Skip to: Content | Footer

  

Site Tools
Welcome to the State Controller's Office Web site
State Controller John Chiang

California Home

Halfdome at Yosemite National Park ca.gov website logo

Frequently Asked Questions Regarding the State’s Payroll Deduction Program

 

This page contains information relevant to clients participating in the State's Payroll Deduction program

Understanding Digital Certificates

Applying For Certificates

"The Certificate Manager encountered an unexpected error while processing your request. The following is a detailed message of the error that occurred.

Missing or malformed KeyGen, PKCS10 or CRMF request.

Please consult your local administrator for further assistance. The Certificate Management System logs may provide further information."

Deduction Files

Computer/Operating System / Browser

Understanding Digital Certificates

How secure is the State Controller’s Office Internet Reporting Process?

  • The State Controller's Office uses Digital Certificates to authenticate and protect data exchanged between our office and Deduction Clients.

Back to top

What are Digital Certificates?

  • Digital Certificates are electronic files that act like a kind of online passport. They are issued by a trusted third party, or certificate authority (CA), which verifies the identity of the certificate's holder. The digital certificates are tamper-proof and cannot be forged. Digital certificates do two things:

    • 1. They authenticate that their holders (people, web sites, etc,.) are truly who they claim to be;
    • 2. They protect data exchanged online from theft or tampering.

Back to top

How do Digital Certificates work?

  • Digital Certificates are based on public/private key technology. Each key is like a unique encryption device. No two keys are ever identical, which is why a key can be used to identify its owner.

    Keys always work in pairs; one is called the private key, and the other is called the public key. What a public key encrypts, only the corresponding private key can decrypt and vice versa. Public keys are distributed freely to anyone who wants to exchange secure information with you. Your private key is never copied or distributed and remains secure on your computer.

    Digital Certificates automate the process of distributing public keys and exchanging secure information. When you install a Digital Certificate on your computer, your computer now has its own private key. Its matching public key is freely available as part of your digital certificate posted on your computer.

    When another computer wants to exchange information with your computer, it accesses your Digital Certificate, which contains your public key. The other computer uses your public key to validate your identity and to encrypt the information to be shared using SSL (Secure Sockets Layer) technology. Only your private key can decrypt this information, so it remains secure from interception or tampering while traveling across the Internet.

Back to top

Applying for Certificates

Where can I obtain a copy of the participation request form?

Back to top

What happens after a participation request form is submitted?

  • The participation form's authorization name and signature are checked against our records. If the name and signature are on file the form will be processed and an email sent to the individual(s) listed on the request form. If the name and signature information is not on file the Deduction Coordinator will contact that individual requesting they provide additional information..

Back to top

Can a group / unit name and/or group/generic email address be used instead of listing each member of the group / unit?

  • Yes. However, when a participant requests a certificate they need to use the group/unit name and/or group / generic email address if the participation request form does not list individual names and/or email addresses.

Back to top

When our company began participating in the State of California voluntary miscellaneous deduction program we were assigned a deduction code without an organization code. After entering this information on the certification form we received "You must supply one ded org pair". Now What?

  • Click the "Ok" button to clear the error message, enter "000" in the organization code field and then click the "Submit" button once again.

Back to top

Internet Explorer users are asked to select a cryptographic provider from a list provided. Which one should be selected?

  • We recommend selecting "Microsoft Base Cryptographic Provider v1.0" then click "Submit" to continue the enrollment process.

Back to top

What are our options if we received the following error message after clicking the "submit" button?:
"The Certificate Manager encountered an unexpected error while processing your request. The following is a detailed message of the error that occurred.
Missing or malformed KeyGen, PKCS10 or CRMF request.
Please consult your local administrator for further assistance. The Certificate Management System logs may provide further information."

  • Internet Explorer users must change the "Active X" settings. For specific information and instructions, please access the "Internet Options" document.

Back to top

How long does it take for a certificate request to be granted?

  • If you have a participation request form already on file, the certification process is usually completed within 24 hours of submission.

Back to top

Deduction Files

How soon will the deduction files become available for downloading?

  • The deduction files will be available as soon as our semi-monthly and monthly business month processes are complete. An e-mail message will be sent notifying you when the files are available. A schedule of when deduction files are scheduled to become available can be found at the Internet File Availability Schedule page.

Back to top

The deduction file server maintains files for only 120 days. How can we obtain deduction information for purged files?

  • You will need to submit a request in writing to State Controller's Office, Data Management Unit (P.O. Box 942850, Sacramento CA 94250-5878). You will be contacted after your request is received to let you know how long it will take and the associated cost to provide the data being requested.

Back to top

Sometimes we experience problems accessing the deduction file server. Is there an alternate site?

  • We recommend you wait 5-10 minutes and try again. If you continue to have problems connecting to the deduction server, you can try https://pid1.sco.ca.gov/.

Back to top

When we access the deduction file server there are files that end with "A", "B", "AP" and/or "BP". What do these designations mean?

  • "A" and "B" are "EBCDIC" (Extended Binary Coded Decimal Internchage Code) formatted files that can be downloaded and used on mainframe computers. "AP" and "BP" are ASCii (American Standard Code for Information Interchange) formatted files that can be downloaded to a personal computer and the information displayed through a text editor, word processor or spreadsheet program.

    For clients receiving files on a semi-monthly basis, files designated as "A" contain information for payments and/or adjustments issued from the 2nd of the month through the 16th of the month. Files designated as "B" contain information for payments and/or adjustments issued from the 17th of the month through the 1st of the following month. For clients receiving files on a monthly basis, files designated as "B" contain information for payments and/or adjustments issued from the 2nd of the month through the 1st of the following month.

Back to top

What are the steps to save an "AP / BP" file?

  • For those using Internet Explorer:
  • Move the mouse to the desired file
  • Windows users click the right mouse button/Macintosh users click the mouse button
  • Select "Save target as"
  • Change "Save in" to desired location
  • Type "File name"
  • Do not change "Save as type"
  • Click "Save"
  • Depending on the size of the file and your internet connection, downloading will take a few seconds to a couple of minutes
  • For those using Netscape:
  • Move the mouse to the desired file
  • Windows users click left or right mouse button/Macintosh users click the mouse button
  • If the browser is Netscape 7.0 or newer select "Save Target File As...", else select "Save to disk"
  • Change "Save in" to desired location
  • Type "File name"
  • Do not change "Save as type"
  • Click "Save"
  • Depending on the size of the file and your internet connection, downloading will take a few seconds to a couple of minutes.

Back to top

Our company has more than one deduction / organization code. How many deduction files will we need to download?

  • When you access the deduction server and see "Directory DXXX Files:" and "Directory DXXX Files:", etc., the deduction and organization codes are in separate files. If there is only one "Directory DXXX Files", all deduction information is contained in one file, separated by the deduction and organization code.

Back to top

Computer / Operating System / Browser

What type of software is required to participate in the Internet Payroll Deduction Reporting process?

  • Access to our server requires a Web browser that supports Secure Socket Layer (SSL) protocols.

Back to top

Can I still participate if I do not use Window Operating System software?

  • Yes, both Macintosh and UNIX operating systems can be used with Netscape browsers..

Back to top

Is there any password protections I need to be aware of?

  • For Netscape browser users, after requesting a certificate, you will create your "private key" that is password protected. The password should be at least 8 characters long and be a combination of alpha and numeric characters.

Back to top

Can I use different computers to access your secure servers?

  • Digital Certificates are actually "resident" in your browser. After installing your certificate in your browser, that browser must be used to connect to our site as the certificate information resides in the requesting/receiving computer's browser.

Back to top

Can we use Windows XP to access the deduction files servers even though it is not one of the supported operating systems?

  • Yes. However, we do not provide support for this operating system.

Back to top

I am using Netscape and have forgotten my password. Can it be reset?

  • No. You will need to request a new certification as password information is encrypted in a secure file on your computer. You will need to search for and delete the file "key3.db". Start Netscape and go to https://sacs.sco.ca.gov (Certificate Manager) to request a new certification.

Back to top

My browser indicates I have a personal certificate as well as a site certificate. What is the difference?

  • There are two types of Digital Certificates: personal certificates and server certificates.

    Personal certificates let us authenticate a visitor’s identity and restrict access to specified content to particular visitors. Personal certificates are perfect for business–to–business communications such as offering our deduction clients controlled access to special Web sites for accessing their particular deduction data.

    Server certificates allow visitors to our Web site by encrypting the information exchanged between their Web browser and our server. Server certificates also allow visitors to our site to authenticate our identity so you can feel secure that you are communicating with us and not with a rogue site impersonating us.

    Server certificates are a must for everyone operating a site designed to exchange confidential information with clients, customers, or vendors.

Back to top

Is there a process for "backing up" my certificate?

  • Yes, both Netscape and Internet Explorer browsers contain processes that allow users to "back up" certificate information. Maintaining a "back up" of your certificate is highly recommended, as you do not have to request a new certification if your computer or its software becomes inoperable or is replaced/upgraded.

Back to top

Every time I access the certificate or deduction server, I receive "Security Error: Domain Name Mismatch". Why?

  • This message appears for Netscape users and means the IP name on the site certificate is different than the name being used to access the secure server. This message should be treated as a warning and click "Ok" to continue.

Back to top

State Controller's Office
Personnel/Payroll Services Division
P.O. Box 942850
Sacramento, CA 94250-5878
Last Modified: July 12, 2007