A relying party is an entity that, by using another's certificate to verify the integrity of a digitally signed message, to identify the creator of a message, or to establish confidential communications with the holder of the certificate, relies on the validity of the binding of the Subscriber's name to a public key.
DoD Instruction 8520.2, "Public Key Infrastructure (PKI) and Public Key (PK)-Enabling", requires that DoD Information Systems with users who are not eligible to receive certificates from the DoD PKI accept certificates issued by DoD-approved external PKIs, including ECA certificates. The ECA PKI is a hierarchical PKI with 1024- and 2048-bit Root CA trust anchors and a single layer of Subordinate CAs. The Root CAs are hosted by the National Security Agency (NSA), and the Subordinate CAs are owned and operated by commercial vendors that the DoD has approved as meeting all ECA technical, policy, and security requirements.
Allowing ECA certificates to be used for client authentication to a web server requires installing the ECA Root CA and ECA Root CA 2 certificates into the web server's local trust list and downloading the ECA Root CA and ECA Root CA 2 CRLs and all Subordinate CA CRLs. Some web servers may also require installing the Subordinate CA certificates into the local trust list.
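The following is an added example (not part of the original page and not DoD or DISA code) showing how a relying party's web server would enforce the requirements just listed using only Python's standard-library `ssl` module: client certificates are mandatory, the chain must terminate at an explicitly loaded ECA Root CA trust anchor rather than the OS trust store, and a CRL is required for every CA in the chain. The PEM file names are assumed placeholders for the Root CA certificates and the Root and Subordinate CA CRLs obtained from the sites named below.

```python
"""Relying-party TLS server configuration for ECA client certificates.

Added example using only the standard library.  All file paths are
placeholders (assumption): they stand for the ECA Root CA / Root CA 2
certificates and the Root and Subordinate CA CRLs downloaded from the
DISA sites, converted to PEM.
"""
import ssl
from pathlib import Path

# Placeholder file names (assumption), not the page's own paths.
ECA_TRUST_ANCHORS = ["eca_root_ca.pem", "eca_root_ca_2.pem"]
ECA_CRLS = [
    "eca_root_ca.crl.pem",
    "eca_root_ca_2.crl.pem",
    "orc_eca.crl.pem",          # one CRL per Subordinate CA that will be accepted
    "identrust_eca_1.crl.pem",
]


def apply_eca_client_auth_policy(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Apply the relying-party policy to an existing server context.

    - CERT_REQUIRED: the handshake fails unless the client presents a
      certificate that chains to a loaded trust anchor.
    - VERIFY_CRL_CHECK_CHAIN (OpenSSL CRL_CHECK | CRL_CHECK_ALL): every CA
      in the chain is checked against a loaded CRL, and a *missing* CRL for
      any CA is itself a verification failure.  This is why all Subordinate
      CA CRLs, not only the Root CRLs, must be downloaded.
    """
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN
    return ctx


def new_eca_policy_context() -> ssl.SSLContext:
    """Server-side context with the policy applied and no trust material yet.

    The OS trust store is deliberately NOT loaded (no load_default_certs()),
    so only the ECA Root CAs installed below are accepted as trust anchors.
    """
    return apply_eca_client_auth_policy(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER))


def missing_trust_material(paths) -> list:
    """Return the subset of paths that do not exist on disk."""
    return [p for p in paths if not Path(p).is_file()]


def load_eca_trust_material(ctx: ssl.SSLContext, trust_anchors, crls) -> ssl.SSLContext:
    """Install Root CA certificates and CRLs into the context's trust list.

    CRLs are loaded through load_verify_locations() just like CA
    certificates; OpenSSL recognises the PEM block type.
    """
    missing = missing_trust_material([*trust_anchors, *crls])
    if missing:
        raise FileNotFoundError(f"missing ECA trust material: {missing}")
    for pem in [*trust_anchors, *crls]:
        ctx.load_verify_locations(cafile=pem)
    return ctx


def build_eca_server_context(server_cert, server_key,
                             trust_anchors=ECA_TRUST_ANCHORS, crls=ECA_CRLS) -> ssl.SSLContext:
    """Full context: server identity plus ECA trust anchors and CRLs."""
    ctx = new_eca_policy_context()
    ctx.load_cert_chain(certfile=server_cert, keyfile=server_key)
    return load_eca_trust_material(ctx, trust_anchors, crls)


def policy_summary(ctx: ssl.SSLContext) -> dict:
    """Machine-checkable view of the policy actually set on a context."""
    return {
        "client_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "crl_check_chain": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_CHAIN),
    }


if __name__ == "__main__":
    ctx = new_eca_policy_context()
    print(policy_summary(ctx))
    print("trust material still to download:",
          missing_trust_material([*ECA_TRUST_ANCHORS, *ECA_CRLS]))
```

Because CRLs expire (each carries a nextUpdate), the CRL files must be refreshed on a schedule and the context rebuilt; a stale CRL causes every ECA client to be rejected, which is the safe failure mode but one that operators should monitor for.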
To obtain the ECA CA certificates and CRLs via HTTP, visit the following sites:
- ECA Root CA Certificate
- ECA Subordinate CA Certificate
- CRLs
To obtain ECA CRLs using direct LDAP, query the following directory entries:

For ECA Root CAs, use GDS:
- Host:Port: crl.disa.mil:389
- Base DN: ou=ECA, O=U.S. Government, C=US
- Common Names: "ECA ROOT CA" and "ECA ROOT CA 2"
- Attribute: certificaterevocationlist;binary

For Vendor Subordinate CAs:
- Host:Port: crl.disa.mil:389
- Base DN: ou=Certification Authorities, ou=ECA, O=U.S. Government, C=US
- Attribute: certificaterevocationlist;binary
- Common Names:
  - "ORC ECA", "ORC ECA 2" and "ORC ECA Foreign Nationals CA 1"
  - "Verisign Client External Certification Authority"
  - "IdenTrust ECA 1"
To obtain ECA revocation status using OCSP, use the following services:

For Vendor Subordinate CAs:

IdenTrust

ORC
- URL of OCSP Service: http://eva.orc.com
- Port for OCSP Service: 80
- Model of Operation: Direct Trust (VA certificate issued from ECA hierarchy)
- Supported CAs: ORC ECA, ECA 2, ECA FN, ECA SW 3 and ECA HW 3

Verisign
- URL of OCSP Service: http://eca-client-ocsp.verisign.com
- Port for OCSP Service: 80
- Model of Operation: Delegated Trust
- Supported CAs: Verisign Client External Certification Authority, original and version G2