internet Explorer and click on 'Tools', then 'Internet Options' from the drop down menu. Under the 'Personal' tab, select the digital certificate issued by Bank of America (it either has your name or Person Number assigned to it). Click the 'Export' button and follow the process.

You can save a copy of your certificate on your hard drive, but it is recommended that you also save a copy of it on a diskette or network in case your computer crashes.

A certificate revocation list (CRL) is a list of certificates that have been revoked before their scheduled expiration date. There are several reasons why a certificate might need to be revoked and placed on a CRL. For instance, the key specified in the certificate might have been compromised, or, the user specified in the certificate may no longer have authority to use the key.

S/MIME (Secure/Multi-Purpose Internet Mail Extensions) is a secure method of sending e-mail that uses the RSA encryption system. By signing an e-mail message you give the recipient assurance that you are indeed who you say you are and the ability to verify that a message has not been altered. The encryption allows the contents of outgoing messages to be encrypted with the recipient's public key. At this point, the only way to decode the message is by using the recipient's private key, which presumably only the recipient has.

The process of identifying an individual, usually based on a username and password. Authentication is the process of giving individuals access to system objects based on their identity. Authentication only ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual.

Authorization is the process of determining whether an identity (plus a set of attributes associated with that identity) is permitted to perform some action, such as accessing a resource.

Smart cards with sufficient on-board processing to validate biometric identification could be used to authenticate those with access to high-security areas or with access to critical infrastructure information. Cards could also be used to validate user credentials for business transactions. Biometrics is a technology that encompasses a variety of methods for secure authentication and access, such as thumb or finger print, retina analysis, etc.

LDAP is a specification for a client-server protocol to retrieve and manage directory information. It was originally intended as a means for clients on PCs to access X.500 directories, but can also be used with any other directory system that follows the X.500 data models.

Public key cryptography is a way to conduct secure communications using encryption algorithms that are based on mathematical functions rather than substitution and permutation. Public key cryptography is asymmetric involving two separate keys (one public, one private).

Roaming Certificate and Roaming Service allow roaming users to access their credentials from any client terminal with Internet access whilst maintaining security. The service also provides other security related functions, such as digital signature, to end-users. This service does not require special client hardware. Bank of America uses split independent roaming servers to enhance security and provide non-repudiation.

Smart cards are a class of credit card-sized devices with varying capabilities: stored-value cards, contact-less cards, and integrated circuit cards (ICC). A smart card is essentially a miniature computer, embedded in plastic in the form of a credit card, with limited storage and processing capability. The circuitry in a smart card derives power from a smart card reader after the card is inserted into the reader. Data communication between a smart card and an application running on a computer is performed over a half-duplex serial interface managed by the smart card reader and its associated device driver. Smart card technology provides high-level security using two-factor authentication: something you know (password or PIN) with something you have (smart card).

Most of the file formats required are:

Authenticode Files (*.exe, *.ocx, *.dll, *.vbs, *.msi, *.html),

ClickOnce Application Manifest Files (*.manifest), ClickOnce Deployment Manifest Files (*.application),

Java jar files (*.jar), Java Cab Files (*.cab),

Microsoft Word (*.doc, *.dot), Microsoft PowerPoint (*.pps, *.ppt, *.ppa), Microsoft Excel (*.xls, *.xlt, *.xla, *.xlm, *.xlc, *.odc), Excel 2003 Macros, Excel 2010 Macros, PowerPoint 2003 Macros, PowerPoint 2010 Macros, Word 2003 Macros, Word 2010 Macros, Visio 2003 (*.vdx, *.vsd), Control Panel Extension (*.cpl), Infopath 2003 (*.xsn, *.xsf),

Yahoo Widget (*.widget),
Silverlight (*.xap)

Go to http://warr.bankofamerica.com and place a new service request with "Type" as "PKI Engineering" and "Action" as "Code Signing Consulting".

Click here for test code signing certificates.

You can download CORP2(Pre-Production) iCA certificate chain from here*.

Code signing uses a combination of encryption keys and encryption technologies to ensure the integrity of code and to communicate the identity of code publishers. At the heart of code signing are two asymmetric encryption keys called the public and private keys. For example, in the case of .NET, the developer uses a private key to sign their libraries or executables each time they build or compile the code. This key is unique either at the organization level or at the application/project level.

The public key is available openly and is actually included with the signed code. The private key is available only to the code publisher. Any piece of executable code signed with the private key can be verified only by the corresponding public key and this forms the basis for code signing. Digital signatures use mathematical algorithms to create a cryptographic representation of the code that can only be generated by the private key and verified by the public key. In the case of code signing, a publisher uses their private key to generate the signature. The software publisher's public key (which is available in the browser's trusted publisher's store) is used to verify this signature; anyone, then, can verify the signature and determine whether the actual code has been tampered with. If the signature verification is successful, then the publisher's identity is verified, because only the publisher would have access to the private key needed to sign the information. If the signature verification is unsuccessful, or an error related to the validity of the code-signing certificate is encountered, the user will receive a message that the publisher is "Untrusted".
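The sign-then-verify behaviour described above, and the public/private key pairing described earlier in this FAQ, can be observed directly with the .NET RSA classes. This PowerShell is an added example, not part of the original FAQ and not the bank's signing service or the Authenticode file format; the function names, the key pair and the "code" bytes are constructed for the demonstration, and it assumes PowerShell 7 or Windows PowerShell on .NET Framework 4.7.2 or later.

```powershell
# Added example: the sign/verify principle behind code signing, using .NET RSA.
# Function names, key pair and "code" bytes are constructed for this demo.
$sha256 = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$pkcs1  = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1

function New-CodeSignature {
    param([byte[]]$Code, [System.Security.Cryptography.RSA]$PrivateKey)
    # Hash the code with SHA-256 and sign the digest with the private key.
    # The leading comma keeps the result a byte[] instead of unrolling it.
    , $PrivateKey.SignData($Code, $sha256, $pkcs1)
}

function Test-CodeSignature {
    param([byte[]]$Code, [byte[]]$Signature, [System.Security.Cryptography.RSA]$PublicKey)
    # Recompute the hash and check it against the signature with the public key.
    $PublicKey.VerifyData($Code, $Signature, $sha256, $pkcs1)
}

# Publisher side: a key pair whose private half never leaves the publisher.
$publisher = [System.Security.Cryptography.RSA]::Create(2048)
# User side: a key object that will hold only the public half.
$user = [System.Security.Cryptography.RSA]::Create()

try {
    [byte[]]$code = [System.Text.Encoding]::UTF8.GetBytes('Write-Output "signed sample"')
    [byte[]]$signature = New-CodeSignature -Code $code -PrivateKey $publisher

    # ExportParameters($false) exports the modulus and public exponent only.
    $user.ImportParameters($publisher.ExportParameters($false))

    $originalVerifies = Test-CodeSignature -Code $code -Signature $signature -PublicKey $user

    # Flip one bit of the code: the old signature must no longer verify.
    [byte[]]$tampered = $code.Clone()
    $tampered[0] = $tampered[0] -bxor 1
    $tamperedVerifies = Test-CodeSignature -Code $tampered -Signature $signature -PublicKey $user

    # Holding only the public key is not enough to produce a signature.
    $publicKeyCanSign = $true
    try {
        $null = $user.SignData($code, $sha256, $pkcs1)
    } catch {
        $publicKeyCanSign = $false
    }

    [pscustomobject]@{
        OriginalVerifies = $originalVerifies
        TamperedVerifies = $tamperedVerifies
        PublicKeyCanSign = $publicKeyCanSign
    }
}
finally {
    $publisher.Dispose()
    $user.Dispose()
}
```

For actual signed files on Windows, `Get-AuthenticodeSignature` reports the verification status of the embedded signature and the signer certificate.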

To find out how to validate your certificate chain, please click on the User Guides Tab and see the following two documents:

  1. Bank of America iCA Chain Verification Guide - Windows
  2. Bank of America iCA Chain Verification Guide - Non-Windows