
PKI and PKE (A to Z)

*PKI = DoD PKI Certificate Required
 

 Briefs

 
Description
Ask the PKE Expert 2012 *PKI
A moderated panel of PKI experts from the DoD Services and Agencies answers the top policy questions and addresses technical challenges. (PDF Download) Size: 256 KB
Ask the PKE Expert 2011 *PKI
This presentation was the introduction to a moderated panel with PKI experts from the Services and Agencies; it highlights current top PKE-related issues each panelist's organization faces. (PDF Download) Size: 325 KB
Authorization and Authentication for Web Servers *PKI
An in-depth discussion of the distinction between authentication and authorization, including the principles and definitions of both and the implications for identity management in the big picture. The second half of the presentation focuses on practical applications by describing things to look for in a PKE server configuration (trusting roots, TLS, CVC, MDS, CTLs, access control and PKI implications with Server 2k8 release 2). (PDF Download) Size: 1,954 KB
This presentation provides an overview of Coalition PKI and discusses the certificate issuance process, capability demonstrations and the deployment schedule. (PDF Download) Size: 1,752 KB
Crypto Migration Team Update on SHA-256: DoD/VA North Chicago Case Study *PKI
This presentation provides a case study on the interoperability issues faced by (and proposed resolution for) DoD and Veterans Affairs systems which need to interoperate in support of the joint medical efforts in the North Chicago area. In particular, the study examines the challenges presented by the VA infrastructure having migrated to SHA-256 while the DoD infrastructure has not. NOTE: This is not the complete session brief from the conference, only the case study portion presented by the PKE team. (PDF Download) Size: 171 KB
Department of Defense Public Key Enabling 101 *PKI
This presentation introduces the terms and concepts surrounding PK-Enabling while debunking many of the myths and misuse of the terminology. This includes topics like PK-Enabling vice CAC-Enabling, Certificate Validation vice OCSP Enabling, and what it really means to PK-Enable an application or system. (PDF Download) Size: 1,978 KB
DoD PKE Tools Expo *PKI
What tools are available to enable systems to use DoD and DoD-approved PKI? This presentation provides an overview of the current tool offerings from DoD PKE. (PDF Download) Size: 1,898 KB
IDAM 101 *PKI
This presentation focuses on introducing the terms and concepts surrounding Identity and Access Management. (PDF Download) Size: 1,064 KB
The inspection of TLS is an increasingly common topic of conversation. Commercial products exist to allow for TLS inspection but potentially place identity management at risk. This presentation explores various options and discusses concerns. (PDF Download) Size: 2,799 KB
Interoperability with Department of State *PKI
An informative presentation on the DoD and DoS PKI Programs covering the history, interoperability operational requirements, processes for establishing interoperability with the DoD and DoS PKIs, and achievements and efforts to date. (PDF Download) Size: 803 KB
Java and Public Key Enablement 2011 *PKI
This presentation provides an overview of Java's PKI capabilities and how they are configured. It will include discussion of options for revocation-checking configuration in light of Java's limited CRL size support, and configuration for FIPS 140-2 compliance. (PDF Download) Size: 617 KB
Java and Public Key Enabling 2012 *PKI
This presentation provides an overview of Java’s PKI capabilities and how they are configured. It includes a discussion of options for revocation-checking configuration in light of Java’s limited CRL size support, and configuration for FIPS 140-2 compliance. (PDF Download) Size: 629 KB
PKE 101 *PKI
This presentation focuses on introducing the terms and concepts surrounding PK-Enabling while debunking many of the myths and misuse of the terminology. This includes topics like PK-Enabling vice CAC-Enabling, Certificate Validation vice OCSP-Enabling, and what it really means to PK-Enable an application or system. (PDF Download) Size: 1,892 KB
PKI Interoperability: What Every DAA and System Owner Needs to Know *PKI
This presentation provides an overview of the policies surrounding interoperability in the DoD, discusses how interoperability works, and what implementation considerations and current tools exist to help. (PDF Download) Size: 1,139 KB
Public Key Enabling SIPRNet *PKI
This presentation covers considerations and steps for configuring SIPRNet systems to use NSS PKI, with a focus on how PK-enabling on SIPRNet differs from PK-enabling on NIPRNet. (PDF Download) Size: 621 KB
State of Commercial Mobile Devices (CMD) in the DoD PKI *PKI
This presentation discusses the current state of CMDs in the DoD and the challenges enabling the use of the DoD PKI on CMDs. (PDF Download) Size: 610 KB
TACT: Trust Anchor Constraints Tool *PKI
TACT is a set of web server plugins and management applications for Microsoft Internet Information Services (IIS) and Apache HTTPD servers that aim to enable interoperability and enhance security when using mutually authenticated SSL/TLS. This presentation introduces TACT and provides an overview on when and how to use the tool. (PDF Download) Size: 2,216 KB
The DoD PKE team is currently evaluating a variety of thin clients for usability with the SIPRNet Hardware Token as well as consolidating information from evaluation efforts across the DoD community. Please contact dodpke@mail.mil if your organization is evaluating a thin client or if you don't see your thin client on the list. (PDF Download) Size: 248 KB
Thin Client Use with SIPRNet PKI *PKI
This presentation discusses thin clients in use throughout the DoD and their current functionality with the new DoD SIPRNet hardware token. (PDF Download) Size: 765 KB
Trust Store Management *PKI
This presentation focuses on the various PKI certificate trust stores a system can leverage for PK-enabling applications and services. This will include topics of how to manage (add/remove, lockdown, control) PKI Root and Subordinate CA certificates, and which applications/services leverage which trust stores. (PDF Download) Size: 1,737 KB
 

 DoD & Federal Guidance

 
Description
This memorandum deems the SafeNet Model SC650 smart card tokens "acceptable for use" on the NSS PKI SECRET-high network under the NSS Root CA and provides operational guidance for the use and proper handling of the SIPR token. (PDF Download) Date: 02/17/2011 | Size: 1,953 KB
The Committee on National Security Systems Instruction (CNSSI) No. 1300, "Instruction for National Security Systems (NSS) Public Key Infrastructure (PKI) X.509 Certificate Policy, Under CNSS Policy No. 25," states the requirements for issuing and managing certificates that Relying Parties can use in making decisions regarding what assurance they can place in a certificate issued by a NSS PKI CA. (LINK to PDF Download)
Department of Defense External Interoperability Plan - Version 1.0
The DoD Public Key Infrastructure (PKI) External Interoperability Plan (EIP) outlines the steps to be accomplished in order for External PKIs to be designated as approved for use with DoD relying parties. (PDF Download) Date: 08/20/2010 | Size: 1,984 KB
This memorandum establishes and implements policy, assigns responsibilities, and provides deadlines for enhancing the security of the SIPRNet by enabling DISA's SIPRNet networks and applications to use the SIPRNet token for authentication, digital signature, and encryption. (PDF Download) Size: 91 KB
DoD CIO Memo on Migration to Stronger Cryptographic Algorithms *PKI
This DoD CIO memo, dated 14 October 2010, directs all Combatant Command, Service and Agency (CC/S/A) CIOs to begin evaluation of their system portfolios in anticipation of the federal mandate to transition to using the SHA-256 hashing algorithm. (PDF Download) Date: 10/14/2010 | Size: 836 KB
DoD CIO SIPRNet PKI Cryptographic Logon and PKE of SIPRNet Applications and Web Servers *PKI
This memorandum outlines several key deadlines related to PK-enablement of SIPRNet including completing issuance of the SIPRNet token, configuring and enforcing cryptographic logon using the SIPRNet Token, and enabling SIPRNet applications and web servers to support cryptographic authentication. (PDF Download) Date: 10/14/2011 | Size: 104 KB
This document describes the functional interface to the Department of Defense (DoD) Public Key Infrastructure to support development of applications capable of interacting with the DoD PKI. (PDF Download) Date: 9/2010 | Size: 877 KB
 
DoDI 8520.02 is a re-release of DoDI 8520.2 that establishes the availability of the Coalition PKI for Combatant Commands (COCOMS), refers to the SIPRNET PKI that will be transitioned to operate under Committee for National Security Systems (CNSS) authority, provides specific guidance on issuance of alternate logon tokens (ALTs) to Flag-level officers or Senior Executives, and incorporates the DoD CIO "Approval of External PKIs" memorandum (circa July 2008) into the instruction. It also contains two other major changes. The first is that all policy related to authentication requirements has been moved to DoDI 8520.03. The second major change impacts pursuing waivers to DoDI 8520.02. Previously, Component CIOs had the authority to approve waivers to the instruction.
 
DoDI 8520.03 is a new instruction that requires that all authentications of users be conducted with an appropriate credential that is approved for use by a DoD authority and has been verified as active (not revoked) and not expired by the credential issuing authority. It defines four levels of data sensitivity granularity for sensitive but unclassified information, and three levels of data sensitivity granularity for Secret or Confidential information. It then provides specific requirements for authentication credentials based on these levels of sensitivity. Policy related to authentication requirements was previously found in DoDI 8520.2 which has been obsoleted by DoDI 8520.02. DoD Instruction 8520.03, Identity Authentication for Information Systems (Web Link)
The official DoD web site for DoD Issuances including Directives, Instructions and Memos. DOD Issuances (Link)
DoD Memorandum - Department of Defense Acceptance and Use of Personal Identity Verification-Interoperable (PIV-I) Credentials
This DoD Memorandum permits acceptance of PIV-I credentials for authentication and access when DoD relying parties, installation commanders, and facility coordinators determine that granting access is appropriate and the appropriate vetting requirements are met. (PDF Download) Date: 06/28/2012 | Size: 663 KB
DoD Memorandum - Department of Defense Requirements for Accepting Non-Federally Issued Identity Credentials
This DoD Memorandum provides Federal Government Guidance on acceptance and use of Non-Federal Issuer (NFI) identity credentials and specific DoD policies and practices for accepting credentials for logical access to DoD applications and websites. (PDF Download) Date: 03/04/2013 | Size: 2,465 KB
DoD Partner PKI Interoperability Test Plan - Version 2.0 *PKI
In addition to the requirements specified in the aforementioned documents, each intended external PKI must be tested and evaluated by JITC to prove it is technically interoperable prior to approval for use in DoD. This document provides the guidance and steps necessary to conduct Public Key Enabled interoperability testing of external partner Public Key Infrastructures (PKIs) with which the DoD desires to interoperate. This document focuses on usage of both the direct trust model and the cross certification trust model as the means of achieving interoperability. Results of all JITC Partner PKI testing are available on the JITC DoD PKI Interagency/Partner Interoperable Testing page at http://jitc.fhu.disa.mil/pki/pke_lab/partner_pki_testing/partner_pki_status.html (link). IDManagement.gov provides a one-stop shop for citizens, businesses, and government entities interested in identity management activities, including topics related to Homeland Security Presidential Directive 12 (HSPD-12); Federal Public Key Infrastructure (FPKI); Identity, Credential, and Access Management (ICAM); and Acquisitions. http://www.idmanagement.gov/ (link) (PDF Download) Date: 11/15/2010 | Size: 1,640 KB
This document contains the procedures DOD PKI LRA operations closing down must perform in order to comply with the requirements stated in the DOD RA/LRA SOP and the Reference RA/LRA CPS. (PDF Download) Date: 04/09/2015 | Size: 144 KB
 
This Certification Practice Statement (CPS) covers the operation of PKI Online Certificate Status Protocol (OCSP) Responders that are operated by the Defense Information Systems Agency (DISA) to provide DoD Enterprise-wide PKI certificate validation services. (PDF Download) Date: 02/11/2017 | Size: 878 KB
This memorandum from the DoD PKI Program Management Office provides additional clarification guidance for the DoD regarding CNSS Memo CNSS-014-2011: Approval of Continued Use of SC650 Token-Decision Memorandum, issued 17 Feb 2011. (PDF Download) Date: 3/28/2011 | Size: 1,338 KB
This document contains the procedures Service or Agency DOD PKI RA operations closing down must perform in order to comply with the requirements stated in the DOD RA SOP, the DOD PKI Reference RA CPS and the Service or Agency approved CPS. (PDF Download) Date: 04/09/2015 | Size: 147 KB
DoD PKI Registration Authority/Local Registration Authority Certification Practice Statement *PKI
 
This Certification Practice Statement (CPS) defines the practices, policies and procedures under which the DoD Registration Authorities (RAs) and Local Registration Authorities (LRAs) operate. It also specifies security, nomination and credential issuance procedures for Non-Person Entity (NPE) Verifying Officials (NVOs). (PDF Download) Date: 06/14/2017 | Size: 1.03 MB
 
This document contains the DoD Certification Practice Statement (CPS) for the Second Layer of Certification Authorities (CAs). (PDF Download) Date: 06/14/2017 | Size: 1.46 MB
DoD SHA-256 Assessment and Test Process *PKI
This document serves as the testing strategy document referenced in the Attachment to the DoD CIO Memo regarding DoD's Migration to Use of Stronger Cryptographic Algorithms, dated October 14 2010. It provides additional detail regarding how the evaluation efforts will be conducted and coordinated. (PDF Download) Date: 11/18/2010 | Size: 213 KB
 

 FAQs

 
Description
FAQ: "Configuration Not Supported" Message in Firefox While Downloading Certificates
This FAQ discusses a configuration error received by Registration Authorities (RAs) and end users while trying to download certificates in Firefox. (PDF Download) Date: 07/31/2015 | Size: 132 KB
FAQ: Blackberry I/O Error While Communicating with Proxy *PKI
This FAQ discusses causes and recommended resolution to I/O errors experienced by the BlackBerry Enterprise Server (BES) when trying to communicate with RCVS (http://ocsp.disa.mil). (PDF Download) Date: 07/31/2012 | Size: 124 KB
This FAQ discusses the issue of DoD certificates chaining improperly to cross-certificates or the Common Policy Root Certification Authority (CA), and provides steps to resolve the issue. (PDF Download) Date: 04/24/2013 | Size: 237 KB
This FAQ discusses common usage scenarios and handling requirements for group/role certificates. (PDF Download) Date: 07/31/2012 | Size: 132 KB
This FAQ discusses the enforcement of a password on the domain controller private key causing smart card logon errors. (PDF Download) Date: 07/31/2012 | Size: 158 KB
This FAQ provides troubleshooting tips and steps for the scenario in which the LRA application is not recognizing a USB printer. (PDF Download) Date: 07/31/2012 | Size: 171 KB
This FAQ addresses questions on several topics, including general PKI/PKE, DoD-specific PKI, interoperability, policy and implementation. (PDF Download) Size: 450 KB
This FAQ provides preliminary guidance on configuration of RA workstations on the Windows Vista and Windows 7 operating systems. (PDF Download) Date: 07/31/2012 | Size: 124 KB
FAQ: Smart Card Logon Fails Due to Certificates Missing from the NTAuth Store *PKI
This FAQ discusses an issue with the disablement of Windows Task Scheduler preventing proper certificate replication to the NTAuth store, causing smart card logon failure. (PDF Download) Date: 04/30/2012 | Size: 159 KB
This FAQ discusses common causes for logon issues with new CACs. Smart card logon typically fails with the message "Your credentials could not be verified." (PDF Download) Date: 07/31/2012 | Size: 170 KB
 

 Guides

 
Description
90meter Certificate Issuance Workstation (CIW) 1.0.17 RA Version Release Notes *PKI
These release notes detail new product features and changes for this release of 90meter Certificate Issuance Workstation (CIW) 1.0.17 RA Version. (PDF Download) Date: 10/31/2014 | Size: 572
This guide provides administration and configuration instructions for 90meter Certificate Issuance Workstation (CIW) 1.0.17 RA Version. (PDF Download) Date: 10/31/2014 | Size: 2,264 KB
This guide provides instructions for configuring 90meter middleware to exclusively accept SIPR- or NIPR-only hardware tokens. (PDF Download) Date: 09/02/2012 | Size: 395 KB
This guide provides instructions for configuring 90meter middleware to allow the user to publish their SIPR hardware certificates to the GAL. The default settings of this middleware do not allow this action to occur. (PDF Download) Date: 09/02/2012 | Size: 425 KB
ActivClient 7: Configuration Guide *PKI
The procedures in this document guide the reader in configuring the ActivClient 7 middleware for use on workstations/desktop systems and servers. (PDF Download) Date: 02/22/2013 | Size: 517 KB
ActivClient and Spyrus: Changing Smart Card PIN *PKI
This guide instructs users on how to change a valid Personal Identification Number (PIN) in ActivClient and Spyrus Middleware. (PDF Download) Date: 09/02/2012 | Size: 486 KB
This guide documents the steps to configure Adobe to leverage MS CAPI for verifying certificate trust and revocation when performing digital signature validation. (PDF Download) Date: 11/20/2013 | Size: 822 KB
Android (Dell): Good Mobile Control and End User S/MIME Configuration *PKI
This appendix to the Android 2.2 (Dell) STIG Technology Overview provides instructions for configuring S/MIME capabilities on Android devices using the Good Mobile Control solution. Both server-side and end user device configuration instructions are provided, including configuring the Good Mobile Control server for use with DoD PKI and S/MIME support, pairing the Dell Android device with a baiMobile 3000MP Bluetooth smart card reader and installing user certificates on the device. (PDF Download) Date: 11/23/2011 | Size: 280 KB
This guide provides instructions for PK-enabling Apache HTTP server on Linux using both NSS/mod_nss and OpenSSL/mod_ssl on both NIPRNet and SIPRNet. (PDF Download) Date: 07/09/2015 | Size: 847 KB
This guide provides instructions for PK-enabling Apache 2.4 HTTP server on Linux using both NSS/mod_nss and OpenSSL/mod_ssl on both NIPRNet and SIPRNet. (PDF Download) Date: 07/09/2015 | Size: 980 KB
Apple iOS: Good Mobile Control and End User S/MIME Configuration *PKI
This appendix to the Apple iOS 4 ISCG Technology Overview provides instructions for configuring S/MIME capabilities on iOS devices (including iPhone, iPad and iPod Touch) using the Good Mobile Control solution. Both server-side and end user device configuration instructions are provided, including configuring the Good Mobile Control server for use with DoD PKI and S/MIME support, pairing the iOS device with a baiMobile 3000MP Bluetooth smart card reader and installing user certificates on the device. (PDF Download) Date: 10/20/2011 | Size: 281 KB
This guide provides instructions for configuring Apple's email program (Mail.app) to use DoD PKI certificates for sending and receiving signed and/or encrypted email messages. (PDF Download) Date: 01/04/2013 | Size: 577 KB
This quick reference guide provides instructions on how to apply PK-enabling guidance developed for NIPRNet to SIPRNet systems and environments. (PDF Download) Date: 08/20/2012 | Size: 224 KB
Axway Desktop Validator 4.12 Workstation and Server Configuration *PKI
 
This guide provides instructions for configuring Axway Desktop Validator 4.12 according to DoD best practices. Configuration files for DoD, ECA, DoD Approved External CAs, and NSS and SIPRNET Legacy CAs are also available as separate downloads. The below configuration files have been prepared by the DoD PKE team to support high-volume servers operating in NIPRNet or SIPRNet environments. These files are intended for servers only. For workstation configuration information, please review the guidance in the Axway configuration guide.
BlackBerry Desktop Manager: Configuring OCSP and LDAP Servers *PKI
This guide provides instructions on adding and configuring Online Certificate Status Protocol (OCSP) and Lightweight Directory Access Protocol (LDAP) server URLs within the Certificate Synchronization Options of BlackBerry Desktop Manager. (PDF Download) Date: 7/2009 | Size: 263 KB
BlackBerry Enterprise Server: DoD Public Key Enabling for System Administrators *PKI
This guide defines the procedures for deploying the BlackBerry DoD Root Certification Authority (CA) application and provides BES administrators with step-by-step guidance on how to verify that the necessary software and drivers are installed, ensure that the correct certificate server settings have been configured on a device, pair a handheld device with a smart card reader, import CAC certificates to a device, and digitally sign/encrypt email. It also discusses how to deploy the BlackBerry Expired OCSP Certificate Remover to address digital signing and encryption issues. (PDF Download) Date: 1/2013 | Size: 1,978 KB
BlackBerry: Associating a Secondary Email Address to a Certificate *PKI
This guide provides instructions for sending an encrypted email to a recipient at an email address that does not match the email address in their public certificate. (PDF Download) Date: 08/06/2012 | Size: 231 KB
BlackBerry: Certificate Fetching Troubleshooting *PKI
This guide provides troubleshooting steps for instances when BlackBerry devices cannot automatically fetch public certificates for sending encrypted emails. (PDF Download) Date: 08/06/2012 | Size: 233 KB
BlackBerry: Deleting Expired OCSP Certificates *PKI
This guide provides instructions for manually removing expired OCSP certificates whose presence will prevent revocation checking from completing successfully. (PDF Download) Date: 04/02/2015 | Size: 357
BlackBerry: Importing Smart Card Certificates *PKI
This guide provides instructions on importing smart card certificates to a BlackBerry handheld device using a smart card reader, allowing for secure email signing/encrypting and application authentication using the CAC certificates. (PDF Download) Date: 08/07/2012 | Size: 192 KB
 

 Infrastructure Documentation

 
Description
The documentation included in this zip file contains administration and configuration instructions for 90meter Certificate Issuance Workstation - Batch (CIW-B) v1.0.21.11 as well as troubleshooting and maintenance FAQs. (ZIP Download) Size: 9,260 KB
DoD NSS PKI Token Supported Workstation Configuration Guidance v1.3 *PKI
The NSS PKI Token PMO Confirmed Supported Configurations guide provides recommended workstation configurations for the National Security Systems (NSS) PKI tokens within the DoD computing environment. (PDF Download) Date: 09/16/2014 | Size: 653 KB
NSS PKI Token Handling Best Practices Guide *PKI
The National Security Systems (NSS) Public Key Infrastructure (PKI) Token Handling Best Practices Guide includes best practices related to the usage and storage of NSS PKI tokens. (PDF Download) Date: 08/13/2014 | Size: 249 KB
NSS PKI Token Troubleshooting Procedures Guide *PKI
The NSS PKI Token Troubleshooting Procedures Guide provides steps for troubleshooting and analysis of NSS PKI tokens as well as the NSS Token Troubleshooting Form. (PDF Download) Date: 11/25/2014 | Size: 527 KB
 

 Newsletters

 
Description
This newsletter includes topics such as "Authentication vs Content Inspection", "PKE for Mac", "Bouncy Castle, Spongy Castle, and Android", "It's Time to Update Your Trust Stores!", and "Choosing the Right Data for Certificate Mapping". (PDF Download) Date: 04/2013 | Size: 1,563 KB
This newsletter includes topics such as "Smart Phones Need Smart Security", "Combined Endeavor", "Risks of Software Certificates", and "Alternate Revocation Checking Options". (PDF Download) Date: 11/2012 | Size: 1,313 KB
This newsletter includes topics such as "PIV-I: A Primer", "Evaluating Thin Clients for SIPRNet", "New Rich Revocation Checking Capabilities for Weblogic Server", and "Wireless Update". (PDF Download) Date: 08/2012 | Size: 1,408 KB
This newsletter includes topics such as "New PKE Tools Roundup", "Working Toward a More Streamlined CAC", "New DOD-Approved External PKIs", and "Thin Client SIPRNet Token Support". (PDF Download) Date: 03/2012 | Size: 2,024 KB
This newsletter includes topics such as "New SIPRNet PK-Enablement Deadlines", "Cross-Certificate Chaining Issue Recap", "Time to Update Your Trust Store!", "Combined Endeavor 2011", "Updated 90meter Evaluation and Distribution Process" and "Testing Thin Client Support for the SIPRNet Token". (PDF Download) Date: 01/2012 | Size: 1,079 KB
This newsletter includes topics such as "New DoD Authentication Policy", "JPAS Transitioning to Certificate-Based Authentication", "Federal Bridge 2.0", "SIPRNet RCVS DTM Migration", "Air Force Offline Certificate Request Tool", and "DoD PKE Web Site Refresh". (PDF Download) Date: 09/2011 | Size: 2,538 KB
This newsletter includes topics such as "DoD's Migration to SHA-256", "Ensuring Security and Interoperability with DoD Partners: 2048-bit RSA Certificates", "Security Awareness", "Wireless Update", and "OCSP Trust Models". (PDF Download) Date: 04/2011 | Size: 1,655 KB
This newsletter includes topics such as "Enforcing Certificate Assurance Levels for Secure Interoperability," "Missing Encryption Certificates in Outlook 2007," "Wireless Update," "InstallRoot Overview" and "DoD PKI Test Certificates." (PDF Download) Date: 12/2010 | Size: 2,274 KB
This newsletter includes topics such as "Authentication is having an Identity Crisis," "PKE Support for External PKIs," "Smartphones Need Smart Security," "Mobile Code Signing Certificates," "When a Good Card Goes Bad," and "ActivClient and Remote Desktop Protocol." (PDF Download) Date: 7/2010 | Size: 842 KB
This newsletter includes topics such as "Why isn't my favorite touch screen device part of a DOD approved unclassified mobile messaging solution?," "New SECRET level PKI for the DOD and our Federal Partners," "Coalition PKI," "The DoD External Certification Authority (ECA) Program," and "The Combined Endeavor Experience." (PDF Download) Date: 3/2010 | Size: 537 KB
This newsletter includes topics such as "SIPRNET Hardware Token Pilot Begins," "The Non-Person Entity (NPE) Initiative," "Using CRLAutoCache to Locally Cache CRLs," and "Using Your BlackBerry: How to Send and Receive Secure Email." (PDF Download) Date: 12/2009 | Size: 459 KB
PKE Post: Summer 2016 *PKI
This newsletter includes topics such as "DoD's Migration to SHA-256", "Initial Findings from Software Certificate Testing at DISA", and "InstallRoot 5.0: A Whole New InstallRoot". (PDF Download) Date: 07/27/2016 | Size: 1,478 KB
 

 Slick Sheets & White Papers

 
Description
This slick sheet provides an overview of the DoD Alternate Logon Token (ALT) including what it is used for, why it is needed, who is eligible for one and how to obtain it. (PDF Download) Date: 05/20/2014 | Size: 246 KB
This slick sheet provides an overview of the X.509 PKI certificates on the Common Access Card (CAC). (PDF Download) Date: 10/09/2012 | Size: 617 KB
This slick sheet provides an overview of the logical interfaces of the DoD Common Access Card. (PDF Download) Date: 10/09/2012 | Size: 313 KB
This slick sheet provides an overview of certificate revocation checking, including methods and implementation best practices. (PDF Download) Date: 10/09/2012 | Size: 333 KB
Commercial Mobile Devices PKI Capabilities Assessment *PKI
This document provides an overview of observed PKI capabilities on BlackBerry, iOS and Android mobile platforms as of June 2011, addressing support for authentication and Secure/Multi-purpose Internet Mail Extensions (S/MIME) capabilities. Configurability of PKI-related functions is also discussed. (PDF Download) Date: 10/12/2012 | Size: 347 KB
This white paper discusses various interoperability trust models (direct trust, direct cross certification, and cross certification with a bridge), describes the steps necessary to accept external PKI certificates, identifies the risks associated with accepting external PKI certificates, and provides best practices for achieving interoperability. (PDF Download) Date: 2/2009 | Size: 476 KB
This slick sheet provides an overview of DoD PKI resources for end users, system administrators, PKI sponsors, RAs, LRAs, and KRAs. (PDF Download) Date: 02/28/2014 | Size: 401 KB
Interfacing with DoD Partners *PKI
This slick sheet discusses solutions to common issues DoD partners may experience in communicating via email with DoD personnel and accessing DoD web sites. (PDF Download) Date: 10/12/2012 | Size: 243 KB
This slick sheet contains information about the test materials available to support NIPRNet PK-enablement and how to obtain them. (PDF Download) Date: 08/19/2013 | Size: 224 KB
This slick sheet provides information on the Pass-the-Hash (PtH) attack and steps that can be taken to mitigate the risks of being compromised. (PDF Download) Date: 01/30/2014 | Size: 301 KB
This slick sheet provides a checklist of common steps necessary to PK-enable applications. (PDF Download) Date: 10/12/2012 | Size: 409 KB
This FAQ discusses steps for secure handling of P12/PFX files. (PDF Download) Date: 10/12/2012 | Size: 266 KB
This slick sheet provides an overview of the capabilities provided by the Robust Certificate Validation Services (RCVS). (PDF Download) Date: 03/26/2014 | Size: 453 KB
Secure Email in DoD *PKI
This slick sheet provides an overview of how and when to use PKI capabilities (digital signature and encryption) for email. (PDF Download) Date: 03/15/2013 | Size: 312 KB
This slick sheet provides an overview of the SIPR hardware token and addresses frequently asked questions about its distribution and use. (PDF Download) Date: 10/15/2013 | Size: 551 KB
This slick sheet contains information about the test materials available to support SIPRNet PK-enablement and how to obtain them. (PDF Download) Date: 08/15/2012 | Size: 205 KB
This white paper discusses the approach to implementing revocation checking in various limited and unique network environments. (PDF Download) Date: 08/07/2013 | Size: 944 KB
The DoD and SHA-256 *PKI
This slick sheet provides some helpful facts about the DoD and SHA-256. (PDF Download) Date: 01/02/2014 | Size: 329 KB
This slick sheet discusses general configuration considerations for OCSP clients. It also describes the different trust models that OCSP responder infrastructures can employ, their configuration implications, and which are in use in the DoD today. (PDF Download) Date: 10/12/2012 | Size: 505 KB
This slick sheet provides an overview of the Trust Anchor Constraints Tool (TACT). TACT is a set of web server plug-ins and management applications that facilitates interoperability, enhances security and enables DoDI 8520.02 and 8520.03 compliance for web servers using TLS to authenticate DoD and DoD-approved external partners. (PDF Download) Date: 08/15/2012 | Size: 312 KB
This document addresses frequently asked questions regarding how and where commercial PKI certificates may be used within the DoD. (PDF Download) Date: 10/09/2018 | Size: 139 KB
This slick sheet provides an overview of how PKI technology can be used within WLANs. (PDF Download) Date: 10/12/2012 | Size: 795 KB
Using Your BlackBerry with a First-Generation Smart Card Reader *PKI
This slick sheet describes how to pair a BlackBerry device with a first-generation smart card reader to digitally sign and encrypt email using your CAC certificates. (PDF Download) Date: 10/12/2012 | Size: 396 KB
Using Your BlackBerry with a Second-Generation Smart Card Reader *PKI
This slick sheet describes how to pair a BlackBerry device with a second-generation smart card reader to digitally sign and encrypt email using your CAC certificates. (PDF Download) Date: 10/12/2012 | Size: 394 KB
This white paper discusses methods for improving the efficiency of the revocation checking portion of the certificate validation process. (PDF Download) Date: 10/2012 | Size: 309 KB
Why is my BlackBerry not working? *PKI
This slick sheet discusses common BlackBerry email error messages, their causes and resolutions. (PDF Download) Date: 08/15/2012 | Size: 277 KB
Working with External PKIs - Version 5.5
This slick sheet provides an overview of the Federal PKI/Federal Bridge and discusses the usage of External PKIs within the DoD. (PDF Download) Date: 06/09/2016 | Size: 376 KB
 

 Tools

 
Description
90meter Certificate Issuance Workstation (CIW) 1.0.17 RA Version *Downloads available on SIPRNet URL Only
This zip file contains software and documentation for 90meter Certificate Issuance Workstation (CIW) 1.0.17 RA Version, including full install and upgrade files, an upgrade README, administration guide, release notes, and ADM/ADMX templates for policy settings. (Downloads available on SIPRNet URL http://iase.rel.disa.smil.mil/pki-pke/landing_pages/rlts.html)
90meter Smart Card Manager (SCM) and Certificate Issuance Workstation (CIW)
DoD personnel who use 90meter Smart Card Manager (SCM) and Certificate Issuance Workstation (CIW) products on DoD networks must have a valid licensing agreement with 90meter. Due to licensing agreements, DoD cannot provide 90meter software on the IASE website. Users may acquire DoD-approved 90meter products and documentation directly from sales1@90meter.com.
BlackBerry Expired OCSP Certificate Remover *PKI
This tool removes expired OCSP signing certificates from BlackBerry devices to prevent digital signature and encryption problems. (ZIP Download) Size: 66 KB
This tool gives administrators several methods for detecting and managing user certificates published to the Microsoft Exchange GAL that are nearing expiration or have already expired. (ZIP Download) Size: 5.6 MB
CRLAutoCache 4.2: Windows Installers *PKI
This tool provides administrators with a flexible solution to create local enclave CRL caches by downloading and publishing CRLs to local LDAP directory servers, web servers, and network file shares. The following Operating Systems are supported (both 32- and 64-bit): Windows XP, Windows Vista, Windows 7, Windows 8.x, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.
CRLAutoCache for Linux 2.05 - SIPRNet *PKI
The CRLAutoCache for Linux utility provides the capability to download DoD and other certificate revocation lists (CRLs) to a local cache on a Linux machine. The tool also has the ability to process downloaded CRLs for use with OpenSSL-based products, such as Apache web server configured with mod_ssl, and Mozilla Network Security Services (NSS). CRLAutoCache for Linux can be scheduled to periodically download CRLs to a local cache automatically. The SIPRNet version of the tool retrieves the NSS PKI and legacy DoD SIPRNet PKI CRLs by default. (Downloads available on SIPRNet Only - URL http://iase.rel.disa.smil.mil/pki-pke/function_pages/tools.html)
CRLAutoCache for Linux 2.06 - NIPRNet *PKI
The CRLAutoCache for Linux utility provides the capability to download DoD and other certificate revocation lists (CRLs) to a local cache on a Linux machine. The tool also has the ability to process downloaded CRLs for use with OpenSSL-based products, such as Apache web server configured with mod_ssl, and Mozilla Network Security Services (NSS). CRLAutoCache for Linux can be scheduled to periodically download CRLs to a local cache automatically. The NIPRNet version of the tool retrieves the DoD PKI NIPRNet CRLs by default. (TAR.GZ Download).
Date: March 2 2018. Size: 10 KB
SHA256 Hash of the file is be852ce21bf8b47df6c10d101d1bc89b62cfa44bf786e185151d67eaaae7d229
DoD Approved Assurance Levels from External Partner PKIs *PKI
This file provides a listing of all DoD-approved assurance levels from approved partner PKIs. Assurance levels are represented by Certificate Policy Object Identifiers (OIDs), which are asserted in the Certificate Policies X.509 certificate extension. DoD relying party applications can only accept certificates with OIDs that map to FBCA medium hardware assurance level or higher (includes PIV and PIV-I OIDs). (TXT Download) Date: 3/5/2018 | Size: 12 KB
Domain Controller Certificate Request Generation
 
This script can be used to generate domain controller certificate requests. The script generates a PKCS10 request and displays the domain controller GUID information.
  • NIPR Download *PKI - (ZIP Download) Size: 11 KB
  • SIPR Download *Downloads available on SIPRNet URL Only - (ZIP Download) Size: 9 KB
    (Download available on SIPRNet URL http://iase.rel.disa.smil.mil/pki-pke/landing_pages/siprnet_pki.html)
FBCA Cross-Certificate Remover 1.15
 
This tool removes certificates which cause the cross-certificate chaining issue for DoD (and optionally ECA) users from Microsoft Local Computer and User Certificate stores. The following Operating Systems are supported: Windows Server 2003, Windows Server 2003R2, Windows Server 2008, Windows Server 2008R2, Windows Server 2012, Windows Server 2012R2, Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, and Windows 10. (ZIP Download) Size: 49 KB
InstallRoot 5.2: NIPR Windows Installer
This tool allows users to install DoD production PKI, Joint Interoperability Test Command (JITC) test PKI, and External Certification Authority (ECA) CA certificates into their Windows and Firefox certificate stores. InstallRoot 5.1 is packaged with a command line version as well as an InstallRoot service, which can check for updated Trust Anchor Management Protocol (TAMP) messages that contain the latest certificate information from DoD. The following operating systems are supported: Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2.
InstallRoot 5.2: SIPR Windows Installer *Downloads available on SIPRNet URL Only
This tool allows users to install the National Security Systems (NSS) PKI root, intermediate and subordinate CA certificates into their Windows and Firefox certificate stores. InstallRoot 5.2 is packaged with a command line version as well as an InstallRoot service, which can check for updated Trust Anchor Management Protocol (TAMP) messages that contain the latest certificate information from DoD. The following operating systems are supported: Windows XP, Vista, Windows 7, Windows 8 and 8.1, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. This version should only be run on machines connected to Secret networks, and is only available from the DoD PKE SIPRNET site.
MailCrypt 3.1 Windows Installers *PKI
This tool performs bulk decryption and re-encryption of Microsoft Outlook message stores, giving users the ability to update old encrypted email to be accessible using a new CAC. The following Operating Systems are supported: Windows Vista, 7, and 8.x. 64-bit support requires a 64-bit version of Microsoft Office. If you are running a 64-bit version of Windows with a 32-bit installation of Microsoft Office, the 32-bit installer is required; otherwise please select the installer that matches your Windows installation.
This script facilitates population of trusted Certification Authority (CA) certificates in an NSS database on Linux operating systems. The script extracts all certificates from a specified PKCS#7 file, converts them to PEM format as necessary, then loads them into a specified NSS database. (ZIP Download) Size: 2 KB
This script facilitates population of trusted Certification Authority (CA) certificates in an NSS database on Windows operating systems. The script extracts all certificates from a specified PKCS#7 file, converts them to PEM format as necessary, then loads them into a specified NSS database. (ZIP Download) Size: 2 KB
Online Certificate Status Protocol (OCSP) Test Suite *PKI
The OCSP Test Suite is designed to facilitate testing commonly used features and standards compliance of OCSP clients. This installer is used to install test artifacts and, optionally, test responders. The test artifacts include trust anchors, CA certificates, end entity certificate, CRLs, and PKCS12 files. (MSI Download) Date: 11/10/2014 | Size: 5,616 KB
Online Certificate Status Protocol (OCSP) Test Utilities *PKI
The OCSP Test Utilities facilitate using the OCSP Test Suite with OCSP clients integrated with Microsoft CAPI. This installer includes two utilities: CapiRevStatusTest and CapiRevStatusTestCleaner. CapiRevStatusTest initiates a certificate validation action through Microsoft CAPI and CapiRevStatusTestCleaner is used to "clean up" test artifacts after the CapiRevStatusTest utility has been executed. (MSI Download) Date: 11/10/2014 | Size: 944 KB
The DoD PKE Password Hash Refresh script can be used to periodically change passwords (and by extension, their associated hashes) for smart card-enforced accounts within specific OU containers and Groups in Microsoft Active Directory (AD). (ZIP Download) Size: 2 KB
PKI CA Certificate Bundles: PKCS#7
These zip files contain three PKCS#7 files that contain all the Certification Authority (CA) certificates for the specified PKI in different formats. One PKCS#7 file contains the certificates in DER format, another in PEM, and the last also in PEM but with a signature applied to the PKCS#7 file. Instructions for verifying the integrity of all three files using OpenSSL are included in the README.
PKI Interoperability Test Tool (PITT): 2.0.6 Linux Installer *PKI
The PKI Interoperability Test Tool version 2 (PITTv2) is a utility intended to assist with evaluating interoperability alternatives to establish trust with prospective partner PKIs and to troubleshoot certification path processing problems. The following operating systems are supported: Red Hat Enterprise Linux 5.x and 6.x.
 

 Training

 
Description
DoD PKI Basic Overview v5.5 *PKI
This training module provides an overview of basic PKI concepts and the DoD PKI.

DoD PKI End User Training
This training presents separate PKI Overview and Using PKI Certificates courses, each with its own course completion certificate. Upon completing the PKI Overview course, Department of Defense (DoD) information systems users will be able to identify what PKI is and why it is important to the DoD, as well as which pieces of Congressional legislation, Federal policy, and DoD guidance mandate the use of PKI. This presentation identifies the different components of PKI and how they are implemented in the DoD. When DoD information system users have completed the Using PKI Certificates course, they will understand how to safely and securely authenticate their identity to access DoD unclassified networks using the PKI certificates contained on their Common Access Card or Alternate Token. (Link)

DoD RA KRA Training v2 *PKI
This training module provides instruction on certificate issuance, revocation, suspension and restoration processes and the duties of a Registration Authority (RA) on both NIPRNet and SIPRNet. It also provides instruction on key recovery processes and the duties of a Key Recovery Agent (KRA) on both NIPRNet and SIPRNet. (PDF Download) Date: 09/15/2016 | Size: 19,774 KB
KRA Training for NSS and DoD PKI v5.2.0 *PKI
This training module provides instruction on key recovery processes and the duties of a Key Recovery Agent (KRA) on both NIPRNet and SIPRNet. (PDF Download) Date: 3/26/2015 | Size: 6,646 KB
LRA Training for NSS and DoD PKI v5.2.0 *PKI
This training module provides instruction on certificate issuance processes and the duties of a Local Registration Authority (LRA) on both NIPRNet and SIPRNet. (PDF Download) Date: 03/26/2015 | Size: 14,934 KB
NSS LRA RA KRA Training v2 *PKI
This training module provides instruction on certificate issuance, revocation, suspension and restoration processes and the duties of a Registration Authority (RA) on both NIPRNet and SIPRNet. It also provides instruction on certificate issuance processes and the duties of a Local Registration Authority (LRA) on both NIPRNet and SIPRNet as well as the key recovery processes and the duties of a Key Recovery Agent (KRA) on both NIPRNet and SIPRNet. (PDF Download) Date: 09/15/2016 | Size: 19,594 KB
This training module provides an overview of the general responsibilities and PKI responsibilities of privileged users. Privileged User IA Responsibilities (Link)
RA Training for NSS and DoD PKI v5.2.0 *PKI
This training module provides instruction on certificate issuance, revocation, suspension and restoration processes and the duties of a Registration Authority (RA) on both NIPRNet and SIPRNet. (PDF Download) Date: 03/26/2015 | Size: 18,751 KB
Token Management System (TMS) Training *PKI
This training is for TMS users who want information on how to use the TMS Release 5/6. These topics include Inventory, Group Update, Rekey, and Advance Reporting System.
 

 Videos

 
Description
(WMV Download) Size: 18,704 KB
(WMV Download) Size: 24,655 KB