Certificate Servers

Overview

A public-key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.

PKI

In cryptography, a PKI is an arrangement that binds public keys to their respective user identities by means of a certificate authority (CA). The user identity must be unique within each CA domain. The binding is established through the registration and issuance process, which, depending on the level of assurance the binding requires, may be carried out by software at a CA or under human supervision. The PKI role that assures this binding is called the Registration Authority (RA). The RA ensures that the public key is bound to the individual to whom it is assigned in a way that supports non-repudiation.

On the Internet, a PKI refers to a system for the creation, storage, and distribution of digital certificates, which are used to verify that a particular public key belongs to a certain entity. Certificates can be held in software, securely distributed and managed, or in physical tokens. A popular token in use today is the Common Access Card (CAC).

More information on PKI is available at the following sites.

Web Site Wikipedia: Public-key Infrastructure

Web Site DISA IASE: About PKI and PKE

Web Site Wikipedia: Common Access Card

DoD PKI

To avoid a certificate error accessing secure DoD web sites, you must install the DoD Root Certificates. DoD operates its own certificate system to avoid the exposures from commercially purchased certificates. Follow these instructions and links to download and install the DoD Root Certificate Authorities.

Web Site DoD: Root Certificate Authority Installation Instructions on DISA website

Web Site DoD: Download Root CA 2 Certificate from DISA website

Web Site DoD: Download External Certification Authority (ECA) Root CA Certificate from DISA website

Web Site DoD: Download External Certification Authority (ECA) Root CA 2 Certificate from DISA website

For questions or problems with the DoD website please contact the DISA OKC OST at 1-800-490-1643 or by email at disa-esmost@csd.disa.mil.

The Defense Information Systems Agency (DISA) established its Information Assurance Support Environment (IASE) website to support DoD's goals and to assist users in accessing secure DoD Internet services.

DoD PKI is a set of services and products that provide and manage X.509 certificates for public key cryptography. A certificate identifies the individual named in it and binds that person to a particular public/private key pair. DoD PKI provides data integrity, user identification and authentication, user non-repudiation, data confidentiality, encryption, and digital signature services for programs and applications that use the DoD networks.

The purpose of the DoD PKI program is to improve information assurance by using a hierarchical cryptographic structure that provides the basis of trust users need to be assured that their communications remain private, are legitimate, and are received as sent.

Public key enablement (PKE) is the process of ensuring that applications work with the DoD Public Key Infrastructure (PKI). The methods of PK-enablement are PK-enabling existing software, buying commercial off-the-shelf (COTS) PK-enabled software, and using PK-enabled hardware devices. DISA provides a set of tools to assist users of DoD PKI systems in working with certificates. These are available at the following website.

Web Site DISA IASE: PKI and PKE Tools Website

If you need assistance with any of these tools and products, DISA provides the following contact information.

Web Site DISA IASE: Contact information

External Certification Authority (ECA)
Operational Research Consultants (ORC)

ECA - DoD

As a U.S. Government ECA, Operational Research Consultants (ORC) is authorized to provide digital certificates for:

  • Identification/Digital Signature for people and devices
  • Encryption to secure email and digital files
  • Server Authentication for identification of web sites and other devices
  • Domain Controllers for securing your Windows domain, and
  • Signing of Code

The ORC ECA supports medium, medium-token, and medium-hardware assurance levels, as defined in the U.S. Government ECA Certificate Policy. ORC ECA offers 1 and 3 year validity periods on all certificate types.

ORC ECA Subscribers include DoD contractors, vendors, allied partners, North Atlantic Treaty Organization (NATO) allies, foreign nationals, members of other Government agencies and their trading partners. The use of ECA certificates is not restricted to the conducting of business with the DoD.

Web Site ORC: ECA Certificates

Web Site ORC: ECA Repository

DoD Common Access Card (CAC)

Images: CAC front and CAC back.

The DoD Common Access Card (CAC), a "smart" card about the size of a credit card, is the standard identification for active-duty military personnel, Selected Reserve, DoD civilian employees, and eligible contractor personnel. It is also the principal card used to enable physical access to buildings and controlled spaces, and it provides access to defense computer networks and systems.

DoD provides the following reference center for information on DoD CAC and other ID Cards.

Web Site DoD CAC Reference Center

Using a CAC with a computer requires a CAC card reader. There are a variety of reasonably priced products available, most using a Universal Serial Bus (USB) interface that is easy to connect to any recent computer. At the company offices, we use the HID Omnikey 3121 USB Desktop Reader. You will find this product installed on one of the company hotdesks at our Annapolis Junction offices.

Web Site OMNIKEY 3121 USB

Corporate PKI

To avoid a certificate error accessing our corporate secure web sites and servers, you must install our corporate Root Certificate. We operate our own private certificate system, similar to other companies. Follow these instructions and links to download and install the certificate for our Root Certificate Authority (CA).

Web Site Web Site Security: Installing our Root Certificate
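Why installing a root certificate removes the certificate error, for both the DoD root certificates above and our corporate Root CA, as an added example that is not part of this page or of any DISA or corporate tooling: it constructs a private root CA and a web server certificate issued by it, then validates the server certificate first with an empty trust store (no root installed) and then with the root added. The CA name and the host name intranet.example.test are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mustCert signs tpl with signer's key (self-signed when parent == tpl); demo code, so errors panic.
func mustCert(tpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// buildChain makes a constructed private root CA (a stand-in for a DoD or corporate root) and a web server certificate issued by it; all names are made up.
func buildChain() (root, leaf *x509.Certificate) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // demo: rand failure ignored
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now().Add(-time.Hour)
	rootTpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Private Root CA"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root = mustCert(rootTpl, rootTpl, &rootKey.PublicKey, rootKey) // self-signed trust anchor
	leafTpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "intranet.example.test"},
		DNSNames: []string{"intranet.example.test"}, NotBefore: now, NotAfter: now.AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf = mustCert(leafTpl, root, &leafKey.PublicKey, rootKey) // issued under the root's private key
	return root, leaf
}

// verifyAgainst validates leaf for host using only the trust anchors in roots; a browser with no root installed behaves like an empty pool and reports a certificate error.
func verifyAgainst(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
```

Adding the root to the pool is the programmatic equivalent of installing the Root CA certificate in the operating system or browser trust store; a host name that does not match the certificate still fails even with the root installed.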

PGP Certificate Servers

Pretty Good Privacy (PGP) is a product of the PGP Corporation. Its products provide a set of encryption services for desktops and enterprises.

Web Site Additional information about PGP

PGP key certificate services are available from PGP. Configure the keyserver in your PGP application as ldap://keyserver.pgp.com. Keyservers can also be searched on the web at:

Web Site https://keyserver.pgp.com

The Massachusetts Institute of Technology (MIT) also operates a PGP key certificate server.

Web Site http://pgpkeys.mit.edu:11371/