Logbook of the World

Managing Callsign Certificates

LoTW uses public-key cryptography to authenticate QSOs submitted by each user. Public-key cryptography employs two separate but mathematically-related keys, one of which is private and one of which is public. Information encrypted with a private key can only be decrypted with its associated public key, proving that the holder of the private key was the source of the information.

When you direct TQSL to request a Callsign Certificate, it generates a private key and a public key. It stores the private key in a folder on your computer, and sends the public key to the ARRL. The ARRL creates a Callsign Certificate that links your callsign with your public key, places this Callsign Certificate in a file with a .tq6 filename extension, and then sends this file to you by email so you can load the Callsign Certificate into TQSL.

When you direct TQSL to digitally sign QSOs to be sent to LoTW, it uses the callsign in the specified Callsign Certificate to select the associated private key. TQSL uses this private key to generate an encrypted signature for each QSO, and sends the signatures and QSOs to LoTW. LoTW decrypts each received QSO signature using your public key, and verifies its consistency with the received QSO, thereby proving that you are the source of that QSO and that the QSO's details have not been changed.

A Callsign Certificate is thus only useful when running TQSL on a computer on which the associated private key is present. You can copy a Callsign Certificate and its associated private key to another computer using the procedure described here.

If you have a valid Callsign Certificate for a callsign and direct TQSL to request a new Callsign Certificate for that callsign, the existing Callsign Certificate will be invalidated when LoTW processes the request.
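
The sign-and-verify flow described above, and the effect of a repeat certificate request, as an added example that is not TQSL or LoTW code. RSA with SHA-256 and PKCS#1 v1.5 signatures is an assumption made for illustration; the `registry` type, the callsigns and the QSO text are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// registry models which public key is certified per callsign (hypothetical stand-in).
type registry map[string]*rsa.PublicKey

// requestCert makes the key pair locally, registers only the public half, replaces any old key.
func (r registry) requestCert(callsign string) *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	r[callsign] = &key.PublicKey
	return key
}

// signQSO is the station side: sign the SHA-256 digest of the QSO record.
func signQSO(key *rsa.PrivateKey, qso string) []byte {
	digest := sha256.Sum256([]byte(qso))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// accept is the server side: verify against the callsign's current public key.
func (r registry) accept(callsign, qso string, sig []byte) bool {
	pub, digest := r[callsign], sha256.Sum256([]byte(qso))
	return pub != nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	r := registry{}
	key := r.requestCert("N0CALL")                                  // constructed callsign
	qso := "CALL:X0TEST BAND:20M MODE:CW DATE:2024-01-01 TIME:1200" // constructed record
	sig := signQSO(key, qso)
	fmt.Println("genuine QSO accepted:", r.accept("N0CALL", qso, sig))
	fmt.Println("altered QSO accepted:", r.accept("N0CALL", qso+"0", sig))
	r.requestCert("N0CALL") // repeat request: the earlier key is no longer the certified one
	fmt.Println("old-key signature accepted:", r.accept("N0CALL", qso, sig))
}
```

Only the first check succeeds: a changed QSO no longer matches its signature, and a signature made with the superseded private key fails against the newly registered public key.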