Public Key Enabling (PKE) is the process of configuring systems and applications to use certificates issued by the DoD PKI, the NSS PKI, or DoD-approved external PKIs for authentication, digital signature, and encryption. Configuration guides for products filterable by topic (web servers, domain management and smart card logon, thin clients and virtualization, etc.) are available below; a full listing of all of the documents and tools available from the site is available on the PKI/PKE Document LibraryĀ page.

The high-level steps generally required to PKE include:

Install Certification Authority (CA) Certificates

DoD PKI and other approved CA certificates for PKIs that serve the system or application’s user community must be installed in the certificate trust store used by the system or application. Many Windows-based applications, including Microsoft applications as well as Google Chrome on Windows, leverage the Microsoft Cryptographic Application Programming Interface (CAPI) local computer trust store. Other applications such as Mozilla Firefox and Java have their own separate trust stores.

DoD PKE provides the InstallRoot (32-bit, 64-bit or Non-Administrator) tool which can install CA certificates into the CAPI, NT AUTH, Firefox and Java trust stores on Windows platforms.Ā  CA certificates and other information for approved external PKIs are available from the InteroperabilityĀ page. For alternate operating systems such as Mac OS and Linux, certificates can be imported from the PKCS7 files (ForĀ DoD PKI Only, ForĀ ECA PKI Only, ForĀ JITC PKI Only, For SIPR PKI Only (download available on SIPRNet).

NOTE:Ā The DoD PKI releases new CAs on an approximately annual basis and system owners must ensure trust stores are updated to avoid denial-of-service issues for users issued CACs with certificates from the new CAs. For notifications of updates to InstallRoot and other DoD PKE tools, subscribe to theĀ Tools RSS feed. For notifications of changes to approved external PKIs, subscribe to theĀ Interoperability RSS feed.

Obtain and Install a Certificate for the System or Application

Most applications, including web-based systems, require a certificate identifying the system in order to fully PK-enable. A certificate request is generated by the application and submitted to a DoD PKI CA for approval and issuance. A DoD Registration Authority (RA) must be contacted to approve the request. Once the certificate is issued, it can be downloaded and installed by the application owner.

Configure Certificate Revocation Checking

Applications must verify certificates have not been revoked prior to relying on them for security functions such as authentication. The DoD PKI supports two primary revocation checking methods:

  • Certificate Revocation Lists (CRLs)Ā are signed files containing the list of serial numbers of the revoked certificates from each CA. To use CRLs for revocation checking, the system or application must download the appropriate CRL and check the list to verify that the serial number of the certificate being validated is not on it. Many applications provide the capability to download CRLs at the time of certificate validation; however, the size of the DoD PKI CRLs prevents this from being a practical option due to the time necessary to download the files. To use DoD PKI CRLs for revocation checking, they must be downloaded and cached on a periodic basis.
  • TheĀ Online Certificate Status Protocol (OCSP) uses a request-response paradigm in which an OCSP client submits an HTTP certificate status request to an OCSP responder and the responder, in turn, returns an OCSP response indicating whether the certificate status is good, revoked or unknown. OCSP responses are generated from data contained within CRLs; however, since an OCSP response contains status for only one or a small number of certificates, it is a much lighter-weight way to obtain certificate status than downloading a full CRL.

In addition to the primary methods, DoD PKI offers a variety of Axway Tumbleweed and CoreStreet proprietary revocation checking mechanisms that an organization can leverage. The best method for a particular application will depend on the applicationā€™s revocation checking capabilities, network bandwidth and connectivity, and volume of traffic.

DoD PKE also offers the CRLAutoCache tools for Windows and Linux as well as Axway/Tumbleweed Desktop Validator configuration instructions and files for versions 4.10-4.12.

Configure Security Settings to Support PKI Functions (e.g., PKI-Based Client Authentication, TLS)

Systems and applications typically have specific configuration properties to control security settings related to PKI functionality. For example, web servers and other applications that support SSL/TLS have configuration properties to enable the application to listen on a port to accept inbound TLS connections. There will usually be another property that controls PKI certificate-based client authentication to the system, with options to require, allow, or disable that functionality. Other settings may control which protocols and algorithms are used by the system, and have an option to restrict these to only FIPS-approved algorithms; this is generally a STIG requirement as well. Security settings should be configured to support all desired PKI functions and comply with DoD authentication policy and STIG settings.

Configure Certificate Mapping

PKI provides strong assurance that the identity asserted within a PKI certificate is in fact the identity of the certificate holder. However, in order for that identity to be meaningful to a system or application, the identity from the certificate must be mapped to a user account on the system. If a PKI certificate is not mapped to a known system account, there is only strong assurance that the user has a valid certificate; there is no assurance that the application has any knowledge of the specific identity of the certificate holder upon which to base authorization decisions.

Certificate mapping is accomplished by associating data from a validated certificate with a particular user account. PKI certificates have several attributes that can be used, either alone or in combination, as unique identifiers for certificate mapping. For DoD PKI certificate holders, the most common values used for certificate mapping are the Subject Alternative Name (SAN) User Principal Name (UPN) and the certificate subject Common Name (CN). These are the most commonly supported mapping values out-of-the-box for Commercial Off-the-Shelf (COTS) products, are guaranteed unique within DoD due to their contents’ format (EDIPI+6@mil* for the SAN UPN and lastname.firstname.middleinitial.EDIPI for the subject CN), and are persistent across multiple credentials.

However, when expanding the user population to multiple PKIs, CN is no longer guaranteed unique and SAN UPN is not guaranteed to be present in partner PKI credentials, so alternative or secondary mapping methods must be identified.

*EDIPI+6 in the SAN UPN is a 16-digit subset of the Federal Agency Smart Credential Number (FASC-N) that for DoD users is the 10-digit EDIPI followed by a 1 to indicate the card was issued by a federal agency, the 4-digit NIST SP 800-87 Agency Code for the organization with which the user is associated, and a final digit representing the user’s Person/Organization Association (POA) Category (e.g. 2 for Civil, 4 for Uniformed Service, 5 for Contractor).

Additional Considerations

Authorization

PKI provides applications with a more secure way to authenticate the identity of a user, application, or device. However, just because a user authenticates with a certificate, it does not mean they are authorized to access the requested data. Applications should implement an authorization process to ensure only authorized users are allowed access to information.

Interoperability

DoD has implemented an external interoperability strategy for secure information sharing with external partners that reduces cost and overhead for both DoD and its partners. All federal agencies issue Personal Identity Verification (PIV) cards to their employees and affiliates; in addition, some of DoD’s industry partners have implemented corporate PKIs, and others have obtained certificates from approved commercial PKIs. Some of DoD’s international allied and coalition partners also have established PKIs to issue certificates to their personnel. Systems and applications with user populations that hold approved external credentials should be configured to accept those credentials rather than requiring the users to obtain Common Access Cards (CACs) or External Certification Authority (ECA) certificates. The complete list of DoD approved external PKIs as well as interoperability tools and configuration guides are available on theĀ InteroperabilityĀ page.

DoD policy requires that external credentials have an assurance level of medium hardware or higher, so systems accepting external credentials must have an assurance level enforcement capability. Depending on technology, this can be accomplished through use of the Interoperability Root CAs (IRCAs) or implementation of a local certificate policy object identifier (OID) filtering solution such as the DoD PKE Trust Anchor Constraints Tools (TACT) available from the PKI/PKE Tools page. A complete list of approved partner OIDs is available in theĀ DoD Approved Assurance Levels from External Partner PKIsĀ text file.

  Title Size Updated
  Using Commercial PKI Certificates Using Commercial PKI Certificates
This slick sheet addresses questions regarding how and where commercial PKI certificates may be used within the DoD.
129.77 KB 2024 12 03
  Update to DoD CIO Memo on Commercial Public Key Infrastructure Certificates on Public-Facing DoD Websites Update to DoD CIO Memo on Commercial Public Key Infrastructure Certificates on Public-Facing DoD Websites
This memorandum, signed on November 8, 2021, updates and replaces DoD CIO Memorandum "Commercial Public Key Infrastructure Certificates on Public-Facing DoD Websites" dated November 6, 2020. It provides guidance on the use of commercial TLS and code signing PKI certificates on public-facing DoD websites and services.
254.16 KB 2023 03 10
  Trust Anchor Constraints Tool (TACT): 1.2.6 User Guide Trust Anchor Constraints Tool (TACT): 1.2.6 User Guide
This guide provides usage instructions for TACT.
2.26 MB 2018 11 30
  Trust Anchor Constraints Tool (TACT): 1.2.6 Installation Instructions Trust Anchor Constraints Tool (TACT): 1.2.6 Installation Instructions
This guide provides installation instructions for TACT.
784.07 KB 2018 11 30
Raytheon PKI Technical Information Raytheon PKI Technical Information
2019 03 13
Purebred Registration App Version History Purebred Registration App Version History
2019 02 21
  PKI Interoperability Test Tool (PITT): 2.0.6 User Guide PKI Interoperability Test Tool (PITT): 2.0.6 User Guide
This guide provides usage instructions for PITT.
1.88 MB 2018 11 30
  PKI CA Certificate Bundles: PKCS#7 for WCF B&I PKI Only - Version 5.15 PKI CA Certificate Bundles: PKCS#7 for WCF B&I PKI Only - Version 5.15
This zip file contains the DoD Web Content Filtering (WCF) PKI Certification Authority (CA) certificates in PKCS#7 certificate bundles containing either PEM-encoded or DER-encoded certificates. Instructions for verifying the integrity of all .p7b files using the signed SHA-256 hashes file (.sha256) are included in the README.
20.77 KB 2024 03 08
  PKI CA Certificate Bundles: PKCS#7 for WCF B&I PKI Only - Version 5.14 PKI CA Certificate Bundles: PKCS#7 for WCF B&I PKI Only - Version 5.14
This zip file contains the DoD Web Content Filtering (WCF) PKI Certification Authority (CA) certificates in PKCS#7 certificate bundles containing either PEM-encoded or DER-encoded certificates. Instructions for verifying the integrity of all .p7b files using the signed SHA-256 hashes file (.sha256) are included in the README.
68.11 KB 2023 03 02
PKI CA Certificate Bundles: PKCS#7 for JITC PKI Only - Version 5.16 PKI CA Certificate Bundles: PKCS#7 for JITC PKI Only - Version 5.16
108.13 KB 2024 11 07
  PKI CA Certificate Bundles: PKCS#7 for ECA PKI Only - Version 5.11 PKI CA Certificate Bundles: PKCS#7 for ECA PKI Only - Version 5.11
This zip file contains the External Certification Authority (ECA) PKI Certification Authority (CA) certificates in PKCS#7 certificate bundles containing either PEM-encoded or DER-encoded certificates. Separate PKCS#7 certificate bundles are also included for each root CA, for relying parties who may wish to only accept certificates issued with the key and signature hash combinations (e.g. RSA-2048/SHA-256) issued by a given root. Instructions for verifying the integrity of all .p7b files using the signed SHA-256 hashes file (.sha256) are included in the README.
18.86 KB 2024 11 07
PKI CA Certificate Bundles: PKCS#7 for DoD PKI Only - Version 5.13 PKI CA Certificate Bundles: PKCS#7 for DoD PKI Only - Version 5.13
49.28 KB 2023 11 03
NIPRNet Test Material FAQ NIPRNet Test Material FAQ
131.38 KB 2023 11 03
  InstallRoot 5.6: User Guide InstallRoot 5.6: User Guide
This guide provides installation and usage instructions for the DoD PKE InstallRoot tool.
1.43 MB 2024 01 10
  InstallRoot 5.6 NIPR Non-Administrator 64-bit Windows Installer InstallRoot 5.6 NIPR Non-Administrator 64-bit Windows Installer
This tool allows users to install DoD production PKI, Joint Interoperability Test Command (JITC) test PKI, and External Certification Authority (ECA) CA certificates into their Windows and Firefox certificate stores. InstallRoot 5.5 is packaged with a command line version as well as an InstallRoot service, which can check for updated Trust Anchor Management Protocol (TAMP) messages that contain the latest certificate information from DoD. The following operating systems are supported: Windows 10, Windows 11, and Windows Server 2012, 2016, 2019, and 2022.
28.29 MB 2024 01 11
  InstallRoot 5.6 NIPR Non-Administrator 32-bit Windows Installer InstallRoot 5.6 NIPR Non-Administrator 32-bit Windows Installer
This tool allows users to install DoD production PKI, Joint Interoperability Test Command (JITC) test PKI, and External Certification Authority (ECA) CA certificates into their Windows and Firefox certificate stores. InstallRoot 5.5 is packaged with a command line version as well as an InstallRoot service, which can check for updated Trust Anchor Management Protocol (TAMP) messages that contain the latest certificate information from DoD. The following operating systems are supported: Windows 10, Windows 11, and Windows Server 2012, 2016, 2019, and 2022.
25.95 MB 2024 01 11
  InstallRoot 5.6 NIPR 64-bit Windows Installer InstallRoot 5.6 NIPR 64-bit Windows Installer
This tool allows users to install DoD production PKI, Joint Interoperability Test Command (JITC) test PKI, and External Certification Authority (ECA) CA certificates into their Windows and Firefox certificate stores. InstallRoot 5.5 is packaged with a command line version as well as an InstallRoot service, which can check for updated Trust Anchor Management Protocol (TAMP) messages that contain the latest certificate information from DoD. The following operating systems are supported: Windows 10, Windows 11, and Windows Server 2012, 2016, 2019, and 2022.
26.96 MB 2024 01 11
  InstallRoot 5.6 NIPR 32-bit Windows Installer InstallRoot 5.6 NIPR 32-bit Windows Installer
This tool allows users to install DoD production PKI, Joint Interoperability Test Command (JITC) test PKI, and External Certification Authority (ECA) CA certificates into their Windows and Firefox certificate stores. InstallRoot 5.5 is packaged with a command line version as well as an InstallRoot service, which can check for updated Trust Anchor Management Protocol (TAMP) messages that contain the latest certificate information from DoD. The following operating systems are supported: Windows 10, Windows 11, and Windows Server 2012, 2016, 2019, and 2022.
25.79 MB 2024 01 11
  FBCA Cross-Certificate Remover 1.18 FBCA Cross-Certificate Remover 1.18
This tool removes certificates which cause the cross-certificate chaining issue for DoD (and optionally ECA) users from Microsoft Local Computer and User Certificate stores. The following Operating Systems are supported: Windows Server 2003, Windows Server 2003R2, Windows Server 2008, Windows Server 2008R2, Windows Server 2012, Windows Server 2012R2, Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, and Windows 10.
38.95 KB 2019 10 24
  FBCA Cross-Certificate Remover 1.15 User Guide FBCA Cross-Certificate Remover 1.15 User Guide
This guide provides usage instructions for the FBCA Cross-Certificate Remover tool.
234.46 KB 2018 11 30
  FAQ: DoD Cross-Certificate Chaining Problem FAQ: DoD Cross-Certificate Chaining Problem
This FAQ discusses the issue of DoD certificates chaining improperly via cross-certificates to the Federal Common Policy Certification Authority (CA) and other partner roots cross-certified with the DoD and provides steps to resolve the issue.
175.7 KB 2023 11 01
  Editing CRLAutoCache Source Locations Editing CRLAutoCache Source Locations
This Quick Reference Guide (QRG) describes how to edit source location and DNLookupTable URLs used by CRLAutoCache for Windows to fetch and cache CRLs.
326.54 KB 2019 08 23
  Editing Certificate Group Locations for InstallRoot via the GUI Editing Certificate Group Locations for InstallRoot via the GUI
This Quick Reference Guide (QRG) describes how to edit the default InstallRoot certificate group locations using the InstallRoot graphical user interface (GUI).
243.26 KB 2019 08 20
  DoD PKI NIPRNet Certificate Profiles - Version 3.0 DoD PKI NIPRNet Certificate Profiles - Version 3.0
This document defines NIPRNet profiles for DoD Public Key Infrastructure (PKI) Certificates and Certificate Revocation Lists (CRLs).
615.67 KB 2023 10 25
  DoD CIO Memo: Curtail Issuance of Entrust Non-Person Entity, Public Key Infrastructure Certificates DoD CIO Memo: Curtail Issuance of Entrust Non-Person Entity, Public Key Infrastructure Certificates
This DoD CIO memo, dated 29 Oct 2024, provides guidance that Entrust NPE PKI certificates issued after 11 Nov 2024 should not be used to credential DoD public websites.
259.9 KB 2024 12 03
DoD Approved External PKIs Types 5 & 6 Certificate Trust Chains (Foreign, Allied, Coalition Partner and Other PKIs) - Version 1.5 DoD Approved External PKIs Types 5 & 6 Certificate Trust Chains (Foreign, Allied, Coalition Partner and Other PKIs) - Version 1.5
28.58 KB 2024 12 09
DoD Approved External PKIs Types 3 & 4 Certificate Trust Chains (Non Federal Issuers) - Version 1.18 DoD Approved External PKIs Types 3 & 4 Certificate Trust Chains (Non Federal Issuers) - Version 1.18
76.84 KB 2024 12 09
DoD Approved External PKIs Types 1 & 2 Certificate Trust Chains (Federal Agencies) - Version 1.13 DoD Approved External PKIs Types 1 & 2 Certificate Trust Chains (Federal Agencies) - Version 1.13
81.35 KB 2024 12 09
  DoD Approved External PKIs Master Document - Version 11.2 DoD Approved External PKIs Master Document - Version 11.2
This document provides Certification Authority (CA) certificate trust chain and assurance level information for all Department of Defense (DoD) approved Public Key Infrastructures (PKIs).
1.1 MB 2024 12 09
  DoD Approved External PKI Certificate Trust Chains - Version 11.2 DoD Approved External PKI Certificate Trust Chains - Version 11.2
This zip file contains certificate trust chains for DoD Approved External PKIs.
245.25 KB 2024 12 09
DoD Approved External OCSP URLs - Version 1.19 DoD Approved External OCSP URLs - Version 1.19
3.46 KB 2024 12 09
DoD Approved External CRL Distribution Points (CRLDPs) - Version 1.21 DoD Approved External CRL Distribution Points (CRLDPs) - Version 1.21
7.14 KB 2024 12 09
DoD Approved Assurance Levels from External Partner PKIs - Version 1.17 DoD Approved Assurance Levels from External Partner PKIs - Version 1.17
12.35 KB 2024 12 09
  DoD and ECA CRL Distribution Points (CRLDPs) DoD and ECA CRL Distribution Points (CRLDPs)
This file provides a listing of all DoD and ECA CRLDPs. CRLDPs are represented by HTTP URLs that are asserted in the CRL Distribution Points certificate extension. CRLDPs are one of the mechanisms used by DoD relying party applications to validate certificates.
3.7 KB 2024 06 18
Admins Topics

Type