
PKI and PKE Tools

*PKI = DoD PKI Certificate Required
 

 Domain Management

 
Description
The DoD PKE Password Hash Refresh script can be used to periodically change passwords (and by extension, their associated hashes) for smart card-enforced accounts within specific OU containers and Groups in Microsoft Active Directory (AD). (ZIP Download) Size: 2 KB
This guide provides step-by-step instructions for using the DoD PKE Password Hash Refresh script to periodically change passwords (and by extension, their associated hashes) for smart card enforced accounts. (PDF Download) Date: 02/11/2014 | Size: 686 KB
Smart Card Logon (SCL) Troubleshooting Tool 1.0 *PKI
The SCL Troubleshooting Tool is designed to identify and diagnose SCL problems that are present on an Active Directory domain controller. The following operating systems are supported: Windows Server 2008, 2008 R2, 2012, and 2012 R2. (MSI Download) Date: 02/26/2016 | Size: 14,161 KB
Smart Card Logon (SCL) Troubleshooting Tool 1.0 User Guide *PKI
This guide provides usage instructions for the Smart Card Logon (SCL) Troubleshooting Tool. (PDF Download) Date: 02/26/2016 | Size: 605 KB
 

 Certificate Tools

 
Description
90meter Certificate Issuance Workstation (CIW) 1.0.17 RA Version *Downloads available on SIPRNet URL Only
This zip file contains software and documentation for 90meter Certificate Issuance Workstation (CIW) 1.0.17 RA Version, including full install and upgrade files, an upgrade README, administration guide, release notes, and ADM/ADMX templates for policy settings. (Downloads available on SIPRNet URL http://iase.rel.disa.smil.mil/pki-pke/landing_pages/rlts.html)
90meter Certificate Issuance Workstation (CIW) 1.0.17 RA Version Release Notes *PKI
These release notes detail new product features and changes for this release of 90meter Certificate Issuance Workstation (CIW) 1.0.17 RA Version. (PDF Download) Date: 10/31/2014 | Size: 572
This guide provides administration and configuration instructions for 90meter Certificate Issuance Workstation (CIW) 1.0.17 RA Version. (PDF Download) Date: 10/31/2014 | Size: 2,264 KB
Domain Controller Certificate Request Generation
 
This script can be used to generate domain controller certificate requests. The script generates a PKCS10 request and displays the domain controller GUID information.
  • NIPR Download *PKI - (ZIP Download) Size: 11 KB
  • SIPR Download *Downloads available on SIPRNet URL Only - (ZIP Download) Size: 9 KB
    (Download available on SIPRNet URL http://iase.rel.disa.smil.mil/pki-pke/landing_pages/siprnet_pki.html)
 

 Certificate Validation

 
Description
CRLAutoCache 4.2: System Administrator Guide *PKI
This guide provides installation and configuration instructions for the DoD PKE CRLAutoCache tool. (PDF Download) Date: 04/19/2016 | Size: 1,713 KB
CRLAutoCache 4.2: Windows Installers *PKI
This tool provides administrators with a flexible solution to create local enclave CRL caches by downloading and publishing CRLs to local LDAP directory servers, web servers, and network file shares. The following Operating Systems are supported (both 32- and 64-bit): Windows XP, Windows Vista, Windows 7, Windows 8.x, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.
CRLAutoCache for Linux 2.05 - SIPRNet *PKI
The CRLAutoCache for Linux utility provides the capability to download DoD and other certificate revocation lists (CRLs) to a local cache on a Linux machine. The tool also has the ability to process downloaded CRLs for use with OpenSSL-based products, such as Apache web server configured with mod_ssl, and Mozilla Network Security Services (NSS). CRLAutoCache for Linux can be scheduled to periodically download CRLs to a local cache automatically. The SIPRNet version of the tool retrieves the NSS PKI and legacy DoD SIPRNet PKI CRLs by default. (Downloads available on SIPRNet Only - URL http://iase.rel.disa.smil.mil/pki-pke/function_pages/tools.html)
CRLAutoCache for Linux 2.06 - NIPRNet *PKI
The CRLAutoCache for Linux utility provides the capability to download DoD and other certificate revocation lists (CRLs) to a local cache on a Linux machine. The tool also has the ability to process downloaded CRLs for use with OpenSSL-based products, such as Apache web server configured with mod_ssl, and Mozilla Network Security Services (NSS). CRLAutoCache for Linux can be scheduled to periodically download CRLs to a local cache automatically. The NIPRNet version of the tool retrieves the DoD PKI NIPRNet CRLs by default. (TAR.GZ Download) Size: 10 KB
SHA256 Hash of the TAR.GZ is a44d328b66a055f22ce4dd022320345c8afbc89256c24eb09c9c7a8efc0bdf40
CRLAutoCache for Linux User Guide *PKI
This guide provides installation and usage instructions for both the NIPRNet and SIPRNet versions of CRLAutoCache for Linux. (PDF Download) Date: 01/03/2018 | Size: 583 KB
FBCA Cross-Certificate Remover 1.15
 
This tool removes certificates that cause the cross-certificate chaining issue for DoD (and optionally ECA) users from Microsoft Local Computer and User Certificate stores. The following Operating Systems are supported: Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, and Windows 10. (ZIP Download) Size: 49 KB
FBCA Cross-Certificate Remover 1.15 User Guide
 
This guide provides usage instructions for the FBCA Cross-Certificate Remover tool. (PDF Download) Date: 09/19/2017 | Size: 235 KB
Online Certificate Status Protocol (OCSP) Test Suite *PKI
The OCSP Test Suite is designed to facilitate testing commonly used features and standards compliance of OCSP clients. This installer is used to install test artifacts and, optionally, test responders. The test artifacts include trust anchors, CA certificates, end entity certificate, CRLs, and PKCS12 files. (MSI Download) Date: 11/10/2014 | Size: 5,616 KB
Online Certificate Status Protocol (OCSP) Test Suite User Guide *PKI
This document provides test assertions and test cases for testing OCSP client software behavior with the OCSP Test Suite. Tests focus on commonly used features and standards compliance. (PDF Download) Date: 11/10/2014 | Size: 1,065 KB
Online Certificate Status Protocol (OCSP) Test Utilities *PKI
The OCSP Test Utilities facilitate using the OCSP Test Suite with OCSP clients integrated with Microsoft CAPI. This installer includes two utilities: CapiRevStatusTest and CapiRevStatusTestCleaner. CapiRevStatusTest initiates a certificate validation action through Microsoft CAPI and CapiRevStatusTestCleaner is used to "clean up" test artifacts after the CapiRevStatusTest utility has been executed. (MSI Download) Date: 11/10/2014 | Size: 944 KB
 

 Email

 
Description
This guide provides installation and usage instructions for the DoD PKE CertAdmin tool. (PDF Download) Date: 05/20/2009 | Size: 826 KB
This tool gives administrators several methods for detecting and managing user certificates published to the Microsoft Exchange GAL that are nearing expiration or have already expired. (ZIP Download) Size: 5.6 MB
This guide provides installation and usage instructions for the DoD PKE MailCrypt tool. (PDF Download) Date: 07/13/2016 | Size: 1,072 KB
MailCrypt 3.1 Windows Installers *PKI
This tool performs bulk decryption and re-encryption of Microsoft Outlook message stores, giving users the ability to update old encrypted email to be accessible using a new CAC. The following Operating Systems are supported: Windows Vista, 7, and 8.x. 64-bit support requires a 64-bit version of Microsoft Office. If you are running a 64-bit version of Windows with a 32-bit installation of Microsoft Office, the 32-bit installer is required; otherwise please select the installer that matches your Windows installation.
 

 Middleware

 
Description
90meter Smart Card Manager
DoD personnel who use up-to-date DoD-approved 90meter Smart Card Manager products on DoD networks must have a valid licensing agreement with 90meter. Due to licensing agreements, DoD cannot provide 90meter Smart Card Manager version 1.4.32S on the IASE website. Users may acquire DoD-approved 90meter products directly from sales1@90meter.com.
 

 Mobile Devices

 
Description
BlackBerry Expired OCSP Certificate Remover *PKI
This tool removes expired OCSP signing certificates from BlackBerry devices to prevent digital signature and encryption problems. (ZIP Download) Size: 66 KB
BlackBerry: Running the BlackBerry Expired OCSP Certificate Remover *PKI
This document provides DoD BlackBerry users step-by-step instructions for using the BlackBerry Expired OCSP Certificate Remover to correct a known error in validating email signatures and sending encrypted email. (PDF Download) Date: 1/2013 | Size: 385 KB
InstallRoot for BlackBerry 5.0.0.828
This tool allows users to manually install DoD and ECA CA certificates into their BlackBerry certificate stores. (ZIP Download) Size: 44 KB
InstallRoot for Windows Mobile 5
This tool installs the current DoD PKI Certification Authority (CA) certificates on Windows Mobile 5 devices, thereby establishing trust of the DoD PKI on the device. (CAB Download) Size: 31 KB
InstallRoot for Windows Mobile 6
This tool installs the current DoD PKI Certification Authority (CA) certificates on Windows Mobile 6 devices, thereby establishing trust of the DoD PKI on the device. (CAB Download) Size: 31 KB
InstallRoot for Windows Mobile Installation Guide *PKI
This guide provides steps to download, verify, and load InstallRoot for Windows Mobile devices running Windows Mobile version 5 or 6. (PDF Download) Date: 1/2013 | Size: 755 KB
 

 Trust Store

 
Description
InstallRoot 5.0.1: SIPR Windows Installer *Downloads available on SIPRNet URL Only
 
This tool allows users to install the National Security Systems (NSS) PKI root, intermediate and subordinate CA certificates into their Windows and Firefox certificate stores. InstallRoot 5.0.1 is packaged with a command line version as well as an InstallRoot service, which can check for updated Trust Anchor Management Protocol (TAMP) messages that contain the latest certificate information from DoD. The following operating systems are supported: Windows XP, Vista, Windows 7, Windows 8 and 8.1, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. This version should only be run on machines connected to Secret networks, and is only available from the DoD PKE SIPRNET site.
InstallRoot 5.2: NIPR Windows Installer
This tool allows users to install DoD production PKI, Joint Interoperability Test Command (JITC) test PKI, and External Certification Authority (ECA) CA certificates into their Windows and Firefox certificate stores. InstallRoot 5.1 is packaged with a command line version as well as an InstallRoot service, which can check for updated Trust Anchor Management Protocol (TAMP) messages that contain the latest certificate information from DoD. The following operating systems are supported: Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2.
InstallRoot 5.2: User Guide
This guide provides installation and usage instructions for the DoD PKE InstallRoot 5.2 tool. (PDF Download) Date: 11/20/2017 | Size: 2.6 MB
This script facilitates population of trusted Certification Authority (CA) certificates in an NSS database on Linux operating systems. The script extracts all certificates from a specified PKCS#7 file, converts them to PEM format as necessary, then loads them into a specified NSS database. (ZIP Download) Size: 2 KB
This guide provides installation and usage instructions for the NSSdb CertLoader script for Linux environments. (PDF Download) Date: 07/09/2015 | Size: 333 KB
This script facilitates population of trusted Certification Authority (CA) certificates in an NSS database on Windows operating systems. The script extracts all certificates from a specified PKCS#7 file, converts them to PEM format as necessary, then loads them into a specified NSS database. (ZIP Download) Size: 2 KB
This guide provides installation and usage instructions for the NSSdb CertLoader script for Windows environments. (PDF Download) Date: 07/09/2015 | Size: 331 KB
PKI CA Certificate Bundles: PEM Self-Extracting ZIP
These signed self-extracting zip files contain all the Certification Authority (CA) certificates for the specified PKI in PEM format. Instructions for verifying the digital signatures on the files can be found in the Verifying Digital Signatures on DoD PKE Tools guide. Designed to be run on Microsoft Windows.
PKI CA Certificate Bundles: PKCS#7
These zip files contain three PKCS#7 files that contain all the Certification Authority (CA) certificates for the specified PKI in different formats. One PKCS#7 file contains the certificates in DER format, another in PEM, and the last also in PEM but with a signature applied to the PKCS#7 file. Instructions for verifying the integrity of all three files using OpenSSL are included in the README.