Public Key Infrastructure (PKI) is a framework established to issue, maintain, and revoke public key certificates, including systems, processes and people. Public key certificates provide digital signature and encryption capabilities, which can be used to implement the following security services:
- Identification and Authentication: PKI provides for identification and authentication through digital signature. If the signature is valid, then the Relying Party (the person or system relying on the presented certificate for authentication or other security services) has assurance that the entity participating in the transaction is the Subscriber (the identity asserted by the certificate).
- Data Integrity: PKI provides for data integrity through digital signature of information. If the recipient of digitally signed information is able to verify the signature on the information using the public key of the certificate used to generate the signature, then the recipient knows that the content has not changed since it was signed.
- Confidentiality: PKI provides confidentiality through encryption. If the public key in a certificate is used to encrypt information, only the associated private key, held (and kept secret) by the entity named in the certificate, can decrypt that information.
- Technical Non-Repudiation: PKI assists with technical non-repudiation through digital signatures. Technical non-repudiation can be considered a form of attribution, namely that the digitally signed information can be attributed to the entity identified in the certificate used to generate the signature.
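The four services listed above, exercised end to end in an added example (illustrative code written for this page, not code from the page or from any DoD system). It assumes ECDSA P-256 for signatures and RSA-OAEP for encryption; the message and every key pair are constructed for the demonstration, whereas a Relying Party would take the public keys from validated certificates rather than from local variables.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// ServiceResults records what a Relying Party learns from each check.
type ServiceResults struct {
	SignatureValid    bool // authentication + integrity: untouched data, Subscriber's key -> true
	TamperedValid     bool // integrity: one byte changed after signing -> must be false
	WrongKeyValid     bool // authentication: verified with another party's key -> must be false
	DecryptedMatches  bool // confidentiality: holder of the private key recovers the plaintext -> true
	OtherKeyDecrypted bool // confidentiality: any other private key fails -> must be false
}

// Sign produces an ECDSA signature over the SHA-256 digest of msg (the Subscriber's act).
func Sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify checks sig over msg with the public key taken from the presented certificate.
func Verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// EncryptFor wraps msg with RSA-OAEP so that only the matching private key can open it.
func EncryptFor(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// DecryptWith recovers the plaintext with the recipient's private key.
func DecryptWith(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// RunServicesDemo exercises the four services with freshly generated (constructed) keys.
func RunServicesDemo() (ServiceResults, error) {
	var r ServiceResults
	subscriber, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return r, err
	}
	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return r, err
	}
	msg := []byte("constructed sample: approve purchase request 1234") // not real data
	sig, err := Sign(subscriber, msg)
	if err != nil {
		return r, err
	}
	r.SignatureValid = Verify(&subscriber.PublicKey, msg, sig)
	tampered := append([]byte{}, msg...)
	tampered[len(tampered)-1] = '5' // 1234 becomes 1235 after signing
	r.TamperedValid = Verify(&subscriber.PublicKey, tampered, sig)
	r.WrongKeyValid = Verify(&other.PublicKey, msg, sig)

	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return r, err
	}
	stranger, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return r, err
	}
	ct, err := EncryptFor(&recipient.PublicKey, msg)
	if err != nil {
		return r, err
	}
	pt, err := DecryptWith(recipient, ct)
	r.DecryptedMatches = err == nil && bytes.Equal(pt, msg)
	_, err = DecryptWith(stranger, ct) // wrong private key: OAEP decoding fails
	r.OtherKeyDecrypted = err == nil
	return r, nil
}

func main() {
	r, err := RunServicesDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The negative cases carry the lesson: a single changed byte, a verifier holding someone else's public key, or a decryptor with a different private key all fail, which is exactly the behaviour each service above relies on. Technical non-repudiation follows from the same signature check, since only the holder of the Subscriber's private key could have produced a signature that verifies under that certificate's public key.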
The DoD issues certificates to people and non-person entities (e.g., web servers, network devices, routers, applications) to support DoD missions and business operations. On the Sensitive but Unclassified Internet Protocol Network (NIPRNet), the DoD PKI is a hierarchical system with a Root Certification Authority (CA) at the top of the hierarchy, and a number of issuing CAs that support scalability and provide disaster recovery capabilities. This PKI issues certificates on Common Access Cards (CACs) as well as software certificates to support application needs.
On the Secret Internet Protocol Network (SIPRNet), the DoD operates CAs under the National Security System (NSS) PKI Root CA, which supports all federal agencies that have users or systems on secret networks. The NSS PKI issues certificates on the SIPRNet hardware token as well as software certificates to support application needs. The DoD also continues to operate DoD legacy SIPRNet PKI issuing CAs under the DoD Root CA during a transition period while full functionality is implemented by the NSS PKI.
The DoD PKI and the DoD portion of the NSS PKI are centralized infrastructures for the management of keys and certificates throughout their lifecycle (issuance through certificate revocation or expiration). These infrastructures support directory services that provide CA certificates, certificate revocation information, and user encryption certificates.
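The hierarchy (a Root CA above issuing CAs) and the revocation information that the directory services publish, as an added example that is not code from the page or from the DoD PKI: it builds a constructed Root CA, one issuing CA and one Subscriber certificate with Go's standard crypto/x509, has the issuing CA publish a CRL, and performs the Relying Party check. The CA names, serial numbers and validity periods are assumptions; the revoked serials are whatever the caller passes to PublishCRL.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy is a constructed two-tier PKI plus the issuing CA's current CRL (DER),
// standing in for what a directory service would publish to Relying Parties.
type Hierarchy struct {
	Root, Issuer, Leaf *x509.Certificate
	issuerKey          *ecdsa.PrivateKey
	CRL                []byte
}

// certTemplate builds a template; CAs may sign certificates and CRLs, while an
// end-entity certificate gets only the client-authentication usage used for logon.
func certTemplate(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), // assumed values, not real DoD serials
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	return t
}

// issue generates a fresh P-256 key for the subject and has signer sign the
// template; a nil signer makes the certificate self-signed (the Root CA case).
func issue(tpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildHierarchy creates Root CA -> issuing CA -> Subscriber and publishes an empty CRL.
func BuildHierarchy(rootCN string) (*Hierarchy, error) {
	rootTpl := certTemplate(rootCN, 1, true)
	root, rootKey, err := issue(rootTpl, rootTpl, nil)
	if err != nil {
		return nil, err
	}
	issuer, issuerKey, err := issue(certTemplate("Example Issuing CA 1", 2, true), root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue(certTemplate("Example Subscriber", 1001, false), issuer, issuerKey)
	if err != nil {
		return nil, err
	}
	h := &Hierarchy{Root: root, Issuer: issuer, Leaf: leaf, issuerKey: issuerKey}
	return h, h.PublishCRL()
}

// PublishCRL re-issues the issuing CA's CRL listing the given serials as revoked.
func (h *Hierarchy) PublishCRL(revoked ...*big.Int) error {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:              big.NewInt(time.Now().UnixNano()),
		ThisUpdate:          time.Now().Add(-time.Minute),
		NextUpdate:          time.Now().Add(24 * time.Hour),
		RevokedCertificates: entries,
	}, h.Issuer, h.issuerKey)
	h.CRL = der
	return err
}

// Validate is the Relying Party's check: chain to the trusted Root CA with the
// client-authentication usage, then require an authentic, fresh CRL that does
// not list the certificate's serial.
func (h *Hierarchy) Validate(cert *x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(h.Root)
	inter.AddCert(h.Issuer)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	crl, err := x509.ParseRevocationList(h.CRL)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(h.Issuer); err != nil {
		return fmt.Errorf("CRL not signed by the issuing CA: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("CRL stale since %s; do not rely on it", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s is revoked", cert.SerialNumber)
		}
	}
	return nil
}
```

Validate refuses a certificate on any of four grounds: no chain to the trusted root, a missing client-authentication usage, a CRL that is not signed by the issuing CA or is past its NextUpdate, or a serial listed on the CRL. Treating a stale CRL as a failure rather than a pass is the point most often missed; the in-memory CRL here stands in for the LDAP or HTTP distribution point a directory service would serve.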
DoD-Approved External PKIs
Current policy requires that all federal agencies issue Personal Identity Verification (PIV) cards to their employees and affiliates. Some of DoD’s industry partners have implemented internal PKIs, and others have obtained certificates from commercial PKIs. In addition, some of DoD’s international allied and coalition partners have established PKIs to issue certificates to their personnel. As a result, the DoD has implemented an external interoperability strategy for leveraging certificates issued by external PKIs that meet DoD’s requirements to support secure information sharing with external partners.
On the NIPRNet, DoD-approved external PKIs include the following (for a full list of approved PKIs, see the Interoperability page):
- DoD-sponsored External Certification Authority (ECA)
- Federal agency PIV certificate issuers
- Commercial PKIs that have been certified by the Federal PKI Policy Authority as meeting its Medium Hardware requirements, that have been tested for interoperability by the DoD Joint Interoperability Test Command (JITC), and whose operating organizations have signed Memoranda of Agreement (MOAs) with the DoD
- Other partner PKIs, such as Combined Communications Electronics Board (CCEB) member nation PKIs, that have been specifically approved by the DoD
On the SIPRNet, DoD-approved external PKIs include the following:
- Federal agency CAs that are operated under the NSS PKI Root CA as part of the NSS PKI
- Other partner PKIs, such as CCEB member nation PKIs, that have been specifically approved by the DoD for interoperability on secret level networks
Public Key Enablement (PKE) is the process of ensuring that applications can use certificates issued by the DoD PKI, the NSS PKI, or DoD-approved external PKIs to support identification and authentication, data integrity, confidentiality and/or technical non-repudiation. Common use cases include enabling:
- Smart card logon to DoD networks and certificate-based authentication to systems
- Secure connections (SSL/TLS) to DoD servers
- Digital signature and encryption of emails from desktop, web, and mobile clients
- Digital signature of forms
DoD Instruction 8520.02, Public Key Infrastructure (PKI) and Public Key (PK) Enabling, provides the overarching policy requirements for the implementation and use of PKI for the DoD, including processes for approving external PKIs. Requirements for using PKI for authentication when accessing DoD resources can be found in DoD Instruction 8520.03, Identity Authentication for Information Systems. More specific guidance on requirements for the operation of the DoD PKI is described in the United States Department of Defense X.509 Certificate Policy.
The DoD PKI also addresses a number of policies external to the DoD. For unclassified systems on the NIPRNet, CACs are issued in accordance with Homeland Security Presidential Directive (HSPD) 12 and Federal Information Processing Standard (FIPS) 201, which is published by the National Institute of Standards and Technology (NIST).
For SIPRNet systems, specific requirements for the implementation and use of PKI can be found in Committee on National Security Systems (CNSS) Policy 28, National Policy for Public Key Infrastructure in National Security Systems; CNSS Directive 506, National Directive to Implement Public Key Infrastructure for the Protection of Systems Operating on Secret Level Networks; and CNSS Instruction 1300, National Instruction on Public Key Infrastructure X.509 Certificate Policy Under CNSS Policy No. 25.
More information on PKI-related policies can be found on the Policies page.