
SIPRNet PKI

*PKI = DoD PKI Certificate Required
 

 DoD & Federal

 
Description
This memorandum deems the SafeNet Model SC650 smart card tokens "acceptable for use" on the NSS PKI SECRET-high network under the NSS Root CA and provides operational guidance for the use and proper handling of the SIPR token. (PDF Download) Date: 02/17/2011 | Size: 1,953 KB
The Committee on National Security Systems Instruction (CNSSI) No. 1300, "Instruction for National Security Systems (NSS) Public Key Infrastructure (PKI) X.509 Certificate Policy, Under CNSS Policy No. 25," states the requirements for issuing and managing certificates that Relying Parties can use in making decisions regarding what assurance they can place in a certificate issued by a NSS PKI CA. (LINK to PDF Download)
This memorandum establishes and implements policy, assigns responsibilities, and provides deadlines for enhancing the security of the SIPRNet by enabling DISA's SIPRNet networks and applications to use the SIPRNet token for authentication, digital signature, and encryption. (PDF Download) 91 KB
DoD CIO SIPRNet PKI Cryptographic Logon and PKE of SIPRNet Applications and Web Servers *PKI
This memorandum outlines several key deadlines related to PK-enablement of SIPRNet including completing issuance of the SIPRNet token, configuring and enforcing cryptographic logon using the SIPRNet Token, and enabling SIPRNet applications and web servers to support cryptographic authentication. (PDF Download) Date: 10/14/2011 | Size: 104 KB
This Certification Practice Statement (CPS) covers the operation of PKI Online Certificate Status Protocol (OCSP) Responders that are operated by the Defense Information Systems Agency (DISA) to provide DoD Enterprise-wide PKI certificate validation services. (PDF Download) Date: 02/14/2011 | Size: 947 KB
This memorandum from the DoD PKI Program Management Office provides additional clarification guidance for the DoD regarding CNSS Memo CNSS-014-2011: Approval of Continued Use of SC650 Token-Decision Memorandum, issued 17 Feb 2011. (PDF Download) Date: 3/28/2011 | Size: 1,338 KB
DoD PKI Registration Authority/Local Registration Authority Certification Practice Statement *PKI
This Certification Practice Statement (CPS) defines the practices, policies and procedures under which the DoD Registration Authorities (RAs) and Local Registration Authorities (LRAs) operate. It also specifies security, nomination and credential issuance procedures for Non-Person Entity (NPE) Verifying Officials (NVOs). (PDF Download) Date: 05/20/2015 | Size: 1,018 KB
This document contains the DoD Certification Practice Statement (CPS) for the Second Layer of Certification Authorities (CAs). (PDF Download) Date: 04/24/2013 | Size: 1,386 KB
This memorandum provides an extension for CCEB nations to implement classified domain PKI and outlines current progress reporting requirements. (PDF Download) Date: 05/19/2014 | Size: 49 KB
NSS PKI DoD and CSP Subordinate Certification Authority System Certification Practice Statement *PKI
This document defines the practices and procedures under which the United States (US) Department of Defense (DoD) National Security Systems (NSS) Public Key Infrastructure (PKI) Subordinate Certification Authority Systems (CAS) operates. (PDF Download) Date: 12/18/2014 | Size: 1,218 KB
This RPS applies to all Registration Authorities (RA) from the CC/S/A that participate in the issuance process for all certificates issued under the DoD NSS PKI. This RPS also applies to the individuals responsible for these certificates, persons operating an RA System, and Trusted Agents (TAs) appointed by an RA Officer operating under this RPS. (PDF Download) Date: 12/19/2014 | Size: 958 KB
This DoD Memorandum provides instructions for the issuance and use of Non-Person Entity (NPE) PKI certificates for devices both within and outside of key terrain. (PDF Download) Date: 05/10/2013 | Size: 461 KB
The metrics identified in the SIPRNet PKE Reporting Metrics Template for token issuance and cryptographic logon replace reporting in the Vulnerability Management System (VMS) as originally directed in USCYBERCOM TASKORD J3-12-0863. (XLSX Download) Date: 06/2013 | Size: 18 KB
This document is provided as a supplement to USCYBERCOM TASKORD J3-12-0863 and as clarification to the DoD CIO Memorandum: DoD SIPRNet Public Key Infrastructure Cryptographic Logon and Public Key Enablement of SIPRNET applications and Web Servers. (PDF Download) Date: 06/14/2013 | Size: 438 KB
The S-Interoperability Certificate Policy outlines the policy for the secret level multi-domain Public Key Infrastructure created by the S-Interop Root CA and defines the procedures for the approval and issuance of cross-certificates to member Certification Authorities. (PDF Download) Date: 01/05/2012 | Size: 449 KB
(U//FOUO) This CAM outlines activities that DoD Components must undertake to prepare for the rollout and use of the SIPRNet PKI tokens. A future document will be released establishing compliance dates. CAM 11_004 (LINK to PDF Download)
 

 Guides

 
Description
This guide provides instructions for configuring 90meter middleware to exclusively accept SIPR- or NIPR-only hardware tokens. (PDF Download) Date: 09/02/2012 | Size: 395 KB
This guide provides instructions for configuring 90meter middleware to allow the user to publish their SIPR hardware certificates to the GAL. The default settings of this middleware do not allow this action to occur. (PDF Download) Date: 09/02/2012 | Size: 425 KB
This guide provides instructions for PK-enabling Apache HTTP server on Linux using both NSS/mod_nss and OpenSSL/mod_ssl on both NIPRNet and SIPRNet. (PDF Download) Date: 07/09/2015 | Size: 847 KB
This guide provides instructions for PK-enabling Apache 2.4 HTTP server on Linux using both NSS/mod_nss and OpenSSL/mod_ssl on both NIPRNet and SIPRNet. (PDF Download) Date: 07/09/2015 | Size: 980 KB
This guide provides instructions for configuring Citrix XenDesktop for secure authentication and communications using DoD PKI. (PDF Download) Date: 07/25/2012 | Size: 442 KB
This document provides step-by-step guidance on configuring CoreStreet Validation Authority (VA) to support various tactical environment scenarios. (PDF Download) Date: 04/19/2013 | Size: 638 KB
DoD NSS PKI Token Supported Workstation Configuration Guidance v1.3 *PKI
The NSS PKI Token PMO Confirmed Supported Configurations guide provides recommended workstation configurations for the National Security Systems (NSS) PKI tokens within the DoD computing environment. (PDF Download) Date: 09/16/2014 | Size: 653 KB
This guide provides instructions for resetting a Personal Identification Number (PIN) associated with a SIPR hardware token. This process differs from the method followed for Common Access Card as it requires intervention by a higher-level person with specific system privileges. (PDF Download) Date: 08/08/2012 | Size: 120 KB
This guide provides instructions for configuring thin clients that utilize the HP ThinPro operating system. (PDF Download) Date: 12/17/2013 | Size: 444 KB
Java Keystore: Obtaining a DoD PKI Certificate *PKI
This guide provides instructions for obtaining a DoD or NSS PKI certificate for use with Java-based servers and applications (e.g. Apache Tomcat, Oracle WebLogic, IBM Websphere) that rely on Java keystores for certificate management. (PDF Download) Date: 06/30/2015 | Size: 535 KB
This guide aids in configuring Firefox and Thunderbird on Linux operating systems for use with DoD websites and S/MIME capabilities using the CAC and/or SIPRNet Token with the CoolKey PKCS #11 module. (PDF Download) Date: 07/24/2013 | Size: 1,164 KB
The procedures in this document guide the reader in configuring Linux for Smart Card Login (SCL) using Centrify Suite 2012.4. (PDF Download) Date: 02/12/2014 | Size: 466 KB
Linux: OpenSSH Public Key Authentication *PKI
The procedures in this document guide the reader in configuring OpenSSH to use public key authentication. (PDF Download) Date: 02/17/2016 | Size: 556 KB
The procedures in this document guide the reader in configuring Mac OS X for Smart Card Logon (SCL) using the Centrify Suite of products. (PDF Download) Date: 02/12/2014 | Size: 444 KB
Mac OS X: Enabling Smart Card Logon Using Thursby ADmitMac PKI *PKI
The procedures in this document guide the reader in configuring Mac OS X for smart card logon (SCL) using the Thursby ADmitMac PKI software. (PDF Download) Date: 12/19/2014 | Size: 526 KB
This document provides guidance on configuring the Microsoft CAPI2 native OCSP client component to support various DoD/National Security Systems (NSS) environments. (PDF Download) Date: 05/19/2014 | Size: 430 KB
Microsoft Internet Information Services (IIS) 6.0: Public Key Enabling *PKI
This guide provides instructions for PK-enabling Microsoft IIS 6.0 on both NIPRNet and SIPRNet. (PDF Download) Date: 08/11/2014 | Size: 875 KB
This guide provides instructions for PK-enabling Microsoft IIS 7.0/7.5 on both NIPRNet and SIPRNet. (PDF Download) Date: 08/11/2014 | Size: 854 KB
This guide provides instructions for PK-enabling Microsoft IIS 8.0 on both NIPRNet and SIPRNet. (PDF Download) Date: 08/11/2014 | Size: 881 KB
Microsoft OCSP Responder: Public Key Enabling *PKI
This guide provides instructions for configuring the Microsoft OCSP Responder for use as a local OCSP responder to provide revocation status for DoD and/or NSS PKI certificates to local enclaves. (PDF Download) Date: 08/13/2014 | Size: 477 KB
This guide provides instructions for configuring Microsoft Remote Desktop Services (RDS) for secure authentication and communications using DoD PKI. (PDF Download) Date: 01/21/2013 | Size: 1,149 KB
Microsoft Windows Server 2003: Enabling Smart Card Logon *PKI
 
This guide provides instructions for configuring Windows Server 2003 for Smart Card Login on both NIPRNet and SIPRNet. (PDF Download) Date: 09/27/2017 | Size: 680 KB
Microsoft Windows Server 2008: Enabling Smart Card Logon *PKI
 
This guide provides instructions for configuring Windows Server 2008 for Smart Card Login on both NIPRNet and SIPRNet. (PDF Download) Date: 09/27/2017 | Size: 648 KB
Microsoft Windows Server 2012: Enabling Smart Card Logon *PKI
 
The procedures in this document guide the reader in configuring Windows Server 2012 for smart card logon (SCL). (PDF Download) Date: 09/27/2017 | Size: 583 KB
NSS PKI Token Handling Best Practices Guide *PKI
The National Security Systems (NSS) Public Key Infrastructure (PKI) Token Handling Best Practices Guide includes best practices related to the usage and storage of NSS PKI tokens. (PDF Download) Date: 08/13/2014 | Size: 249 KB
NSS PKI Token Troubleshooting Procedures Guide *PKI
The NSS PKI Token Troubleshooting Procedures Guide provides steps for troubleshooting and analysis of NSS PKI tokens as well as the NSS Token Troubleshooting Form. (PDF Download) Date: 11/25/2014 | Size: 527 KB
 
This guide provides instructions for obtaining a PKI certificate for an unclassified or secret DoD server, including submitting a certificate signing request, requesting approval from your organization's Registration Authority (RA), and retrieving the issued certificate. (PDF Download) Date: 09/27/2017 | Size: 622 KB
Oracle Weblogic Server: Public Key Enabling
The purpose of this reference guide is to provide guidance to the DoD user community on the process to secure an Oracle Weblogic server and enable Secure Socket Layer (SSL)/Transport Layer Security (TLS) on it. (PDF Download) Date: 03/04/2015 | Size: 399 KB
Red Hat Enterprise Linux: Configuring Local Smart Card Logon *PKI
The procedures in this document guide the reader in configuring Red Hat Enterprise Linux (RHEL) smart card logon (SCL) to a local Linux user account. (PDF Download) Date: 07/14/2015 | Size: 374 KB
Solaris 10/11: SSH Public Key Authentication *PKI
The procedures in this document guide the reader in configuring SSH on Solaris to use public key authentication. (PDF Download) Date: 06/06/2016 | Size: 514 KB
 

 SSs & White Papers

 
Description
This quick reference guide provides instructions on how to apply PK-enabling guidance developed for NIPRNet to SIPRNet systems and environments. (PDF Download) Date: 08/20/2012 | Size: 224 KB
This slick sheet provides an overview of the capabilities provided by the Robust Certificate Validation Services (RCVS). (PDF Download) Date: 03/26/2014 | Size: 453 KB
This slick sheet provides an overview of the SIPR hardware token and addresses frequently asked questions about its distribution and use. (PDF Download) Date: 10/15/2013 | Size: 551 KB
This slick sheet contains information about the test materials available to support SIPRNet PK-enablement and how to obtain them. (PDF Download) Date: 08/15/2012 | Size: 205 KB
This white paper discusses the approach to implementing revocation checking in various limited and unique network environments. (PDF Download) Date: 08/07/2013 | Size: 944 KB
 

 Tools

 
Description
The documentation included in this zip file contains administration and configuration instructions for 90meter Certificate Issuance Workstation - Batch (CIW-B) v1.0.21.11 as well as troubleshooting and maintenance FAQs. (ZIP Download) Size: 9,260 KB
90meter Certificate Issuance Workstation (CIW) 1.0.17 RA Version *Downloads available on SIPRNet URL Only
This zip file contains software and documentation for 90meter Certificate Issuance Workstation (CIW) 1.0.17 RA Version, including full install and upgrade files, an upgrade README, administration guide, release notes, and ADM/ADMX templates for policy settings. (Downloads available on SIPRNet URL http://iase.rel.disa.smil.mil/pki-pke/landing_pages/rlts.html)
90meter Certificate Issuance Workstation (CIW) 1.0.17 RA Version Release Notes *PKI
These release notes detail new product features and changes for this release of 90meter Certificate Issuance Workstation (CIW) 1.0.17 RA Version. (PDF Download) Date: 10/31/2014 | Size: 572
This guide provides administration and configuration instructions for 90meter Certificate Issuance Workstation (CIW) 1.0.17 RA Version. (PDF Download) Date: 10/31/2014 | Size: 2,264 KB
90meter Smart Card Manager
DoD personnel who use up-to-date DoD-approved 90meter Smart Card Manager products on DoD networks must have a valid licensing agreement with 90meter. Due to licensing agreements, DoD cannot provide 90meter Smart Card Manager version 1.4.32S on the IASE website. Users may acquire DoD-approved 90meter products directly from sales1@90meter.com.
CRLAutoCache for Linux 2.05 - SIPRNet *PKI
The CRLAutoCache for Linux utility provides the capability to download DoD and other certificate revocation lists (CRLs) to a local cache on a Linux machine. The tool also has the ability to process downloaded CRLs for use with OpenSSL-based products, such as Apache web server configured with mod_ssl, and Mozilla Network Security Services (NSS). CRLAutoCache for Linux can be scheduled to periodically download CRLs to a local cache automatically. The SIPRNet version of the tool retrieves the NSS PKI and legacy DoD SIPRNet PKI CRLs by default. (Downloads available on SIPRNet Only - URL http://iase.rel.disa.smil.mil/pki-pke/function_pages/tools.html)
CRLAutoCache for Linux 2.06 - NIPRNet *PKI
The CRLAutoCache for Linux utility provides the capability to download DoD and other certificate revocation lists (CRLs) to a local cache on a Linux machine. The tool also has the ability to process downloaded CRLs for use with OpenSSL-based products, such as Apache web server configured with mod_ssl, and Mozilla Network Security Services (NSS). CRLAutoCache for Linux can be scheduled to periodically download CRLs to a local cache automatically. The NIPRNet version of the tool retrieves the DoD PKI NIPRNet CRLs by default. (TAR.GZ Download) Size: 10 KB
SHA256 Hash of the TAR.GZ is a44d328b66a055f22ce4dd022320345c8afbc89256c24eb09c9c7a8efc0bdf40
CRLAutoCache for Linux User Guide *PKI
This guide provides installation and usage instructions for both the NIPRNet and SIPRNet versions of CRLAutoCache for Linux. (PDF Download) Date: 01/03/2018 | Size: 583 KB
Domain Controller Certificate Request Generation *Downloads available on SIPRNet URL Only
This script can be used to generate domain controller certificate requests. The script generates a PKCS10 request and displays the domain controller GUID information. (Download available on SIPRNet URL http://iase.rel.disa.smil.mil/pki-pke/landing_pages/siprnet_pki.html)
InstallRoot 5.0.1: SIPR Windows Installer *Downloads available on SIPRNet URL Only
 
This tool allows users to install the National Security Systems (NSS) PKI root, intermediate and subordinate CA certificates into their Windows and Firefox certificate stores. InstallRoot 5.0.1 is packaged with a command line version as well as an InstallRoot service, which can check for updated Trust Anchor Management Protocol (TAMP) messages that contain the latest certificate information from DoD. The following operating systems are supported: Windows XP, Vista, Windows 7, Windows 8 and 8.1, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. This version should only be run on machines connected to Secret networks, and is only available from the DoD PKE SIPRNET site.
 

 Training

 
Description
DoD PKI Basic Overview v5.5 *PKI
This training module provides an overview of basic PKI concepts and the DoD PKI.

KRA Training for NSS and DoD PKI v5.2.0 *PKI
This training module provides instruction on key recovery processes and the duties of a Key Recovery Agent (KRA) on both NIPRNet and SIPRNet. (PDF Download) Date: 3/26/2015 | Size: 6,646 KB
LRA Training for NSS and DoD PKI v5.2.0 *PKI
This training module provides instruction on certificate issuance processes and the duties of a Local Registration Authority (LRA) on both NIPRNet and SIPRNet. (PDF Download) Date: 03/26/2015 | Size: 14,934 KB
This training module provides an overview of the general responsibilities and PKI responsibilities of privileged users. Privileged User IA Responsibilities (Link)
RA Training for NSS and DoD PKI v5.2.0 *PKI
This training module provides instruction on certificate issuance, revocation, suspension and restoration processes and the duties of a Registration Authority (RA) on both NIPRNet and SIPRNet. (PDF Download) Date: 03/26/2015 | Size: 18,751 KB
Token Management System (TMS) Training *PKI
This training is for TMS users who want information on how to use TMS Release 5/6. The topics include Inventory, Group Update, Rekey, and Advance Reporting System.