See the Using Commercial PKI Certificates FAQ for information on using commercial PKI certificates for public-facing DoD servers.

PKI interoperability is an essential component of secure information sharing between DoD and its partners within the federal government and industry. DoD Instruction 8520.02 provides details on the processes to become a DoD approved PKI. DoD Instruction 8520.03 defines sensitivity levels and credential strengths that must be used to authenticate for access to resources at each sensitivity level. These DoD requirements align with larger federal government initiatives around the implementation and use of federated credentials, including M-04-04, HSPD-12, and FIPS-201. The latest PKI Interoperability Diagram that follows illustrates how DoD interacts with approved external PKIs through the Federal Bridge. For an overview of the Federal PKI and Federal Bridge and to learn more about the usage of External PKIs within the DoD, please read our Working with External PKIs slick sheet.

At the bottom of the page, there is a table that lists all DoD approved external PKIs. By selecting each External PKI you can find additional information including certificate trust chains, acceptable certificate assurance levels, and other useful information.

Documents (Title / Size / Updated)

X.509 Certificate Policy for the U.S. Federal PKI Common Policy Framework (updated 2019-02-21)
  This Certificate Policy (CP) defines ten certificate policies for use by the Federal Bridge Certification Authority (FBCA) to facilitate interoperability between the FBCA and other Entity PKI domains. The FBCA enables interoperability among Entity PKI domains in a peer-to-peer fashion. The FBCA issues certificates only to those CAs designated by the Entity operating that PKI (called Principal CAs). The DoD Interoperability Root Certificate Authority (IRCA) is one such Principal CA.

X.509 Certificate Policy for the Federal Bridge Certification Authority (FBCA) (updated 2019-02-21)
  This Certificate Policy (CP) defines ten certificate policies for use by the Federal Bridge Certification Authority (FBCA) to facilitate interoperability between the FBCA and other Entity PKI domains. The FBCA enables interoperability among Entity PKI domains in a peer-to-peer fashion. The FBCA issues certificates only to those CAs designated by the Entity operating that PKI (called Principal CAs). The DoD Interoperability Root Certificate Authority (IRCA) is one such Principal CA.

Working with External PKIs - Version 5.5 (375.7 KB; updated 2018-11-30)
  This slick sheet provides an overview of the Federal PKI/Federal Bridge and discusses the usage of External PKIs within the DoD.

Using Commercial PKI Certificates (136.58 KB; updated 2019-02-26)

Update to DoD CIO Memo on Commercial Public Key Infrastructure Certificates on Public-Facing DoD Websites (352.03 KB; updated 2019-02-26)
  This memorandum, dated October 4, 2018, updates and replaces DoD CIO Memorandum "Commercial Public Key Infrastructure Certificates on Public-Facing DoD Websites" dated January 5, 2018. It provides guidance on the use of commercial TLS and code signing PKI certificates on public-facing DoD websites and services.

Trust Anchor Constraints Tool (TACT): 1.2.6 User Guide (2.26 MB; updated 2018-11-30)
  This guide provides usage instructions for TACT.

Trust Anchor Constraints Tool (TACT): 1.2.6 Installation Instructions (784.07 KB; updated 2018-11-30)
  This guide provides installation instructions for TACT.

The DoD PKI External Interoperability Landscape - Version 5.5 (747.58 KB; updated 2018-11-30)
  This diagram provides an overview of the Federal PKI Interoperability Landscape and illustrates the cross certificate trust relationships between DoD PKI and External PKIs.

Raytheon PKI Technical Information (updated 2019-03-13)

PKI Interoperability Test Tool (PITT): 2.0.6 User Guide (1.88 MB; updated 2018-11-30)
  This guide provides usage instructions for PITT.

ORC ECA Support (updated 2019-03-01)
OMB Memorandum 11-11, Continued Implementation of HSPD-12 (updated 2019-02-21)
  OMB M-11-11 requires that all federal agencies continue implementing the requirements outlined in Homeland Security Presidential Directive (HSPD) 12 to enable agency-wide use of the Personal Identity Verification (PIV) card. This includes enabling agency IT systems, applications, and facilities to be capable of using the PIV card as the mechanism for granting user access.

OMB Memorandum 04-04, E-Authentication Guidance for Federal Agencies (updated 2019-02-21)
  OMB M-04-04 requires agencies to review new and existing electronic transactions to ensure that authentication processes provide the appropriate level of assurance. It establishes and describes four levels of identity assurance for electronic transactions requiring authentication.

NIST SP 800-78-4, Cryptographic Algorithms and Key Sizes for PIV (updated 2019-02-21)
  NIST SP 800-78-4 specifies the cryptographic algorithms and key sizes for PIV systems and is a companion document to FIPS 201.

NIST SP 800-63-3 (updated 2019-02-24)

IdenTrust ECA Support (updated 2019-03-01)

HSPD-12, Policy for a Common Identification Standard for Federal Employees and Contractors (updated 2019-02-21)
  HSPD-12 is a presidential directive requiring all Federal Executive Departments and Agencies to implement a government-wide standard for secure and reliable forms of identification for employees and contractors, for access to Federal facilities and information systems.

FIPS PUB 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors (updated 2019-02-21)
  FIPS PUB 201-1 specifies Personal Identity Verification (PIV) requirements for Federal employees and contractors. This standard specifies a PIV system within which a common identity credential can be created and later used to verify a claimed identity.
Editing CRLAutoCache Source Locations (326.54 KB; updated 2019-08-20)
  This Quick Reference Guide (QRG) describes how to edit source location and DNLookupTable URLs used by CRLAutoCache for Windows to fetch and cache CRLs.

Editing CRLAutoCache Source Locations (326.54 KB; updated 2019-08-23)
  This Quick Reference Guide (QRG) describes how to edit source location and DNLookupTable URLs used by CRLAutoCache for Windows to fetch and cache CRLs.

DoD PKE Tool Configuration File URLs Crosswalk (16.84 KB; updated 2019-08-20)
  This spreadsheet lists the former IASE and corresponding current GDS locations for configuration files utilized by the DoD PKE InstallRoot and CRLAutoCache tools.

DoD Memorandum - Department of Defense Requirements for Accepting Non-Federally Issued Identity Credentials (2.41 MB; updated 2018-11-30)
  This DoD Memorandum provides Federal Government guidance on acceptance and use of Non-Federal Issuer (NFI) identity credentials and specific DoD policies and practices for accepting credentials for logical access to DoD applications and websites.

DoD Memorandum - Department of Defense Acceptance and Use of Personal Identity Verification-Interoperable (PIV-I) Credentials (654.83 KB; updated 2018-11-30)
  This DoD Memorandum permits acceptance of PIV-I credentials for authentication and access when DoD relying parties, installation commanders, and facility coordinators determine that granting access is appropriate and the appropriate vetting requirements are met.

DoD Instruction 8520.03, Identity Authentication for Information Systems (updated 2019-02-21)
  DoDI 8520.03 is a new instruction that requires that all authentications of users be conducted with an appropriate credential that is approved for use by a DoD authority and has been verified as active (not revoked) and not expired by the credential issuing authority. It defines four levels of data sensitivity granularity for sensitive but unclassified information, and three levels of data sensitivity granularity for Secret or Confidential information. It then provides specific requirements for authentication credentials based on these levels of sensitivity. Policy related to authentication requirements was previously found in DoDI 8520.2, which has been obsoleted by DoDI 8520.02.

DoD Instruction 8520.02, Public Key Infrastructure (PKI) and Public Key (PK) Enabling (updated 2019-02-21)
  DoDI 8520.02 is a re-release of DoDI 8520.2 that establishes the availability of the Coalition PKI for Combatant Commands (COCOMS), refers to the SIPRNET PKI that will be transitioned to operate under Committee for National Security Systems (CNSS) authority, provides specific guidance on issuance of alternate logon tokens (ALTs) to Flag-level officers or Senior Executives, and incorporates the DoD CIO "Approval of External PKIs" memorandum (circa July 2008) into the instruction. It also contains two other major changes. The first is that all policy related to authentication requirements has been moved to DoDI 8520.03. The second major change impacts pursuing waivers to DoDI 8520.02. Previously, Component CIOs had the authority to approve waivers to the instruction
DoD Approved External PKIs Master Document - Version 7.3 (1.39 MB; updated 2019-10-17)
  This document contains certificate trust chain and assurance level information for all DoD Approved External PKIs. Version 7.3 adds a rekeyed Treasury PKI root and new NASA issuance chain and removes several expired CAs. Cumulative updates since version 6.5 include new infrastructure for DoT under Symantec SSP PKI, a rekeyed HHS issuing CA under Entrust SSP, a new SHA-256 issuance chain for Boeing PKI, a rekeyed Entrust NFI issuance chain, and a new VA issuing CA under Verizon Business SSP. – August 27, 2019

DoD Approved External PKIs Category 2 Certificate Trust Chains (Non Federal Issuers) - Version 1.9 (75.59 KB; updated 2019-10-17)
  This zip file contains certificate trust chains for DoD Approved External Category 2 PKIs (Non Federal Issuers).

DoD Approved External PKIs Category 1 Certificate Trust Chains (Federal Agencies) - Version 1.7 (68.93 KB; updated 2019-10-17)
  This zip file contains certificate trust chains for DoD Approved External Category 1 PKIs (Federal Agencies).

DoD Approved External PKI Certificate Trust Chains - Version 7.3 (246.63 KB; updated 2019-10-17)
  This zip file contains certificate trust chains for DoD Approved External PKIs. Version 7.3 adds a rekeyed Treasury PKI root and new NASA issuance chain and removes several expired CAs. Cumulative updates since version 6.5 include new infrastructure for DoT under Symantec SSP PKI, a rekeyed HHS issuing CA under Entrust SSP, a new SHA-256 issuance chain for Boeing PKI, a rekeyed Entrust NFI issuance chain, and a new VA issuing CA under Verizon Business SSP. – August 27, 2019

DoD Approved External OCSP URLs (2.1 KB; updated 2019-10-17)
  This file provides a listing of all Online Certificate Status Protocol (OCSP) URLs from DoD approved partner PKI OCSP responders. OCSP responders are represented by HTTP URLs that are asserted in the Authority Information Access certificate extension. OCSP validation is one of the mechanisms used by DoD relying party applications to validate certificates.

DoD Approved External CRL Distribution Points (CRLDPs) (5.42 KB; updated 2019-10-17)
  This file provides a listing of CRLDPs from DoD approved partner PKIs. CRLDPs are represented by HTTP URLs that are asserted in the CRL Distribution Points certificate extension. CRLDPs are one of the mechanisms used by DoD relying party applications to validate certificates.

DoD Approved Assurance Levels from External Partner PKIs (11.75 KB; updated 2019-10-17)
  This file provides a listing of all DoD approved assurance levels from approved partner PKIs. Assurance levels are represented by Certificate Policy Object Identifiers (OIDs) which are asserted in the Certificate Policies X.509 certificate extension. DoD relying party applications can only accept certificates with OIDs that map to FBCA medium hardware assurance level or higher (includes PIV and PIV-I OIDs).

DoD and ECA CRL Distribution Points (CRLDPs) (3.03 KB; updated 2019-06-27)
  This file provides a listing of all DoD and ECA CRLDPs. CRLDPs are represented by HTTP URLs that are asserted in the CRL Distribution Points certificate extension. CRLDPs are one of the mechanisms used by DoD relying party applications to validate certificates.

Department of Defense External Interoperability Plan - Version 1.0 (1.94 MB; updated 2018-11-30)
  The DoD Public Key Infrastructure (PKI) External Interoperability Plan (EIP) outlines the steps to be accomplished in order for External PKIs to be designated as approved for use with DoD relying parties.
Interoperability Topics

In addition to the DoD PKI, the PKIs listed below are approved for use within DoD at the Federal PKI medium hardware assurance level or higher. Some of the partners listed in this section maintain their own PKI, referred to as “Legacy PKIs” within the Federal Government, and many obtain their PKI certificates through Federal Shared Service Providers (SSPs) or other commercial Non-Federal Issuers (NFIs). The DoD External Certification Authority (ECA) program was the first DoD approved external PKI and is also included.

The DoD External Interoperability Plan (EIP) defines three categories of PKIs:

  1. Category I: U.S. Federal agency PKIs
  2. Category II: Non-Federal Agency PKIs cross certified with the Federal Bridge Certification Authority (FBCA) or PKIs from other PKI Bridges that are cross certified with the FBCA
  3. Category III: Foreign, Allied, or Coalition Partner PKIs or other PKIs

DoD-Approved External PKIs

Rows indented under a PKI are the individual agencies or organizations served by that PKI; their assurance level and test dates are listed where the page gives them.

Type | PKI / Name | Highest Assurance Level | Date Tested | Date Retested
---- | ---------- | ----------------------- | ----------- | -------------
DoD Sponsored | DoD External Certification Authority (ECA) Program | PIV-I | N/A |
Category I | Entrust SSP PKI | PIV | Feb 2010 | Jan 2016
 | Agencies include, but are not limited to: | | |
 |   Department of Energy | | |
 |   Department of Justice | | |
 |   National Institute of Standards and Technology | | |
 |   Health and Human Services | PIV | Oct 2013 |
Category I | ORC SSP PKI | PIV | Dec 2008 | Jul 2014
 | Agencies include, but are not limited to: | | |
 |   Environmental Protection Agency | PIV | Dec 2008 |
Category I | Department of State PKI | PIV | Sep 2008 | Nov 2018
Category I | Symantec SSP PKI (formerly VeriSign SSP PKI) | PIV | Nov 2008 |
 | Agencies include, but are not limited to: | | |
 |   Department of Transportation/Federal Aviation Administration | PIV | | Dec 2018
Category I | U.S. Treasury SSP PKI | PIV | Sep 2008 |
 | Agencies include: | | |
 |   Department of Homeland Security | PIV | Mar 2009 |
 |   Fiscal Services | PIV | Mar 2009 |
 |   National Aeronautics and Space Administration | PIV | Mar 2009 | Jun 2019
 |   Social Security Administration | PIV | Jan 2009 |
 |   U.S. Treasury Department-OCIO | PIV | Sep 2008 |
 |   Department of Veteran Affairs | PIV | Pending |
Category I | Verizon Business SSP PKI | PIV | Oct 2009 |
 | Agencies include: | | |
 |   Department of Veteran Affairs | PIV | | Apr 2019
 |   Executive Office of the President | PIV | Oct 2009 |
Category II | Boeing PKI | Medium Hardware | May 2012 | Jul 2019
Category II | Carillon Federal Services PKI | PIV-I | Dec 2015 | Oct 2016
Category II | Entrust Managed Services NFI PKI | PIV-I | Oct 2011 | Apr 2019
Category II | Exostar LLC PKI | Medium Hardware | Sep 2009 | Apr 2014
Category II | IdenTrust NFI PKI | PIV-I | Mar 2016 |
Category II | Lockheed Martin PKI | Medium Hardware | Mar 2009 | Aug 2017
Category II | Netherlands Ministry of Defence PKI | Medium Hardware | Sep 2012 |
Category II | Northrop Grumman PKI | PIV-I | Nov 2008 | Jan 2015
Category II | ORC NFI PKI | PIV-I | Mar 2012 | May 2016
Category II | Raytheon PKI | Medium Hardware | Mar 2009 | Aug 2015
Category II | Symantec NFI PKI (formerly VeriSign NFI PKI) | PIV-I | Apr 2011 |
 | Organizations include: | | |
 |   CSRA (Formerly Computer Sciences Corporation) | Medium Hardware | Jan 2013 | Jul 2016
 |   Eid Passport | PIV-I | Feb 2013 | Aug 2014
 |   SureID | PIV-I | Mar 2017 |
 |   US Senate | PIV-I | Sep 2018 |
Category II | Verizon Business NFI PKI | PIV-I | Jul 2011 |
Category III | Australian Defence Organisation (ADO) PKI | Medium Hardware | Jun 2013 | Jan 2018