
External and Federal PKI Interoperability

*PKI = DoD PKI Certificate Required

PKI interoperability is an essential component of secure information sharing between DoD and its partners within the federal government and industry. DoD Instruction 8520.02 provides details on the processes to become a DoD approved PKI. DoD Instruction 8520.03 defines sensitivity levels and credential strengths that must be used to authenticate for access to resources at each sensitivity level. These DoD requirements align with larger federal government initiatives around the implementation and use of federated credentials, including M-04-04, HSPD-12, and FIPS-201. The latest PKI Interoperability Diagram that follows illustrates how DoD interacts with approved external PKIs through the Federal Bridge. For an overview of the Federal PKI and Federal Bridge and to learn more about the usage of External PKIs within the DoD, please read our Working with External PKIs slick sheet.

[Figure: The DoD PKI Interoperability Landscape Diagram]

At the bottom of the page, there is a table that lists all DoD approved external PKIs. By selecting each External PKI you can find additional information including certificate trust chains, acceptable certificate assurance levels, and other useful information.


DoD and Federal PKI Policy Documents

The table below summarizes all the policy documents that provide the foundation for PKI Interoperability. For a comprehensive list of policy documents, please go to the PKI and PKE Policies page.

DoD Instruction 8520.02
DoD Policy for PKI and PKE. Provides guidance for Public Key Enabling DoD Information Systems and approves the use and acceptance of DoD Approved External PKI certificates.
DoD Instruction 8520.03
DoD Policy identifying which credential types to use for different levels of data sensitivity
HSPD-12
Mandates a common identity credential for physical and logical access for federal employees and contractors
NIST 800-63-1
Provides technical details for addressing eAuthentication levels of assurance
NIST FIPS-201
Provides policy and technical guidance for PIV card issuance
NIST SP 800-78-3
Specifies cryptographic algorithms and key sizes for PIV cards
OMB M-04-04
eAuthentication policy identifying which credential types to use for different levels of data sensitivity
OMB M-11-11
Requires all federal agencies implement PIV for physical and logical access

Interoperability Downloads

The Interoperability Downloads section that follows has the latest certificate trust chains, a master document that contains trust chain and assurance level information, the DoD External Interoperability Plan, and other important information.

Department of Defense External Interoperability Plan - Version 1.0
The DoD Public Key Infrastructure (PKI) External Interoperability Plan (EIP) outlines the steps to be accomplished in order for External PKIs to be designated as approved for use with DoD relying parties. (PDF Download) Date: 08/20/2010 | Size: 1,984 KB
DoD and ECA CRL Distribution Points (CRLDPs)
This file provides a listing of all DoD and ECA CRLDPs. CRLDPs are represented by HTTP URLs that are asserted in the CRL Distribution Points certificate extension. CRLDPs are one of the mechanisms used by DoD relying party applications to validate certificates. (TXT Download) Date: 07/21/2016 | Size: 3 KB
DoD Approved Assurance Levels from External Partner PKIs *PKI
This file provides a listing of all DoD approved assurance levels from approved partner PKIs. Assurance levels are represented by Certificate Policy Object Identifiers (OIDs) which are asserted in the Certificate Policies X.509 certificate extension. DoD relying party applications can only accept certificates with OIDs that map to the FBCA medium hardware assurance level or higher (this includes the PIV and PIV-I OIDs). (TXT Download) Date: 07/21/2016 | Size: 12 KB
DoD Approved External CRL Distribution Points (CRLDPs)
This file provides a listing of all DoD approved CRLDPs from approved partner PKIs. CRLDPs are represented by HTTP URLs that are asserted in the CRL Distribution Points certificate extension. CRLDPs are one of the mechanisms used by DoD relying party applications to validate certificates. (TXT Download) Date: 06/09/2016 | Size: 6 KB
DoD Approved External OCSP URLs
This file provides a listing of all DoD approved Online Certificate Status Protocol (OCSP) URLs from approved partner OCSP responders. OCSP responders are represented by HTTP URLs that are asserted in the Authority Information Access certificate extension. OCSP validation is one of the mechanisms used by DoD relying party applications to validate certificates. (TXT Download) Date: 06/09/2016 | Size: 3 KB
DoD Approved External PKI Certificate Trust Chains - Version 6.0 *PKI
This zip file contains certificate trust chains for DoD Approved External PKIs. (ZIP Download) Date: 07/21/2016 | Size: 256 KB
DoD Approved External PKIs Category 1 Certificate Trust Chains (Federal Agencies) - Version 1.2 *PKI
This zip file contains certificate trust chains for DoD Approved External Category 1 PKIs (Federal Agencies). (ZIP Download) Date: 05/18/2016 | Size: 77 KB
DoD Approved External PKIs Category 2 Certificate Trust Chains (Non Federal Issuers) - Version 1.5 *PKI
This zip file contains certificate trust chains for DoD Approved External Category 2 PKIs (Non Federal Issuers). (ZIP Download) Date: 07/21/2016 | Size: 82 KB
DoD Approved External PKIs Master Document - Version 6.0
This document provides Certification Authority (CA) certificate trust chain and assurance level information for all Department of Defense (DoD) approved Public Key Infrastructures (PKIs). (PDF Download) Date: 07/21/2016 | Size: 1,642 KB

Interoperability Tools

DoD PKE offers the following tools to facilitate acceptance of DoD Approved External PKI credentials in accordance with DoD policy.

Axway Desktop Validator 4.12 Workstation and Server Configuration *PKI
This guide provides instructions for configuring Axway Desktop Validator 4.12 according to DoD best practices. Configuration files for DoD, ECA, DoD Approved External CAs, and NSS and SIPRNET Legacy CAs are also available as separate downloads. These configuration files have been prepared by the DoD PKE team to support high-volume servers operating in NIPRNet or SIPRNet environments and are intended for servers only. For workstation configuration information, please review the guidance in the Axway configuration guide.
CRLAutoCache 4.2: System Administrator Guide *PKI
This guide provides installation and configuration instructions for the DoD PKE CRLAutoCache tool. (PDF Download) Date: 04/19/2016 | Size: 1,713 KB
CRLAutoCache 4.2: Windows Installers *PKI
This tool provides administrators with a flexible solution to create local enclave CRL caches by downloading and publishing CRLs to local LDAP directory servers, web servers, and network file shares. The following Operating Systems are supported (both 32- and 64-bit): Windows XP, Windows Vista, Windows 7, Windows 8.x, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.
 
The CRLAutoCache for Linux utility provides the capability to download DoD and other certificate revocation lists (CRLs) to a local cache on a Linux machine. The tool also has the ability to process downloaded CRLs for use with OpenSSL-based products, such as Apache web server configured with mod_ssl, and Mozilla Network Security Services (NSS). CRLAutoCache for Linux can be scheduled to periodically download CRLs to a local cache automatically. The NIPRNet version of the tool retrieves the DoD PKI NIPRNet CRLs by default. (TAR.GZ Download) Size: 10 KB | SHA256 hash of the TAR.GZ: a44d328b66a055f22ce4dd022320345c8afbc89256c24eb09c9c7a8efc0bdf40
CRLAutoCache for Linux 2.05 - SIPRNet *PKI
The CRLAutoCache for Linux utility provides the capability to download DoD and other certificate revocation lists (CRLs) to a local cache on a Linux machine. The tool also has the ability to process downloaded CRLs for use with OpenSSL-based products, such as Apache web server configured with mod_ssl, and Mozilla Network Security Services (NSS). CRLAutoCache for Linux can be scheduled to periodically download CRLs to a local cache automatically. The SIPRNet version of the tool retrieves the NSS PKI and legacy DoD SIPRNet PKI CRLs by default. (Downloads available on SIPRNet Only - URL http://iase.rel.disa.smil.mil/pki-pke/function_pages/tools.html)
CRLAutoCache for Linux User Guide *PKI
This guide provides installation and usage instructions for both the NIPRNet and SIPRNet versions of CRLAutoCache for Linux. (PDF Download) Date: 06/03/2014 | Size: 546 KB
Trust Anchor Constraints Tool (TACT): 1.2.2 Installation Instructions
This guide provides installation instructions for TACT. (PDF Download) Date: 06/16/2014 | Size: 625 KB
Trust Anchor Constraints Tool (TACT): 1.2.2 User Guide
This guide provides usage instructions for TACT. (PDF Download) Date: 06/16/2014 | Size: 2,554 KB
Trust Anchor Constraints Tool (TACT): 1.2.6 Linux Installer *PKI
This installer provides a web server plug-in and management applications to enable Apache 2.2 and 2.4 to authenticate DoD and DoD-approved external partner certificates with fewer client-side interoperability issues and with enhanced security. TACT allows administrators to configure the web server to enforce additional PKI constraints during the authentication process. The following operating systems are supported: Red Hat Enterprise Linux 5.x and 6.x.

In addition to the DoD PKI, the PKIs listed below are approved for use within DoD at the Federal PKI medium hardware assurance level or higher. Some of the partners listed in this section maintain their own PKI, referred to as "Legacy PKIs" within the Federal Government, and many obtain their PKI certificates through Federal Shared Service Providers (SSPs) or other commercial Non-Federal Issuers (NFIs). The DoD External Certification Authority (ECA) program was the first DoD approved external PKI and is also included.

The DoD External Interoperability Plan (EIP) defines three categories of PKIs: *PKI

  1. Category I: U.S. Federal agency PKIs
  2. Category II: Non-Federal Agency PKIs cross certified with the Federal Bridge Certification Authority (FBCA) or PKIs from other PKI Bridges that are cross certified with the FBCA
  3. Category III: Foreign, Allied, or Coalition Partner PKIs or other PKIs
 

DoD-Approved External PKIs

Columns of the original table: Type/Name | PKI (with participating agencies or organizations, where listed) | Highest Assurance Level | Date Tested | Date Retested. Each entry below gives the recovered values of one row.

Type: DoD Sponsored
PKI: (name not captured)
Highest Assurance Level: Medium Hardware
Date Tested: N/A

Type: Category I
PKI: Entrust SSP PKI *PKI
Agencies include, but are not limited to: Department of Energy; Department of Justice; National Institute of Standards and Technology; Health and Human Services
Highest Assurance Level: PIV
Dates listed (tested / retested): Feb 2010; Oct 2013; Jan 2016

Type: Category I
PKI: ORC SSP PKI *PKI
Agencies include, but are not limited to: Environmental Protection Agency; Federal Election Commission; Federal Trade Commission
Highest Assurance Level: PIV
Dates listed (tested / retested): Oct 2009; Oct 2009

Type: Category I
PKI: (name not captured)
Highest Assurance Level: PIV
Date Tested: Sep 2008

Type: Category I
PKI: Symantec SSP PKI (formerly VeriSign SSP PKI) *PKI
Agencies include: Department of Transportation / Federal Aviation Administration; Naval Reactors - Department of Energy; Nuclear Regulatory Commission
Highest Assurance Level: PIV
Dates listed (tested / retested): Nov 2008; Nov 2008; Apr 2015

Type: Category I
PKI: U.S. Treasury SSP PKI *PKI
Agencies include: Department of Homeland Security; National Aeronautics and Space Administration; Social Security Administration; U.S. Treasury Department; Department of Veteran Affairs
Highest Assurance Level: PIV
Dates listed (tested / retested): Sep 2008; Mar 2009; Mar 2009; Jan 2009; Sep 2008; Pending

Type: Category I
PKI: Verizon Business SSP PKI *PKI
Agencies include: Department of Veteran Affairs; Executive Office of the President; Human Health Services
Highest Assurance Level: PIV
Dates listed (tested / retested): Oct 2009; Oct 2009

Type: Category II
PKI: (name not captured)
Highest Assurance Level: Medium Hardware
Date Tested: May 2012 | Date Retested: Jun 2013

Type: Category II
PKI: (name not captured)
Highest Assurance Level: PIV-I
Date Tested: Dec 2015

Type: Category II
PKI: (name not captured)
Highest Assurance Level: PIV-I
Date Tested: Oct 2011

Type: Category II
PKI: (name not captured)
Highest Assurance Level: Medium Hardware
Date Tested: Sep 2009 | Date Retested: Apr 2014

Type: Category II
PKI: IdenTrust NFI PKI *PKI
Organizations include: Booz Allen Hamilton
Highest Assurance Level: PIV-I
Dates listed (tested / retested): Mar 2016; Mar 2016

Type: Category II
PKI: (name not captured)
Highest Assurance Level: Medium Hardware
Date Tested: Mar 2009 | Date Retested: Jun 2013

Type: Category II
PKI: (name not captured)
Highest Assurance Level: Medium Hardware
Date Tested: Sep 2012

Type: Category II
PKI: (name not captured)
Highest Assurance Level: Medium Hardware
Date Tested: Nov 2008 | Date Retested: Jan 2015

Type: Category II
PKI: (name not captured)
Highest Assurance Level: PIV-I
Date Tested: Mar 2012

Type: Category II
PKI: (name not captured)
Highest Assurance Level: Medium Hardware
Date Tested: Mar 2009 | Date Retested: Aug 2015

Type: Category II
PKI: Symantec NFI PKI (formerly VeriSign NFI PKI) *PKI
Highest Assurance Level: PIV-I
Organizations include (highest assurance level in parentheses): Booz Allen Hamilton (PIV-I); California Prison Health Care Services (Medium Hardware); Computer Sciences Corporation (Medium Hardware); Eid Passport (RAPIDGate) (PIV-I); ICF International (PIV-I); Millennium Challenge Corporation (Medium Hardware); US Senate (Medium Hardware); State of Colorado (Medium Hardware); State of Kansas (Medium Hardware)
Dates listed (tested / retested): Apr 2011; Apr 2011; Jan 2013; Feb 2013; Dec 2012; Aug 2014

Type: Category II
PKI: (name not captured)
Highest Assurance Level: PIV-I
Date Tested: Jul 2011

Type: Category III
PKI: (name not captured)
Highest Assurance Level: Medium Hardware
Date Tested: Jun 2013 | Date Retested: Jun 2014