
Public Key Infrastructure Cryptography


Category: Security

Description

PKI cryptography services ensure secure communication by using digital signatures to establish trust and public key encryption to keep data confidential. Both are facilitated through the use of digital certificates.

Background 

Public key encryption systems use pairs of related cryptographic keys: a public key and a private key. The private key is always kept strictly secret, while the public key may be freely distributed and used by anyone to encrypt data, which can then be decrypted only by the owner of the corresponding private key.

Digital signature systems use the private key to sign messages or data, and the corresponding public key to verify that the signature is authentic.

Digital certificates are electronic documents used to prove the validity of public keys. These certificates identify the owner (or subject), establish the period of time for which the certificate is valid, and include a digital signature from a Certification Authority (CA), a common root of trust for subscribers in a PKI.

PKI encompasses the hardware, software, roles, policies, and procedures involved in the creation, management, distribution, storage, and revocation of digital certificates. 

In electronic communications, PKI helps assure:

  1. Parties are who they say they are (authentication).
  2. The exchange is private and secure (encryption).
  3. Content of the message has not been altered (data integrity).
  4. Digital signatures are genuine (non-repudiation).
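The key-pair mechanics described above, together with the separate signing and encryption key pairs that the Product Features section lists for Digital ID, as an added example written in Go using only its standard library. This is not code from the DoIT page or from the State's Digital ID software; the key size, the `DigitalID` type, the function names and the sample message are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// DigitalID holds a subscriber's two key pairs (a constructed model). The signing
// key never leaves the subscriber; the encryption key may be escrowed so authorized
// staff can recover data without being able to sign as the subscriber.
type DigitalID struct {
	SigningKey    *rsa.PrivateKey
	EncryptionKey *rsa.PrivateKey
}

// NewDigitalID generates both key pairs at the requested size.
func NewDigitalID(bits int) (*DigitalID, error) {
	sk, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	ek, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &DigitalID{SigningKey: sk, EncryptionKey: ek}, nil
}

// Sign produces an RSA-PSS signature over the SHA-256 digest of msg.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

// Verify needs only the signer's public key, which anyone may hold.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

// Encrypt (RSA-OAEP) seals a short message to the holder of the private key;
// Decrypt reverses it.
func Encrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

func Decrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// Outcome records what a relying party and a recovery agent observe.
type Outcome struct {
	SignatureValid  bool // the genuine signature verifies
	TamperDetected  bool // a one-bit change to the message is rejected
	Decrypted       bool // ciphertext recovered with the escrowable key
	EscrowForgesSig bool // escrowed encryption key accepted as signer (must be false)
}

// Scenario runs the full round trip for one message.
func Scenario(id *DigitalID, msg []byte) (Outcome, error) {
	var o Outcome
	sig, err := Sign(id.SigningKey, msg)
	if err != nil {
		return o, err
	}
	o.SignatureValid = Verify(&id.SigningKey.PublicKey, msg, sig)
	tampered := append([]byte(nil), msg...)
	tampered[0] ^= 0x01 // integrity check: flip one bit of the message
	o.TamperDetected = !Verify(&id.SigningKey.PublicKey, tampered, sig)
	ct, err := Encrypt(&id.EncryptionKey.PublicKey, msg)
	if err != nil {
		return o, err
	}
	pt, err := Decrypt(id.EncryptionKey, ct)
	if err != nil {
		return o, err
	}
	o.Decrypted = bytes.Equal(pt, msg)
	// A recovery agent holding only the escrowed encryption key cannot produce
	// a signature that verifies under the subscriber's signing public key.
	forged, err := Sign(id.EncryptionKey, msg)
	if err != nil {
		return o, err
	}
	o.EscrowForgesSig = Verify(&id.SigningKey.PublicKey, msg, forged)
	return o, nil
}

func main() {
	id, err := NewDigitalID(2048)
	if err != nil {
		panic(err)
	}
	fmt.Println(Scenario(id, []byte("constructed sample document")))
}
```

The four `Outcome` fields map onto the four assurances listed above: the verifying signature is authentication, the OAEP round trip is encryption, the rejected one-bit change is data integrity, and the failed forgery with the escrowed key is what lets an organization recover encrypted data without weakening non-repudiation.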

DoIT, by legislative directive, is the sole source of digital certificates for State of Illinois agencies, boards, commissions, universities, and those who do business with them. Additionally, local, county, and municipal governmental entities are permitted to utilize these services. 

Digital Certificates for Individuals (Digital ID)

For individuals, certificates are issued from the State of Illinois’s self-signed certification authority, established in 2001. A subscriber’s collection of key pairs and certificates constitutes their Digital ID.

Typical use cases for Digital ID:

  1. Digitally sign electronic documents and verify those signatures.
  2. Encrypt sensitive data, allowing decryption by authorized entities.
  3. Authenticate to state agency web resources that support Digital ID login.

Individuals have the option to register for certificates through a self-service web application. Those possessing a valid ID or driver's license issued by the State of Illinois are eligible to receive certificates online in a matter of minutes. Alternatively, individuals without such credentials can follow an alternative process to submit an application that validates their identity.

Through identity verification, the actual person is linked to their Digital ID, enabling digital signatures to hold the same weight as a physical signature when employed in compliance with the terms outlined in the State of Illinois Digital ID Subscriber Agreement.

The Registration Authority (RA) is delegated the responsibility of approving applications and handling requests for Digital ID management. The RA ensures that certificates are issued and administered in compliance with the State of Illinois Public Key Infrastructure Certificate Policy and Certification Practices Statement.

TLS (SSL) Certificates for Devices

Transport Layer Security (TLS), also known by the name of its predecessor, Secure Sockets Layer (SSL), is a protocol for securing communications across networks. The most common use case for TLS certificates is securing web traffic. A “lock” icon in the web browser’s address bar, or “https” at the start of the URL, indicates that a TLS certificate is being used to secure the page.

TLS certificates assure that the web server (for example, MyAgency.Illinois.Gov) is truly the site it claims to be and that the contents of the session cannot be read or altered by a third party. This trust is established because the server’s certificate is signed by a Certification Authority (CA) that is “chained” to a global root CA trusted by the web browser.

Applicants for device certificates submit a Certificate Signing Request (CSR), generated with the device’s private key, along with supporting material attesting that they are authorized to administer certificates for the applicable domain names, that is, the certificate’s subject and subject alternative names (SANs).

The RA (Registration Authority) has discretion over the issuance of device certificates in accordance with applicable policies. Upon approval, applicants receive a certificate signed by the CA for installation on the device.
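The CSR-to-installed-certificate flow described in this section, followed by the chain and host-name check a browser performs, as an added Go example using only the standard library. It is not DoIT's or any CA's code: the self-signed root, the host names and the function names are constructed stand-ins, the RA's check that the applicant controls the requested names is assumed to have already happened, and the policy limits enforced in `Issue` (2048-bit RSA minimum, SHA-256 signature, 13-month maximum lifetime) are the ones listed for device certificates under Product Features.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewRootCA builds a constructed self-signed root standing in for the global root CA; not a real CA.
func NewRootCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Example Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCSR is the applicant's step: the private key is generated on the device and stays
// there; only the CSR (public key plus requested subject and SANs) is submitted.
func NewCSR(commonName string, sans []string) ([]byte, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}, DNSNames: sans}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return der, key, err
}

// Issue is the CA/RA step: check the CSR's own signature (proof that the applicant holds the
// private key), enforce key-size and lifetime policy, then sign a server certificate.
func Issue(ca *x509.Certificate, caKey *rsa.PrivateKey, csrDER []byte, months int) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR proof of possession failed: %w", err)
	}
	pub, ok := csr.PublicKey.(*rsa.PublicKey)
	if !ok || pub.N.BitLen() < 2048 {
		return nil, fmt.Errorf("policy: RSA key of at least 2048 bits required")
	}
	if months < 1 || months > 13 {
		return nil, fmt.Errorf("policy: lifetime must be between 1 and 13 months")
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:       serial,
		Subject:            csr.Subject,
		DNSNames:           csr.DNSNames, // copied only after the RA has confirmed control (assumed)
		NotBefore:          now.Add(-time.Hour),
		NotAfter:           now.AddDate(0, months, 0),
		KeyUsage:           x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:        []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		SignatureAlgorithm: x509.SHA256WithRSA,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
}

// VerifyForHost is the browser's step: chain the server certificate to a trusted root
// and require the host name being visited to appear in its SANs.
func VerifyForHost(leafDER []byte, root *x509.Certificate, host string) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err = leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}
```

Exercise it from a `_test.go` file in the same directory (`go test`), or add a `main` that calls `NewRootCA`, `NewCSR`, `Issue` and `VerifyForHost` in that order. Three failure cases are worth checking: a requested lifetime over 13 months is refused at issuance, a host name absent from the SANs fails verification even though the certificate itself is valid, and a certificate chained to a root the browser does not trust is rejected regardless of its contents.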

Product Features

All certificates conform to the X.509 standard for interoperability with compliant public key systems.

For individuals enrolled in Digital ID, certificates are issued from the State of Illinois’s self-signed CA.

  • Separate key pairs for signing and encryption allow key escrow and authorized recovery of encrypted data while preserving the non-repudiation of digital signatures.
  • Supporting desktop software for select operating systems and email applications provides integration with third-party software.
  • Self-service web applications for enrollment and account management.
  • Authentication to State of Illinois web applications that support Digital ID login.

For devices, TLS/SSL certificates are issued from a global root certification authority included in the root of trust of major operating systems and web browsers.

  • Universal web browser compatibility
  • Minimum 2048-bit key strength with SHA-256 signature
  • Up to 13-month lifetime

Rates and Billing

This service is currently exempt from Department of Innovation and Technology (DoIT) fees.

Ordering and Provisioning

Service can be procured, modified or cancelled by selecting the "Order Services" button near the top of the right pane.

DoIT Responsibilities

  • Service provisioning and implementation
  • Incident resolution
  • Routine maintenance
  • Provide 24/7 support for questions and/or problems.
  • Maintain contracts with vendor.
  • Notify customer of any changes to the product
  • Provide instructions to complete the creation of the Digital ID

Agency Responsibilities

  • Develop and implement agency governance to ensure staff compliance with DoIT incident reporting and request requirements.
  • Identify requirements and assess the assurance level needed for accessing your application.
  • Work with the PKI Team to identify service requirements and develop implementation plans. Depending on the scale of the plan, the DoIT governance process may be required.
  • Provide end-user training as needed.

Service Levels and Metrics

Service Fulfillment/Provisioning

Staff will respond to service requests during the published business hours. DoIT targets to provision this service as follows:

  • Certificates for in-state applicants completed online within 5 minutes
  • Out-of-state applications processed within 2 business days of receipt

Incident Response and Resolution

All incidents reported to DoIT will be captured in the DoIT IT service management ticketing system and addressed according to the Incident Management Guidelines.

To report an incident, contact the PKI Digital Certificate support group, Monday through Sunday, 8:00 AM to 4:30 PM, at 217-524-3648 or 312-524-3648.

Service Availability

This service will be available 24/7 excluding planned outages, maintenance windows and unavoidable events.
