Who Needs a Digital Signature
How to Apply for Digital Signature Certificates
How to Install an ACES Digital Certificate
Where the Digital Certificate is Stored
Exporting/Backing-up Digital Certificates
Importing Digital Certificates
Certificate Retrieval Problems
Enabling Password Protection on Stored Certificates
IdenTrust Technical Support
Step-by-Step Guide to Attach Digital Signatures to Form LM-2 and Upload the Signed Form LM-2 to the DOL Web site
Who Needs a Digital Signature
The union’s President, Treasurer, and Trustees (if the union is in Trusteeship) must sign
Form LM-2 with a Digital Signature, which is electronically applied. In certain
instances, an individual other than the President or Treasurer may electronically sign the
Form LM-2 based upon the responsibilities of that individual.
How to Apply for Digital Signature Certificates
The application process takes place online. The Access Certificates for Electronic
Services (ACES) digital certificates must be purchased through IdenTrust (formerly
known as Digital Signature Trust) at: http://www.identrust.com/certificates/buy_aces.html.
IdenTrust offers more than one type of certificate. Form LM-2 requires an ACES digital
certificate. Individuals required to sign the Form LM-2 may use either an individual or a
business representative certificate.
ACES Unaffiliated Individual Certificate
This certificate enables you to authenticate yourself for personal government
transactions to gain access to restricted Web sites and to send and receive e-mail
communications using your digital certificate to authenticate yourself.
ACES Business Representative Certificate
This certificate enables you to authenticate yourself as an employee of a valid business
for government transactions to gain access to restricted Web sites and to send and
receive e-mail communications using your digital certificate to authenticate yourself.
The charge for a digital signature certificate is $35 for an individual certificate or $119
for a business representative certificate. If 10 or more business representative certificates
are purchased at one time, the price drops to $90 for each business representative
ACES certificates are valid for two years from the date of certificate issuance. The
certificate can be used for filing documents with all government agencies that participate
in the ACES program.
For an ACES individual certificate, applicants will need to provide name, former last
name (if changed in last twelve months), home address, social security number, date of
birth, a valid driver's license number or state ID, e-mail address, work phone, home
phone and a credit card issued to the same name and address provided in the application.
For the ACES business representative certificates, applicants will need to provide name,
job title, organization name, entity type (most unions are typically non-profit or
unincorporated), state of incorporation (if applicable), work mailing address, phone and
fax numbers, e-mail address, social security number, and driver's license number or state
ID. Additionally, all applicants must submit a notarized form authenticating their identity
and an acknowledgement of the certificate application signed by the employer.
Upon approval of the ACES application, a Retrieval Kit will be mailed to the applicant
that will allow for immediate certificate retrieval.
How to Install an ACES Digital Certificate
Upon receipt of the Retrieval Kit, you will need to install the ACES Digital Certificate
1. Go to DST’s secured certificate retrieval page at the following URL:
2. Enter your activation code as provided in your retrieval kit.
3. Enter the passphrase you created during the initial application process.
4. Follow the prompts for the next steps until retrieval is completed.
Where the Digital Certificate is Stored
To confirm that the digital certificate was properly installed, go to the internet browser
and from the Tools menu option choose Internet Options or go to the control panel
under settings on the computer and choose Internet Options. From the Content tab,
click the Certificates box. The certificate should be located under the Personal or
Other People tab. This is where the certificate is stored in your computer.
Exporting/Backing-up Digital Certificates
Exporting Digital Certificates allows you to make a back-up of your certificate. By doing
so, the Digital Certificate can be moved to a different computer if needed.
Exporting from Internet Explorer:
1. Click on Tools menu; on Internet Options; Content tab; Certificates button.
2. Click once on the certificate you wish to export.
3. Click the Export button, and click Next on the first screen.
4. Make sure that Yes, export the private key is chosen, then click Next.
5. Leave the Enable strong protection box checked. Although not necessary, it
is recommended you check the "Include all certificates in the certification path if
possible" box. Click Next.
6. Type in any password of your choosing (and re-type it in the appropriate
box). Keep in mind that passwords are case-sensitive. Any capital letters you use
will also need to be used later. Click Next.
7. Click the Browse button. Choose a drive (disc or memory stick) and folder you
would like to store the file in. Then type in a name you would like the file to
have. Click Save. Click Next.
8. Click Finish. If it asks you to click OK, do so. If it asks for a password, then
this would be the same password it asks for when you normally use the certificate
online. NOTE: the saved file will look like an open envelope with a key in front.
Importing Digital Certificates
Importing to Internet Explorer (on different computer):
1. Locate the file you had saved above.
2. Double-click the file. The Certificate Import Wizard will open. Click Next.
3. Click Next.
4. Type in the password that was chosen in step 6 above. The check-boxes are
optional, but it is recommended you check both. Here is the description of each:
a. "Enable Strong Private Key Protection" If not selected, Internet Explorer
stores your certificate (and private key) with low security. If selected, it will
allow you to select "Medium" or "High" security later. High security causes
Internet Explorer to ask you for a password each time the certificate is used.
Medium security causes Internet Explorer to ask if you are sure each time the
certificate is used.
b. "Mark the Private Key As Exportable" This option must be selected to
make the export option available.
5. The "Certificate Store" window should open. (Assuming you put the check
mark in "Include all certificates..." in step 5 of exporting.) Click Next.
6. Click Finish.
7. If "Enable Strong..." in step 4 was selected, "Importing a new private exchange
key" window will open. By default, it is set to Medium security (as described in
step 4a above). If you choose to use High security, then click the "Set Security
Level" button, and follow the instructions displayed.
8. Click OK for "Importing a new private exchange key."
9. A message should appear stating, "The import was successful." Click OK.
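The store location and the exported backup described above can also be checked from PowerShell. This is an added example, not part of the original guide or of IdenTrust's tooling; the backup file name is a hypothetical placeholder, and it assumes the Get-PfxData cmdlet from the PKI module included with Windows 8 / Server 2012 and later.

```powershell
# Added example. $BackupPath is a hypothetical name: use the file saved in export step 7.
param(
    [string]$BackupPath = "$env:USERPROFILE\Desktop\aces-backup.pfx"
)

# Cert:\CurrentUser\My is the store shown on the "Personal" tab in Internet Options.
$now = Get-Date
$personal = @(Get-ChildItem -Path Cert:\CurrentUser\My)
if ($personal.Count -eq 0) {
    Write-Warning 'No certificate in the Personal store for this Windows account.'
}

# HasPrivateKey = False means the certificate cannot sign; DaysLeft below 0 means expired.
$personal | ForEach-Object {
    [pscustomobject]@{
        Subject       = $_.Subject
        Issuer        = $_.Issuer
        Thumbprint    = $_.Thumbprint
        HasPrivateKey = $_.HasPrivateKey
        Expires       = $_.NotAfter
        DaysLeft      = [math]::Floor(($_.NotAfter - $now).TotalDays)
    }
} | Format-List

if (-not (Test-Path -LiteralPath $BackupPath)) {
    Write-Warning "Backup file not found: $BackupPath"
    return
}

# Open the backup without installing it, which also proves the export password works.
$password = Read-Host -Prompt 'Export password (case-sensitive)' -AsSecureString
try {
    $pfx = Get-PfxData -FilePath $BackupPath -Password $password -ErrorAction Stop
} catch {
    Write-Warning "Backup could not be opened: $($_.Exception.Message)"
    return
}

# Match each end-entity certificate in the backup against the installed ones by thumbprint.
foreach ($c in $pfx.EndEntityCertificates) {
    $match = $personal | Where-Object { $_.Thumbprint -eq $c.Thumbprint }
    [pscustomobject]@{
        BackupSubject = $c.Subject
        Thumbprint    = $c.Thumbprint
        InstalledHere = [bool]$match
        Expires       = $c.NotAfter
    }
}
```

Run it under the same Windows account that retrieved the certificate, since the Personal store is per user.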
Certificate Retrieval Problems
If you retrieved your certificate previously, but are unable to access it, the certificate may
need to be replaced. Following are some potential problems which may require a
1. No certificate listed in Internet Explorer.
a. The certificate may have been retrieved with a different computer, or different
b. The certificate may have been deleted.
2. The export enabling option may not have been selected.
a. The private key may have been deleted.
3. Password not accepted. This may occur if the original password was forgotten or
typed incorrectly. Remember, the password is case-sensitive.
Following are the steps for replacing your certificate if problems with certificate retrieval
cannot be resolved.
Certificate Replacement steps
1. Log on to the Certificate Management Center (CMC) web site at:
2. If it asks you to choose a certificate (the window is titled "Client Authentication"),
3. Log on to CMC by providing your account number, and DST Passphrase. (If
Passphrase is forgotten, you can reset your Passphrase by answering question(s)
that were established during the initial application process).
4. When you successfully log into CMC, look for the drop-down box under the
listing for your "Valid Certificates." Select "I would like to replace my
certificate" and click the Continue button.
5. Select the first option ("Generate a replacement") and click Next.
6. Follow the onscreen instructions to retrieve a new certificate. You will be given a
new activation code to use for certificate retrieval.
7. Upon retrieval of a new certificate, you will need to "Verify" the installation. Be
aware that this will fail the first time because you had to click 'Cancel' in step #2
above. Follow the instructions provided to verify the installation.
Enabling Password Protection on Stored Certificates
Certificate passwords protect your certificate while it is stored in your browser. When a
certificate password is enabled, the browser requires you to enter the password every time
you use your certificate. By default, Netscape provides password protection to stored
certificates. If you use the Internet Explorer browser, you must manually enable
certificate password protection.
You can enable password protection during the certificate retrieval process. To password
protect your certificate, perform the following steps:
1. From Internet Explorer, select Tools, then Internet Options. The system
displays the Internet Options screen.
2. Select the Content tab then click the Certificates button in the Certificates
section of the screen. The system will display the Certificates screen.
3. Highlight the certificate you want to password protect by selecting it, then click
the Export button.
4. The system will display the Certificate Export Wizard window. Click Next.
5. Select the radio button Yes, Export the Private Key. Click Next.
6. Remove check marks from all check boxes and click Next.
7. Enter a certificate export password in both password fields. Click Next.
8. Click the Browse button. Navigate to your desktop. Choose and enter a filename
for the exported certificate. Click Save.
9. Click Next then click Finish. You should receive a message, "The export was
successful." Click OK. The system will re-display the Certificates screen.
10. Highlight the certificate that was exported. Click Remove. The system will
prompt you to confirm that you want to delete the certificate. Click Yes. The
system will delete the certificate and re-display the Certificates screen.
11. Select Import. The system will display the Certificate Import Wizard window.
12. Click on Browse. Navigate to your desktop and select the certificate that was
exported. Click Open, then Next.
13. Enter the certificate export password. Place check marks in BOTH check boxes,
then click Next.
14. Click the Next button twice, and then Finish. The system will display the
Importing a New Private Exchange Key window. Click Set Security Level.
Select the High option and click Next.
15. The system will prompt to enter the password to access your certificate.
16. In the Password for: box, type in a name for Internet Explorer to use when
prompting for a password. In the Password: and Confirm: boxes, enter
the password. Click Finish.
17. Click OK. You should receive a message, "The import was successful."
Your certificate is now password protected. You may delete the certificate file on your
desktop or move it onto backup media.
IdenTrust Technical Support
IdenTrust will only speak with the certificate holder/owner for issues relating to a
specific certificate. The technical hotline number is 1-888-248-4447 and calls are taken
from 7:00 AM to 6:00 PM Mountain Time.
Step-by-Step Guide to Attach Digital Signatures to Form LM-2 and Upload the Signed Form LM-2 to the DOL Web site
The guide assumes that the digital signature certificates have been installed onto the
computer(s). We provide clients with an LM-2 file on a READ ONLY CD. Please
copy the file onto the computer that has the signatures installed (i.e. desktop or
other place on the computer). Once the file is copied to the computer, the CD can be
removed from the drive as it will not be used for the remaining steps.
How to Attach Digital Signatures to the LM-2
Open the LM-2 File. The following “Document Status” message will appear. Click
The following screen will appear.
Click on Validate Form button.
A box will appear indicating the Form has passed the validation check. Click OK.
Please note that the telephone numbers and dates for the President and Treasurer
cannot be added to the Form LM-2. The telephone numbers are embedded in the
digital certificates which are applied to the Form LM-2 automatically (although you
cannot see it) and the date is automatically applied when the digital signatures are
attached to the Form LM-2.
The signature blocks will be added. Red arrows will appear in the signature blocks.
Click on the signature line for the President.
A message that says “Alert - Document Is Not Certified” will appear. Click the
Continue Signing button.
A Data Exchange File - Digital ID Selection box should appear.
Normally, there will be a choice of digital signatures to select. Our example just
shows one signature.
Highlight the certificate to be used. Click OK.
A message that says “Signing data with your private exchange key” will appear. Enter
the password for the President. The password is the one created when the digital
signature was retrieved from IdenTrust and installed on the computer. Click OK.
A message that says “Apply Signature to Document” will appear. Click the Sign and
Save As button. The program will browse to the directory wherever the file was
originally saved on the computer. Highlight the LM-2 file when prompted and save over
the existing file.
A message will say “You have successfully signed this document.” Click OK.
Upon successfully signing the Form LM-2, a green checkmark should appear on the
signature, replacing the red arrow. The green checkmark indicates that the form has been
signed, and there have been no changes to the form since the signature was applied.
There may also be a blue question mark or a yellow triangle (with an exclamation symbol
inside) with the red pen over the signatures. These symbols are acceptable and will not
interrupt the submission of the LM-2.
Please note that if you see a RED “X,” the signature has not been attached and there
may be a problem with the Form LM-2.
Proceed to the second signature for the Treasurer. Repeat the above steps.
Union in Trusteeship: If you are filing the Form LM-2 for a union in trusteeship, click
on the Add Signature Block button on the first page of the form. A new page will be
added to the end of the form with two additional signature blocks for trustees. Follow the
above steps to apply signatures.
How to Upload the Signed Form LM-2 to the DOL
Go to the following website address: http://erds.dol-esa.gov/filer/SelectForm.do. The
following screen should appear.
1. Select the Browse button and locate your signed Form LM-2 on your computer.
Highlight the LM-2 File and select Open.
2. Click on the Click Here to Start Uploading button.
3. Upon successful completion, you will receive a confirmation receipt.