Frequently Asked Questions

If you have a backup of your certificate's private key, you can transfer the backup to a new computer and open the backup to run the import wizard. If you do not have a backup of your private key, you need to issue a new certificate. The email in which we send you the certificates does not contain the private key.

In the case of a certificate stored on a smart card, you install the SecureStore service application and then insert the smart card into the computer.

If any of the information on the certificate has changed, a new certificate must be issued. It is not possible to change the entries in the certificate.

The number of certificates is not limited, so a natural/legal person can own an unlimited number of issued certificates.

The private key is available only to the owner of the certificate, if the private key of the certificate stored in the computer storage (.PFX file) has not been backed up, from which the certificate can be re-imported into the storage (private key stored in the MS Windows/MacOS storage), the only option is to request a new certificate.

The Home Office recommends that users who have doubts that their "electronic signature" could be compromised by the RSA key vulnerability can use an online test to check whether their "electronic signature" is affected by the discovered vulnerability.

These are RSA keys that have been generated using the cryptographic libraries of the manufacturer Infineon Technologies AG (eID issue Slovakia, Estonia, Austria). The Ministry of the Interior further recommends that if the result of the test shows that the user's RSA keys are affected by the vulnerability found, the user should contact the vendor of the resource or the manufacturer of the resource used to generate them for further action. It is recommended to invalidate the affected qualified certificate. Information from the Ministry of the Interior is available here.

Smart cards provided by the I.CA as Qualified Signature Creation Devices (QSCDs) and which can be identified by the OID (QCP-nqscd): 0.4.0.194112.1.2, i.e. the private key is generated and stored on the QSCD in the relevant certificate, are not vulnerable to the above threat. More information can be found here.

The procedure for obtaining a subsequent certificate.

The procedures for certificate revocation are defined in the I.CA certification policy:

• By submitting the request electronically - via the web form .
• By sending an electronically signed message to revoke@ica.cz
• By personal delivery of the request to the RA
• By mail

Yes, the certificate can be used on multiple computers. To install the certificate on a PC where a certificate request has not been created, install the certificate from a backup of the certificate (PFX file).

However, we recommend a secure private key store, i.e., a certificate stored on a smart card or USB token, for transferring certificates between PCs.

A qualified certificate for an electronic seal is based on a recognised electronic seal according to Act No. 297/2016 Coll., which can be of two types:

• a guaranteed electronic seal based only on a qualified certificate for electronic seal,
• a qualified electronic seal, i.e. a guaranteed electronic seal which is based on a qualified certificate for electronic seals and is created using a QESCD (qualified electronic seal creation device).

It is intended for legal entities only. It serves to ensure the integrity of the data and the correctness of the origin of the data with which the qualified electronic seal is associated.

Recognised electronic signature means a guaranteed electronic signature based on a qualified certificate issued by an accredited certification service provider and containing data that enables

Recognised electronic signature means a guaranteed electronic signature based on a qualified certificate issued by an accredited certification service provider and containing data that enables unambiguous identification of the signatory. It is therefore a qualified certificate for electronic signature offered by us.

A qualified electronic signature is based on a qualified certificate issued by an accredited certification service provider, this certificate is stored on a qualified means for creating an electronic signature (QSCD means). This is a higher level of signature than a recognised electronic signature. Specifically, it will be a qualified certificate for electronic signature offered by us and stored on a Starcos 3.7 smart card.

The MPSV identifier (= IK MPSV) denotes the unique identification of the client in relation to the MPSV, FÚ, ČSSZ and ÚP ČR. I.CA enables its clients to obtain this identifier free of charge as part of the service of issuing a qualified certificate. You can choose the option of inserting the MPSV identifier when generating the application for the initial certificate or it can be inserted on request when the certificate is issued at a branch of the Registration Authority.

The issued certificate (the public part of the certificate) is usually sent to the certificate requester's e-mail box at the time of issuance.

It is also possible to search for public certificates in the list of public certificates and to save them in selected formats - DER, PEM, TXT.

To install your personal certificate (the public part of the certificate), use the email we sent you or the certificate file in DER format (this format was sent to your email inbox when the certificate was issued, or you can look it up on the list of public certificates).

For proper use of the smart card via RDP (remote desktop), you need to enable sharing of the smart card and USB ports in the RDP settings. The smart card must then be connected to the computer from which you are connecting. The remote computer must have the I.CA SecureStore Card Manager application installed.

The cause of this error message is insufficient space on the smart card to store the certificate private key/sequential certificate. Therefore, it is necessary to remove some objects with older certificates from the smart card. The removal of the certificate from the smart card is done using the I.CA SecureStore application.

You need to select personal certificates, then click on the container with certificates for the year and select Remove container on the right, enter the pin and the container will be removed.

Note: If the certificate is generated on a smart card and the private keys (key pairs) are removed, this session is not reversible.

If you have Adobe Acrobat or Adobe Reader installed by default, when you open a document that contains an electronic signature, the list of trusted certification service providers is automatically updated and already includes the I.CA root certificate for validating the electronic signature of PDF documents.

If you have disabled automatic updates, you can use manual updates via the "Menu", "Preferences", "Rights Manager", EUTL automatic update menu "Update".

If you install the certificate on your computer, you will not have the certificate's private key stored on your computer. The most common cause is that a user attempts to install a certificate on a computer or user profile where the certificate request was not created. In the case of a certificate stored on a computer, you must install the certificate on the computer where the certificate request was created.

If you have been unable to create an application using the online forms on our website, for example, because of security policy settings. It is also possible to use our offline ICA NewCert application to create an application.

A valid ID card or passport is required to obtain a certificate. The ZealID application that is used to identify a person supports documents issued by countries that can be found on the ZealID website in the list of supported documents.

When issuing a certificate online for an individual, you cannot insert a title into the certificate. This is because the process cannot verify that the applicant has the title.

If you close the creation of a request in the online certificate issuance process before the request is submitted, you will need to start the process from the beginning. This means that you will need to create a new pre-registration on our website.