The DoD sponsored External Certification Authority (ECA) program was established to support the issuance of DoD-approved certificates to industry partners and other external entities. Prior to the 2008 DoD CIO memorandum “Approval of External Public Key Infrastructures” the ECA PKI was the only means for DoD partners to interoperate with DoD users and servers. The ECA program is managed by the DoD PKI PMO.

ECA certificates are included in InstallRoot and the PKCS#7 Certificate Bundle for ECA PKI. The Global Directory Service (GDS) hosts ECA information including CA certificates, cross-certificate content, and Certificate Revocation Lists (CRLs). The DoD Robust Certificate Validation Service (RCVS) also provides Online Certificate Status Protocol (OCSP) responses for ECA CA certificates, while individual ECA vendors provide OCSP responses for ECA end entity certificates. More information can be found on the ECA homepage.

Note: Possession of a valid ECA PKI certificate, as demonstrated by successful PKI authentication, provides assured identification of the user. A separate authorization decision verifying that the identified user should have access to the requested content should be made before providing access to DoD information systems.

IdenTrust ECA

Current Certification Authorities (CAs) DetailsSee Section 3.2.1 of DoD Approved External PKIs Master Document
Current CA CertificatesSee _ECA folder in DoD Approved External PKI Certificate Trust Chains zip
Approved Certificate Assurance Levels*See Section 5.2 of DoD Approved External PKIs Master Document
Certificate Revocation List (CRL) Distribution Points**See ECA PKI section of DoD and ECA CRL Distribution Points
Online Certificate Status Protocol (OCSP) Responder URL(s)**See the DoD ECA Program section of DoD Approved External OCSP URLs

WidePoint (formerly ORC) ECA

Current Certification Authorities (CAs) DetailsSee Section 3.2.1 of DoD Approved External PKIs Master Document
Current CA CertificatesSee _ECA folder in DoD Approved External PKI Certificate Trust Chains zip
Approved Certificate Assurance Levels*See Section 5.2 of DoD Approved External PKIs Master Document
Certificate Revocation List (CRL) Distribution Points**See ECA PKI section of DoD and ECA CRL Distribution Points
Online Certificate Status Protocol (OCSP) Responder URL(s)**See the DoD ECA Program section of DoD Approved External OCSP URLs

*As represented by OIDs listed in the Certificate Policies extension of the partner certificate; a certificate must assert at least one approved assurance level to be acceptable for use.

**Note:  These lists are developed and maintained by DoD PKE based on CRLDP and AIA OCSP values asserted in sample certificates provided to DoD by the partner PKI for testing; they are provided for ease of reference and may not be exhaustive in all cases.  Any CRL URL asserted in a CRLDP extension or OCSP URL asserted in an AIA extension of an approved certificate is approved for use by DoD relying parties.

  Title Size Updated
  DoD Approved Assurance Levels from External Partner PKIs - Version 1.15 DoD Approved Assurance Levels from External Partner PKIs - Version 1.15
This file provides a listing of all DoD approved assurance levels from approved partner PKIs. Assurance levels are represented by Certificate Policy Object Identifiers (OIDs) which are asserted in the Certificate Policies x509 certificate extension. DoD relying party applications can only accept certificates with OIDs that map to FBCA medium hardware assurance level or higher (includes PIV and PIV-I OIDs).
12.1 KB 2023 04 19
  DoD Approved External CRL Distribution Points (CRLDPs) - Version 1.16 DoD Approved External CRL Distribution Points (CRLDPs) - Version 1.16
This file provides a listing of CRLDPs from DoD approved partner PKIs. CRLDPs are represented by HTTP URLs that are asserted in the CRL Distribution Points certificate extension. CRLDPs are one of the mechanisms used by DoD relying party applications to validate certificates.
5.96 KB 2023 04 19
  DoD Approved External OCSP URLs - Version 1.15 DoD Approved External OCSP URLs - Version 1.15
This file provides a listing of all On-line Certificate Status Protocol (OCSP) URLs from DoD approved partner PKI OCSP responders. OCSP responders are represented by HTTP URLs that are asserted in the Authority Information Access certificate extension. OCSP validation is one of the mechanisms used by DoD relying party applications to validate certificates.
3.14 KB 2023 04 19
  DoD Approved External PKI Certificate Trust Chains - Version 10.0 DoD Approved External PKI Certificate Trust Chains - Version 10.0
This zip file contains certificate trust chains for DoD Approved External PKIs.
217.71 KB 2023 04 19
  DoD Approved External PKIs Master Document - Version 10.0 DoD Approved External PKIs Master Document - Version 10.0
This document provides Certification Authority (CA) certificate trust chain and assurance level information for all Department of Defense (DoD) approved Public Key Infrastructures (PKIs).
1.18 MB 2023 04 19