OBTAINING JITC ISSUED TEST CERTIFICATES

 






If your organization is interested in obtaining test certificates, please read the information below and then contact the JITC PKI Team.


NOTE: The DoD PKI compliant certificate materials provided by the JITC PKI enclave are intended only for application testing, development, training, experimentation, and other related NON-PRODUCTION purposes. These materials are neither intended nor authorized for live use in applications and systems that presently or will imminently operate in a production/operational capacity serving a "real-world" mission for the general DoD public community.


DoD groups that require a large number of certificates should appoint and use their own Local Registration Authority (LRA) or Registration Authority (RA). This allows the production of certificates at the discretion of your designated LRA/RA.



If this is your first certificate request, please e-mail the JITC PKI/PKE Test Officer for authorization.



User certificates are generated by LRAs. Our lab can act as an LRA for modest DoD requests if a test LRA is not available for your organization. In the case of commercial non-DoD vendors, JITC will always act as the LRA. The test LRA will instruct you on downloading the certificate once the request has been processed.

At a minimum, the following information will be required to obtain test certificates:
USER CERTIFICATES

Step 1 - Gather the following information for each user you wish to register:
(NOTE - Numbers and most symbols are not allowed in the naming fields, with the exception of the e-mail address.)
  • Last Name
  • First Name
  • Middle Initial or Name (optional)
  • Generation [Jr., Sr., II, III, etc] (optional)
  • E-mail address
  • Organization (military/government or contractor)
  • City
  • State
  • Country
The user information should be fictitious. You can also elect to use one of the naming fields to include the name of the project for which the user certificates are to be used, or perhaps the name of your organization. Such a convention would really only need to be exercised for organizational purposes.

Step 2 - Provide the fictitious user information to the JITC PKI Team. The user test certificates will be generated and you will receive the instructions for retrieving them.




E-mail certificates are generated by any user with a valid user identity test certificate. An e-mail certificate pair consists of an identification certificate and an encipherment certificate. To generate e-mail certificates, open the following URL with Firefox 3.0+:

https://email-ca-27.c3pki.nit.disa.mil/ca/emailauth.html

Once a user certificate has been obtained, a fictitious e-mail address is needed to process the request for e-mail certificates. The only requirement is access to the user identity test certificate. Once the request has been submitted, contact the JITC Test Officer for authorization and include the certificate request numbers.



Server certificates, such as certificates for web sites, should be requested from the server they are intended for, as they are tied to the machine generating the request. You will be required to generate a certificate request on your server and upload it to the Certificate Authority. Specific instructions can be found at the appropriate link below and with your server software documentation. Once the request has been submitted, contact the JITC Test Officer for authorization and include the certificate request numbers. The JITC can act as the RA if you do not have a JITC TEST RA. The RA will provide instructions for retrieving the certificate.

The same information and authorization requirements for a user certificate are also necessary for a server certificate.



SERVER CERTIFICATES

Step 1 - Contact the JITC Test Officers.

Step 2 - Gather the information required to submit a server Certificate Signing Request (CSR): the fully qualified host name and the organization, which must be a military/government organization.

Step 3 - Open the following URL with Firefox 3.0+:

https://ca-27.c3pki.nit.disa.mil/ca/

Towards the middle of the page, select "Regular 2048-bit SSL Server Enrollment".


Step 4 - When generating a PKCS #10 formatted certificate request and its associated key pair, use the RSA key algorithm with a 2048-bit key length and the SHA1 with RSA signature algorithm if the selection is available. These are the algorithms designated for use in the DoD PKI. Server certificates issued by JITC will, in accordance with DoD PKI policy, have a distinguished name (DN) containing the following elements, in order:
  • CN=(server DNS name or IP),
  • OU=(military/government organization),
  • OU=PKI,
  • OU=DoD,
  • O=U.S. Government,
  • C=US
Step 5 - Contact the JITC Test Officers when you've submitted any server certificate requests and provide the certificate request numbers.
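
The request described in Steps 2 to 4, generated and checked from a shell before submission, as an added example that is not part of the original JITC instructions. Use of the OpenSSL command-line tool and all function names are assumptions; the host and organization values are caller-supplied placeholders. Note that openssl's -subj option takes the DN in the reverse of the order listed above.

```shell
#!/bin/sh
# Added example (not JITC tooling). Assumes the openssl CLI is installed;
# host and organization values are placeholders supplied by the caller.

# Expected subject in the order the page lists it (most specific RDN first).
expected_dn() {  # $1 = server DNS name, $2 = organization OU
    printf 'CN=%s,OU=%s,OU=PKI,OU=DoD,O=U.S. Government,C=US\n' "$1" "$2"
}

# Create a 2048-bit RSA key and a PKCS #10 request in directory $3.
# Digest defaults to sha1, as the page specifies; $4 overrides it.
make_csr() {
    host=$1; org=$2; dir=$3; digest=${4:-sha1}
    # -subj takes RDNs in encoding order (C first), the reverse of the
    # page's listing, so the DN is written back to front here.
    ( umask 077   # keep the unencrypted private key owner-readable only
      openssl req -new -newkey rsa:2048 -nodes "-$digest" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" \
        -subj "/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=$org/CN=$host" )
}

# Subject of a CSR rendered most-specific-first (RFC 2253 style).
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//'
}

# Signature algorithm recorded in the CSR, e.g. sha1WithRSAEncryption.
csr_sigalg() {
    openssl req -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Pre-submission check. Returns 1 if the self-signature does not verify,
# 2 if the key is not 2048-bit, 3 if the DN differs from the expected one.
check_csr() {  # $1 = CSR file, $2 = host, $3 = organization OU
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    openssl req -in "$1" -noout -text |
        grep -q 'Public-Key: (2048 bit)' || return 2
    [ "$(csr_subject "$1")" = "$(expected_dn "$2" "$3")" ] || return 3
}
```

A typical run is make_csr followed by check_csr on the resulting .csr file; a request whose -subj was typed in the page's CN-first order fails check_csr with status 3.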





LRA certificates must be requested from the JITC Test Officers.

LRA CERTIFICATES

Step 1 - Obtain an LRA number from your RA or the JITC PKI Lab.

Step 2 - Open https://ca-27.c3pki.nit.disa.mil/ras.html using Firefox 3.0+. It is important to use the Firefox browser, as Internet Explorer is not yet able to properly generate certificate signing requests (CSRs) compatible with DoD PKI.

Step 3 - Fill in the LRA certificate request form, entering the LRA number from Step 1 in the associated field. The middle name and suffix (e.g. Jr, Sr, II, III, etc) are optional, and the middle name may be substituted with an initial (no period) if desired.

Step 4 - Inform the JITC Test Officers of the request to expedite processing. Instructions for retrieving the certificate will be provided when the certificate is issued.






  Last Revision: 26 Jan 12
