A relying party as an entity who, by using another’s certificate to verify the integrity of a digitally signed message, to identify the creator of a message, or to establish confidential communications with the holder of the certificate, relies on the validity of the binding the Subscriber’s name to a public key.
DoD Instruction 8520.2, “Public Key Infrastructure (PKI) and Public Key (PK)-Enabling” requires DoD Information Systems who have users who are not eligible to receive certificates from the DoD PKI accept certificates issued by DoD-approved external PKIs, including ECA certificates.
The ECA PKI is a hierarchical PKI with 2048 bit Root CA trust anchors and a single layer of Subordinate CAs. The Root CAs are hosted by the National Security Agency (NSA) and the Subordinate CAs are owned and operated by commercial vendors who have been approved by the DoD as meeting all ECA technical, policy, and security requirements.
Allowing ECA certificates to be used for client-authentication to a web server requires installing the ECA Root CA2 and ECA Root CA 4 certificates into the web server’s local trust list and downloading the ECA Root CA and ECA Root CA 2 CRLs and all Subordinate CA CRLs. Some web servers may also require installing Subordinate CA certificates into the local trust list.
ECA Root CA Certificate
- Global Directory Service (GDS)
* Download and Installation instructions - PKE (DoD PKI CAC Certificate is required to access)
* Download and install the “Install Root” executable
ECA Subordinate CA Certificate
CRLs
In order to obtain ECA CRLs using direct LDAP, visit the following sites:
For ECA Root CAs use GDS:
- Host:Port- crl.disa.mil:389
- Base DN- ou=ECA, O=U.S. Government, C=US
- Attribute- certificaterevocationlist;binary
- Common Names “ECA ROOT CA 2”
For Vendor Subordinate CAs:
- Host:Port- crl.disa.mil:389
- Base DN- ou=Certification Authorities, ou=ECA, O=U.S. Government, C=US
- Attribute- certificaterevocationlist;binary
- Common Names Below:
- “ORC ECA SW 3” “ORC ECA HW 3” “ORC ECA SW 4” “ORC ECA HW 4” “VeriSign External Client Certification Authority G2” “VeriSign External Client Certification Authority G3” “IdenTrust ECA 2” “IdenTrust ECA 3”
In order to obtain ECA Revocation Status using OCSP, visit the following sites:
For Vendor Subordinate CAs:
IdenTrust
- OCSP Service
- Model of Operation – Delegated Trust
- Supported CAs – Identrust ECA 2, IdenTrust ECA 3
ORC
- OCSP Service
- Port for OCSP Service – 80
- Model of Operation – Direct Trust (VA certificate issued from ECA hierarchy)
- Supported CAs – ORC ECA SW 3, ORC ECA HW 3, ORC ECA SW 4, ORC ECA HW 4
Symantec, Inc.
- OCSP Service
- Port for OCSP Service – 80
- Model of Operation – Delegated Trust
- Supported CAs – Verisign Client External Certification Authority G2, VeriSign External Client Certification
- Authority – G3