Skip Ribbon Commands Skip to main content

IASE content is currently preparing to migrate to the DoD Cyber Exchange.
Please see for updates to PKI/E content until the DoD Cyber Exchange goes live.

Relying Parties/Applications

A relying party as an entity who, by using another's certificate to verify the integrity of a digitally signed message, to identify the creator of a message, or to establish confidential communications with the holder of the certificate, relies on the validity of the binding the Subscriber's name to a public key.

DoD Instruction 8520.2, "Public Key Infrastructure (PKI) and Public Key (PK)-Enabling" requires DoD Information Systems who have users who are not eligible to receive certificates from the DoD PKI accept certificates issued by DoD-approved external PKIs, including ECA certificates.

The ECA PKI is a hierarchical PKI with 1024 and 2048 bit Root CA trust anchors and a single layer of Subordinate CAs. The Root CAs are hosted by the National Security Agency (NSA) and the Subordinate CAs are owned and operated by commercial vendors who have been approved by the DoD as meeting all ECA technical, policy, and security requirements.

Allowing ECA certificates to be used for client-authentication to a web server requires installing the ECA Root CA and ECA Root CA 2 certificates into the web server's local trust list and downloading the ECA Root CA and ECA Root CA 2 CRLs and all Subordinate CA CRLs. Some web servers may also require installing Subordinate CA certificates into the local trust list.

In order to obtain ECA CA certificates, and the CRLs via http, visit the following sites:

ECA Root CA Certificate

ECA Subordinate CA Certificate


In order to obtain ECA CRLs using direct LDAP, visit the following sites:

For ECA Root CAs use GDS:

  • Host:Port-
  • Base DN- ou=ECA, O=U.S. Government, C=US
  • Attribute- certificaterevocationlist;binary
  • Common Names "ECA ROOT CA 2"

For Vendor Subordinate CAs:

  • Host:Port-
  • Base DN- ou=Certification Authorities, ou=ECA, O=U.S. Government, C=US
  • Attribute- certificaterevocationlist;binary
  • Common Names Below:
  • "ORC ECA SW 3" "ORC ECA HW 3" "ORC ECA SW 4" "ORC ECA HW 4" "VeriSign External Client Certification Authority G2" "VeriSign External Client Certification Authority G3" "IdenTrust ECA 2" "IdenTrust ECA 3"

In order to obtain ECA Revocation Status using OCSP, visit the following sites:

For Vendor Subordinate CAs:


  • URL of OCSP Service –
  • Model of Operation – Delegated Trust
  • Supported CAs – Identrust ECA 2, IdenTrust ECA 3


  • URL of OCSP Service –
  • Port for OCSP Service – 80
  • Model of Operation – Direct Trust (VA certificate issued from ECA hierarchy)
  • Supported CAs – ORC ECA SW 3, ORC ECA HW 3, ORC ECA SW 4, ORC ECA HW 4

Symantec, Inc.