In addition to the DoD PKI, the PKIs listed below are approved for use within DoD at the Federal PKI medium hardware assurance level or higher. Some of the PKIs listed in this section are operated by DoD partners exclusively to serve their own organizations, while others act as Federal Shared Service Providers (SSPs) or commercial Non-Federal Issuers (NFIs). The DoD External Certification Authority (ECA) program provides an alternate method for DoD partners to obtain DoD-approved PKI credentials and is also included.
The DoD External Interoperability Plan (EIP) defines three categories of PKIs:
- Category I: U.S. Federal agency PKIs – see https://playbooks.idmanagement.gov/fpki/pivcas-and-agencies/ for a listing of PKIs used by various federal agencies
- Category II: Non-Federal Agency PKIs cross certified with the Federal Bridge Certification Authority (FBCA) or PKIs from other PKI Bridges that are cross certified with the FBCA
- Category III: Foreign, Allied, or Coalition Partner PKIs or other PKIs
The DoD Approved External PKIs Master Document contains the authoritative list of approved partner PKIs, including their Certification Authorities (CAs) and assurance levels; the table below reflects that list. The DoD Approved External PKI Certificate Trust Chains zip file contains the corresponding CA certificates.
DoD-Approved External PKIs
Type/Name | PKI | Highest Assurance Level | Date Tested | Date Retested |
---|---|---|---|---|
DoD Sponsored | DoD External Certification Authority (ECA) Program | PIV-I | N/A | |
Category I | Agencies include, but are not limited to: Department of Energy Department of Justice National Institute of Standards and Technology Health and Human Services | PIV PIV | Feb 2010 Oct 2013 | Jan 2016 |
Category I | Agencies include, but are not limited to: Environmental Protection Agency | PIV PIV | Dec 2008 Dec 2008 | Jul 2014 |
Category I | Department of State PKI | PIV | Sep 2008 | May 2020 |
Category I | Agencies include, but are not limited to: Department of Transportation/Federal Aviation Administration | PIV PIV | Nov 2008 | Oct 2021 |
Category I | Agencies include: Department of Homeland Security Fiscal Services National Aeronautics and Space Administration Social Security Administration U.S. Treasury Department-OCIO Department of Veterans Affairs | PIV PIV PIV PIV PIV PIV PIV | Sep 2008 Mar 2009 Mar 2009 Mar 2009 Jan 2009 Sep 2008 Mar 2020 | Mar 2020 Jun 2019 |
Category I | Agencies include: Department of Veterans Affairs | PIV PIV | Oct 2009 | Apr 2019 |
Category II | Boeing PKI | Medium Hardware | May 2012 | Jul 2019 |
Category II | Carillon Federal Services PKI | PIV-I | Dec 2015 | Sep 2021 |
Category II | Carillon Information Security PKI | PIV-I | Sep 2021 | |
Category II | Entrust Managed Services NFI PKI | PIV-I | Oct 2011 | Apr 2019 |
Category II | Exostar LLC PKI | Medium Hardware | Sep 2009 | Mar 2021 |
Category II | IdenTrust NFI PKI | PIV-I | Mar 2016 | |
Category II | Lockheed Martin PKI | Medium Hardware | Mar 2009 | Dec 2022 |
Category II | Northrop Grumman PKI | PIV-I | Nov 2008 | Jan 2015 |
Category II | WidePoint NFI PKI (formerly ORC NFI PKI) | PIV-I | Mar 2012 | Jul 2021 |
Category II | Raytheon PKI | Medium Hardware | Mar 2009 | Mar 2021 |
Category II | Organizations include: CSRA (formerly Computer Sciences Corporation) Eid Passport SureID U.S. Senate | PIV-I Medium Hardware PIV-I PIV-I PIV-I | Apr 2011 Jan 2013 Feb 2013 Mar 2017 Sep 2018 | Jan 2022 Jul 2016 Aug 2014 Jan 2022 |
Category III | Australian Defence Organisation (ADO) PKI | Medium Hardware | Jun 2013 | Oct 2022 |
Category III | Netherlands Ministry of Defence PKI | Medium Hardware | Sep 2012 | Feb 2020 |
Interoperability Tools and Documents
This table contains DoD PKI interoperability policy, implementation guidance, and PKE tools that can help facilitate various aspects of configuring DoD systems to support DoD-approved external PKI credentials.
Title | Description | Size | Updated |
---|---|---|---|
X.509 Certificate Policy for the U.S. Federal PKI Common Policy Framework | This Certificate Policy (CP) defines policies for Certification Authorities (CAs) that issue and manage certificates under the Federal Common Policy CA on behalf of federal executive branch agencies. | — | 10 Mar 2023 |
X.509 Certificate Policy for the Federal Bridge Certification Authority (FBCA) | This CP defines the certificate policies used by the Federal Bridge Certification Authority (FBCA) to facilitate interoperability between the FBCA and other Entity PKI domains. The FBCA enables interoperability among Entity PKI domains in a peer-to-peer fashion and issues certificates only to the CAs designated by the Entity operating each PKI (called Principal CAs). The DoD Interoperability Root Certificate Authority (IRCA) is one such Principal CA. | — | 10 Mar 2023 |
Using Commercial PKI Certificates | This slick sheet addresses how and where commercial PKI certificates may be used within the DoD. | 134.79 KB | 21 Apr 2023 |
Update to DoD CIO Memo on Commercial Public Key Infrastructure Certificates on Public-Facing DoD Websites | This memorandum, signed on November 8, 2021, updates and replaces the DoD CIO memorandum "Commercial Public Key Infrastructure Certificates on Public-Facing DoD Websites" dated November 6, 2020. It provides guidance on the use of commercial TLS and code signing certificates on public-facing DoD websites and services. | 254.16 KB | 10 Mar 2023 |
United States Department of Defense External Certification Authority X.509 Certificate Policy | This CP governs the operation of the ECA PKI, consisting of the products and services that provide and manage X.509 certificates for public-key cryptography. The DoD established the External Certification Authority (ECA) program to support the issuance of DoD-approved certificates to industry partners and other external entities and organizations, giving them a mechanism to communicate securely with the DoD and authenticate to DoD information systems. | 1.04 MB | 24 Jun 2022 |
Trust Anchor Constraints Tool (TACT): 1.2.6 User Guide | Usage instructions for TACT. | 2.26 MB | 30 Nov 2018 |
Trust Anchor Constraints Tool (TACT): 1.2.6 Installation Instructions | Installation instructions for TACT. | 784.07 KB | 30 Nov 2018 |
The DoD PKI External Interoperability Landscape - Version 5.5 | Diagram giving an overview of the Federal PKI interoperability landscape and illustrating the cross-certificate trust relationships between the DoD PKI and external PKIs. | 747.58 KB | 30 Nov 2018 |
Raytheon PKI Technical Information | | — | 13 Mar 2019 |
PKI Interoperability Test Tool (PITT): 2.0.6 User Guide | Usage instructions for PITT. | 1.88 MB | 30 Nov 2018 |
ORC ECA Support | | — | 01 Mar 2019 |
OMB Memorandum 11-11, Continued Implementation of HSPD-12 | OMB M-11-11 requires all federal agencies to continue implementing the requirements of Homeland Security Presidential Directive (HSPD) 12 to enable agency-wide use of the Personal Identity Verification (PIV) card, including enabling agency IT systems, applications, and facilities to use the PIV card as the mechanism for granting user access. | — | 21 Feb 2019 |
OMB Memorandum 04-04, E-Authentication Guidance for Federal Agencies | OMB M-04-04 requires agencies to review new and existing electronic transactions to ensure that authentication processes provide the appropriate level of assurance. It establishes and describes four levels of identity assurance for electronic transactions requiring authentication. | — | 21 Feb 2019 |
NIST SP 800-78-4, Cryptographic Algorithms and Key Sizes for PIV | NIST SP 800-78-4 specifies the cryptographic algorithms and key sizes for PIV systems and is a companion document to FIPS 201. | — | 21 Feb 2019 |
NIST SP 800-63-3 | | — | 24 Feb 2019 |
IdenTrust ECA Support | | — | 01 Mar 2019 |
HSPD-12, Policy for a Common Identification Standard for Federal Employees and Contractors | HSPD-12 is a presidential directive requiring all Federal Executive departments and agencies to implement a government-wide standard for secure and reliable forms of identification for employees and contractors, for access to Federal facilities and information systems. | — | 21 Feb 2019 |
FIPS PUB 201-3, Personal Identity Verification (PIV) of Federal Employees and Contractors | FIPS PUB 201-3 specifies PIV requirements for Federal employees and contractors. The standard specifies a PIV system within which a common identity credential can be created and later used to verify a claimed identity. | — | 10 Mar 2023 |
FIPS PUB 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors | FIPS PUB 201-1 specifies PIV requirements for Federal employees and contractors. The standard specifies a PIV system within which a common identity credential can be created and later used to verify a claimed identity. | — | 21 Feb 2019 |
Editing CRLAutoCache Source Locations | This Quick Reference Guide (QRG) describes how to edit the source location and DNLookupTable URLs that CRLAutoCache for Windows uses to fetch and cache CRLs. | 326.54 KB | 23 Aug 2019 |
DoD Memorandum - Department of Defense Requirements for Accepting Non-Federally Issued Identity Credentials | This memorandum provides Federal Government guidance on the acceptance and use of Non-Federal Issuer (NFI) identity credentials and the specific DoD policies and practices for accepting such credentials for logical access to DoD applications and websites. | 2.41 MB | 30 Nov 2018 |
DoD Memorandum - Department of Defense Acceptance and Use of Personal Identity Verification-Interoperable (PIV-I) Credentials | This memorandum permits acceptance of PIV-I credentials for authentication and access when DoD relying parties, installation commanders, and facility coordinators determine that granting access is appropriate and the applicable vetting requirements are met. | 654.83 KB | 30 Nov 2018 |
DoD Instruction 8520.03, Identity Authentication for Information Systems | DoDI 8520.03 requires that every user authentication use a credential that is approved by a DoD authority and that the issuing authority has verified as active (not revoked) and not expired. It defines four levels of data sensitivity for sensitive but unclassified information and three levels for Secret or Confidential information, and then sets authentication credential requirements for each level. Policy on authentication requirements was previously found in DoDI 8520.2, which has been superseded by DoDI 8520.02. | — | 21 Feb 2019 |
DoD Instruction 8520.02, Public Key Infrastructure (PKI) and Public Key (PK) Enabling | DoDI 8520.02 is a re-release of DoDI 8520.2. It establishes the availability of the Coalition PKI for Combatant Commands (COCOMs), refers to the SIPRNET PKI that will be transitioned to operate under Committee on National Security Systems (CNSS) authority, provides specific guidance on issuing alternate logon tokens (ALTs) to flag-level officers and Senior Executives, and incorporates the DoD CIO "Approval of External PKIs" memorandum (circa July 2008). It also contains two other major changes. The first is that all policy related to authentication requirements has moved to DoDI 8520.03. The second affects how waivers to DoDI 8520.02 are pursued. Previously, Component CIOs had the authority to approve waivers to the instruction | — | 21 Feb 2019 |
DoD Approved External PKIs Master Document - Version 10.0 | Provides CA certificate trust chain and assurance level information for all DoD-approved external PKIs. | 1.18 MB | 19 Apr 2023 |
DoD Approved External PKIs Category 3 Certificate Trust Chains (Foreign, Allied, Coalition Partner and Other PKIs) - Version 1.3 | Zip file containing the certificate trust chains for DoD-approved external Category 3 PKIs (Foreign, Allied, Coalition Partner and Other PKIs). | — | 07 Nov 2022 |
DoD Approved External PKIs Category 2 Certificate Trust Chains (Non Federal Issuers) - Version 1.14 | Zip file containing the certificate trust chains for DoD-approved external Category 2 PKIs (Non-Federal Issuers). | 81.56 KB | 19 Apr 2023 |
DoD Approved External PKIs Category 1 Certificate Trust Chains (Federal Agencies) - Version 1.10 | Zip file containing the certificate trust chains for DoD-approved external Category 1 PKIs (Federal Agencies). | 62.79 KB | 01 Aug 2022 |
DoD Approved External PKI Certificate Trust Chains - Version 10.0 | Zip file containing the certificate trust chains for all DoD-approved external PKIs. | 217.71 KB | 19 Apr 2023 |
DoD Approved External OCSP URLs - Version 1.15 | Lists the Online Certificate Status Protocol (OCSP) responder URLs of all DoD-approved partner PKIs. OCSP responders are identified by HTTP URLs asserted in the Authority Information Access (AIA) certificate extension; OCSP is one of the mechanisms DoD relying-party applications use to check certificate status. | 3.14 KB | 19 Apr 2023 |
DoD Approved External CRL Distribution Points (CRLDPs) - Version 1.16 | Lists the CRLDPs of DoD-approved partner PKIs. CRLDPs are HTTP URLs asserted in the CRL Distribution Points certificate extension; CRL retrieval is one of the mechanisms DoD relying-party applications use to check certificate status. | 5.96 KB | 19 Apr 2023 |
DoD Approved Assurance Levels from External Partner PKIs - Version 1.15 | Lists all DoD-approved assurance levels of the approved partner PKIs. Assurance levels are represented by Certificate Policy Object Identifiers (OIDs) asserted in the Certificate Policies X.509 extension. DoD relying-party applications may accept only certificates whose policy OIDs map to the FBCA Medium Hardware assurance level or higher (which includes the PIV and PIV-I OIDs). | 12.1 KB | 19 Apr 2023 |
DoD and ECA CRL Distribution Points (CRLDPs) | Lists all DoD and ECA CRLDPs. CRLDPs are HTTP URLs asserted in the CRL Distribution Points certificate extension; CRL retrieval is one of the mechanisms DoD relying-party applications use to check certificate status. | 4.47 KB | 20 Jan 2023 |
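The last three published files (approved OCSP URLs, approved CRLDPs, and approved assurance-level OIDs) are consumed by relying-party applications as allowlists. The Go program below is an added illustration, not DoD PKE code, of the per-certificate checks those lists drive: it decodes the policy OIDs from the Certificate Policies extension, takes the OCSP and CRLDP URLs that the parser recovers from the AIA and CRL Distribution Points extensions, and compares all three against approved sets. The approved sets are constructed stand-ins (the two OIDs are the Federal PKI mediumHardware and PIV-I hardware identifiers and should be confirmed against the current Assurance Levels file; the URLs are invented), and the program builds its own self-signed test certificate so that it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32} // id-ce-certificatePolicies (RFC 5280 4.2.1.4)

// policyInformation is one element of the SEQUENCE OF inside certificatePolicies.
type policyInformation struct {
	PolicyIdentifier asn1.ObjectIdentifier
	Qualifiers       asn1.RawValue `asn1:"optional"` // CPS URI / user notice, ignored here
}

// Assumed lists, constructed as stand-ins for the published DoD files: the OIDs are the
// Federal PKI mediumHardware and PIV-I hardware policies, the URLs are invented.
var OIDMediumHardware = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 2, 1, 3, 12}
var OIDPIVIHardware = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 2, 1, 3, 18}
var approvedPolicies = map[string]string{
	OIDMediumHardware.String(): "FBCA Medium Hardware",
	OIDPIVIHardware.String():   "FBCA PIV-I Hardware",
}
var approvedRevocationURLs = map[string]bool{ // OCSP responders and CRLDPs
	"http://ocsp.partner.example":       true,
	"http://crl.partner.example/ca.crl": true,
}

// CheckExternalCert returns the approved assurance level the certificate asserts
// ("" if none) and every reason a DoD relying party should reject it.
func CheckExternalCert(cert *x509.Certificate) (assurance string, problems []string) {
	// Assurance level: policy OIDs in the Certificate Policies extension. An absent
	// extension means no level is asserted; a malformed one is rejected outright.
	var oids []string
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidCertificatePolicies) {
			continue
		}
		var infos []policyInformation
		if rest, err := asn1.Unmarshal(ext.Value, &infos); err != nil || len(rest) != 0 {
			return "", []string{"malformed certificatePolicies extension"}
		}
		for _, pi := range infos {
			oids = append(oids, pi.PolicyIdentifier.String())
		}
	}
	for _, oid := range oids {
		if name, ok := approvedPolicies[oid]; ok && assurance == "" {
			assurance = name
		}
	}
	if assurance == "" {
		problems = append(problems, fmt.Sprintf("no approved policy OID among %v", oids))
	}
	// Revocation sources: OCSP URLs come from the AIA extension, CRLDPs from the CRL
	// Distribution Points extension. Only URLs on the published lists may be contacted.
	if len(cert.OCSPServer) == 0 && len(cert.CRLDistributionPoints) == 0 {
		problems = append(problems, "no OCSP responder or CRLDP: status cannot be checked")
	}
	for _, urls := range [][]string{cert.OCSPServer, cert.CRLDistributionPoints} {
		for _, u := range urls {
			if !approvedRevocationURLs[u] {
				problems = append(problems, "revocation URL not on approved list: "+u)
			}
		}
	}
	return assurance, problems
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// MakeTestCert builds a self-signed certificate carrying the given OCSP URLs, CRLDPs and
// policy OIDs, then re-parses it from DER so the checks run against real encodings.
func MakeTestCert(ocsp, crldp []string, policies ...asn1.ObjectIdentifier) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		OCSPServer:            ocsp,
		CRLDistributionPoints: crldp,
	}
	if len(policies) > 0 { // hand-encode the extension so the test is independent of Go's Policies/PolicyIdentifiers handling
		infos := make([]policyInformation, len(policies))
		for i, p := range policies {
			infos[i].PolicyIdentifier = p
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: must(asn1.Marshal(infos))}}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}
```

This covers only the end-entity extensions that the three files describe. Building the path to an approved CA from the trust chain zip, applying policy mappings and constraints through the bridge cross-certificates (the job TACT and PITT assist with), and actually fetching the OCSP response or CRL are separate steps that a relying party still has to perform.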