Philippine National PKI

Department of Information and Communication Technology - Region 3

3F Marison Square Bldg, Cagayan Valley Rd, Guiguinto, Bulacan, Philippines

Overview

Understanding the Philippine National Public Key Infrastructure

Secure Infrastructure

Public Key Infrastructure (PKI) enables secure communication over public networks through a comprehensive set of hardware, software, policies, and procedures. PNPKI ensures secure and reliable online transactions between government agencies and citizens.

  • Government-backed infrastructure
  • End-to-end encryption
  • Tamper-proof transactions
  • Standardized implementation

Digital Certificates

At the core of PKI are digital certificates that enable secure authentication and data integrity. These certificates support various applications from document signing to secure email communications, improving government service delivery.

  • Secure document signing
  • Email security
  • Authentication services
  • Multiple storage options

Important Information

If your agency uses email communication or has online transactions with other agencies or the public, or if your agency plans to do so, then you need PKI.

Common Applications

Document Signing

Adobe Reader, Foxit Reader

Email Security

Outlook, Thunderbird

File Encryption

Secure file sharing

Authentication

Secure login & access

Some applications, such as email, are fairly easy to configure and integrate with PKI. These applications only require users to register and receive their digital certificates. More complicated applications, such as those used for online transactions, would require extended development time.

Eventually, digital certificates will enable individuals to:

  • File income tax returns online
  • Participate in government procurement
  • Apply for loans securely
  • Process tax payments electronically

PNPKI SERVICES

Certificate Authority & Registration Authority services

These include the processing of applications, the issuance of digital certificates, and the provision of technical support and assistance.

Validation Authority service

Applications use this service to check the validity of certificates via the Online Certificate Status Protocol (OCSP) or a Certificate Revocation List (CRL).

Timestamping service

Applications use this service to connect to an authoritative time source for the timestamp embedded in a digitally signed document.

How to Apply for PNPKI

Follow these steps to get your digital certificate

New Applications

  • Complete registration at the Online Registration System (ORS)
  • Softcopy of the following supporting documents:
    • Philippine National ID (PhilID/ePhilID) or
    • Combination of the following:
      • Birth Certificate or valid Philippine Passport; and
      • Unified Multi-Purpose Identification (UMID) compliant card *
  • One (1) passport size photo taken within the last six (6) months
  • Online identity verification (via video call)
  • Taxpayer Identification Number (TIN)
  • Mobile phone number
  • Email address owned by the individual or authorized by the owner for use by the subscriber
  • Consent to verify and share the information submitted (included in the application form)

Note: File name of documents (softcopy) must be in this format: Lastname Firstname_Document Type (e.g. Dela Cruz Juan_Passport or Dela Cruz Juan_UMID)

Renewal Applications

  • Duly accomplished application form
  • Same requirements as new application
  • Online identity verification (via video call)

Valid IDs (in the absence of UMID)

ANY TWO of the following cards are allowed as valid IDs based on BSP Circular 608 series of 2008:

  • LTO Driver's License
  • Professional Regulation Commission (PRC) ID
  • National Bureau of Investigation (NBI) Clearance
  • Police Clearance Certificate
  • Postal Identity Card
  • COMELEC Voter's ID
  • Government Service Insurance System (GSIS) e-Card
  • Social Security System (SSS) Card
  • OSCA Senior Citizen Card
  • Overseas Workers Welfare Administration (OWWA) ID
  • Seaman's Book
  • Alien Certification of Registration
  • Government Office and GOCC ID
  • NCWDP Certification
  • DSWD Certification
  • Integrated Bar of the Philippines ID
  • Company IDs from BSP/SEC/IC regulated entities

New Applications

  • Complete registration at the Online Registration System (ORS) portal
  • Softcopy of the following supporting documents of the authorized representative:
    • Philippine National ID (PhilID/ePhilID) or
    • Combination of the following:
      • Birth Certificate or valid Philippine Passport; and
      • Unified Multi-Purpose Identification (UMID) compliant card *
  • One (1) passport size photo taken within the last six (6) months
  • Online identity verification with the authorized representative (via video call)
  • Taxpayer Identification Number (TIN) of the Agency
  • Authorization Letter/Board Resolution naming the authorized representative/s
  • Verified e-mail address owned by the organization
  • Consent to verify and share the information submitted

Additional Requirements

For Government Agencies:

  • Government Service Insurance System (GSIS) registration number

For Non-Government Entities:

  • SEC business registration for corporation and partnership
  • DTI Certificate of Business Name Registration for single proprietorship
  • Cooperative Development Authority (CDA) registration for cooperatives
  • Business Permit issued by the Local Government Unit (LGU)
  • Social Security System (SSS) Employer Clearance

Renewal Applications

  • Duly accomplished application form
  • Same requirements as new application
  • Online identity verification (via video call)

Important Information

Bulk Applications & Inquiries

For bulk applications and other inquiries, please contact:

Please allow 2-3 business days for email responses. For urgent concerns, please contact your nearest PNPKI office.

Processing Time

Usually takes 1-2 working days

Cost

Free of charge

Validity

Valid for 1 year from issuance

Frequently Asked Questions

Find answers to common questions about PNPKI

What is Public Key Infrastructure (PKI)?

The Public Key Infrastructure (PKI), as its name implies, is an infrastructure that secures communications among individuals and government agencies. This way, the government's delivery of services to citizens and businesses becomes safer, faster and more efficient.

Why is it called 'public key'? Does it mean open and unrestricted?

No. The public key in PKI refers to the virtual 'key' that subscribers use to secure files sent over an otherwise unsecure 'public' network like the Internet. While it is called public, it can also work in a private network setting.

Why do I need a PKI?

As more and more people rely on online applications over unsecured networks like the Internet, the need to secure files and ensure the integrity of their information increases. This is where the PKI comes in. It addresses the authenticity, confidentiality and integrity of information.

What is a digital certificate?

A digital certificate is a file issued by a Certificate Authority containing the user's personal information just like an ordinary ID, only in this case, it is digital.

How can I have a digital certificate?

You can have a digital certificate by personally submitting an application to a Registration Authority (RA). The RA will then ask the Certificate Authority to generate a key or code and give it to you after processing.

Do I have to pay for it?

No. The digital certificate is free.

What types of certificates are issued?

You can avail of the following types of certificates:

  • Authentication certificate – used in applications that require the user to log in. It can also be used to encrypt email.
  • Signing certificate – used to digitally sign documents.
  • SSL certificate – a certificate for machines, like web servers, application servers, routers, Wi-Fi devices, and others. (This is not yet available as of this writing.)

Where can I use a digital certificate?

You can use a digital certificate in your email and other documents. You can use it to encrypt a document and/or digitally sign it. Its use is to authenticate documents or put signatures on them or both.

How do I use a digital certificate?

People need your digital certificate to send you an encrypted email, for instance, that only you can open. They also use it to verify your digital signature on electronic documents. It is not the certificate that you need to protect but the private key that is associated with it. Hence, in cryptographic tokens, the private key is generated inside the token and cannot be extracted from it. Soft tokens, however, store this private key as an ordinary electronic file. It is usually encrypted, and the encryption is computationally infeasible to break. Nonetheless, if someone obtains a copy of this private key and also the passphrase to use it, the key can be used along with the digital certificate to fraudulently sign documents or open encrypted email.
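The split described above (a public certificate used for verification, a passphrase-protected private key kept in a soft token) can be reproduced with OpenSSL. This is an added example, not part of the original PNPKI page or its tooling; the subject name, passphrases and file names are constructed, and a self-signed certificate stands in for a CA-issued one.

```shell
#!/bin/sh
# Constructed demo: every name, passphrase and file here is made up for illustration.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway key pair plus self-signed certificate, standing in for a CA-issued one.
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Constructed Test Subscriber" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# Soft token: private key and certificate in a PKCS#12 file encrypted under $1.
make_soft_token() {
  openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
    -out "$WORK/token.p12" -passout "pass:$1" 2>/dev/null
}

# Recover the private key from the soft token into $2; fails unless $1 is the passphrase.
unlock_key() {
  openssl pkcs12 -in "$WORK/token.p12" -passin "pass:$1" \
    -nocerts -nodes -out "$2" 2>/dev/null
}

# Signing needs the private key ($1); writes a signature over file $2 to $3.
sign_doc() {
  openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Verification needs only the public certificate: extract its key, check $2 over $1.
verify_doc() {
  openssl x509 -in "$WORK/cert.pem" -pubkey -noout > "$WORK/pub.pem" &&
    openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$2" "$1" >/dev/null 2>&1
}

demo() {
  make_identity && make_soft_token "constructed-passphrase" || return 1
  rm -f "$WORK/key.pem"    # from here on the key exists only inside the token
  unlock_key "wrong-guess" "$WORK/k.pem" && echo "unexpected: wrong passphrase worked"
  unlock_key "constructed-passphrase" "$WORK/k.pem" || return 1
  printf 'Constructed memo text\n' > "$WORK/doc.txt"
  sign_doc "$WORK/k.pem" "$WORK/doc.txt" "$WORK/doc.sig"
  verify_doc "$WORK/doc.txt" "$WORK/doc.sig" && echo "original: signature valid"
  printf 'altered\n' >> "$WORK/doc.txt"
  verify_doc "$WORK/doc.txt" "$WORK/doc.sig" || echo "altered: signature rejected"
}
demo
```

The unlocked key file written by unlock_key is unencrypted, which is why the demo keeps it in a temporary directory that is removed on exit.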

Do I have an option not to use it?

Of course you do. It's just that you will not be able to do the following: open encrypted files, access applications that require digital certificates and digitally sign documents for authenticity.

When can I use a digital certificate?

Whenever you feel like it. Or every time secure communication is needed, or a digital certificate is required for authenticity, confidentiality and integrity of data.

How long can I use the digital certificate?

A digital certificate is valid up to two years. After that, you have to apply for a new one.

How do I renew and how long is the process of renewal?

A digital certificate, technically, cannot be 'renewed.' It means you have to apply for a new one every time it expires and go through the application process again. All requirements will have to be satisfied and personal appearance is required.

Where can I store the digital certificate?

It can be stored in a USB secure token, an ordinary USB flash disk, a PC, a laptop or any mobile computer. The USB secure token is the safest because it has a built-in application that allows only a limited number of times for entering the PIN before it is blocked. A token can contain up to ten (10) certificates. Setting the token in the factory default will erase all data in its memory.

What if I lose my certificate?

The digital certificate is a public document. The moment you use it you can never lose it. However, if the private key is lost or compromised, or the passphrase to use it is forgotten, then the certificate needs to be revoked. A new key can then be generated, along with the digital certificate that will be associated with it.

What if the subscriber resigns, retires or exits from government service?

If it is a soft token, surrendering it is not necessary. The revocation can be easily done by the CA. However, if it is a cryptographic token and the company or CA owns it, then it needs to be surrendered. Individual owners may continue to use the certificates for transactions outside the concerned agency.

What are my responsibilities as digital certificate holder?

You have the responsibility to protect the certificate from misuse and abuse. You cannot, for example, lend it to other people or use it to forge documents or commit illegal acts with it. Unauthorized and illegal use are punishable according to the severity of the offense. A policy will be issued detailing the punishment for each administrative or criminal offense committed in the use of a digital certificate.

How long is the application process?

Upon completion of all the requirements by the applicant, a verification process will start. This process will take a minimum of one day and a maximum of two days, depending on the completion of requirements. After submission of documents (complete), the certificate is issued within a day or two. According to the policy (Section 4.2.3 of the RootCA-CP), issuance of the digital certificate should not exceed five calendar days after successful identity verification.

Is it possible to have multiple certificates?

A person may have two digital certificates: one for authentication and another for digital signing. He or she may get a third certificate, which is still to be offered, for PKI-enabled machines.

How big is a digital certificate?

A digital certificate takes up only 7kb to 10kb of computer memory.

What is the best browser to use when using PKI?

Firefox is recommended as it works well with Java, which is needed to run the digital certificates. Google Chrome, on the other hand, usually can't recognize Java.

What is the best email provider to use when encrypting and signing emails?

It is recommended to use email providers, such as Thunderbird and Outlook, for your digital certificates.