JITC PUBLIC KEY INFRASTRUCTURE (PKI)
OBTAINING JITC ISSUED TEST CERTIFICATES
Updated: 7/14/2016 3:16:11 PM

If your organization is interested in obtaining test certificates, please read the information below and then contact the JITC PKI Team.

NOTE: The DoD PKI compliant certificate materials provided by the JITC PKI enclave are intended only for application testing, development, training, experimentation, and other related NON-PRODUCTION purposes. These materials are not intended nor authorized for live use in applications and systems that presently or will imminently operate in a production/operational capacity serving a "real-world" mission for the general DoD public community.

DoD groups that require a large number of certificates should appoint and use their own Local Registration Authority (LRA) or Registration Authority (RA). This allows the production of certificates at the discretion of your designated LRA/RA.

If this is your first certificate request, please e-mail the JITC PKI/PKE Test Officer for authorization and attach the customer form for new customers, which can be found HERE. Please spell out all acronyms, and use Microsoft Word to fill out the form and save all changes. Other applications will not save Microsoft Word data fields!

User certificates are generated by LRAs. Our lab can act as an LRA for modest DoD requests if a test LRA is not available for your organization. In the case of commercial non-DoD vendors, JITC will always act as the LRA. The test LRA will instruct you on downloading the certificate once the request has been processed.

At a minimum, the following information will be required to obtain test certificates:

USER CERTIFICATES

Step 1 - Gather the following information for each user you wish to register:

(NOTE - Numbers and most symbols are not allowed in the naming fields, with the exception of the e-mail address.)

The user information should be fictitious. You can also elect to use one of the naming fields to include the name of the project for which the user certificates are to be used, or perhaps the name of your organization. Such a convention would really only need to be exercised for organizational purposes.

Step 2 - Provide the fictitious user information to the JITC PKI Team. The user test certificates will be generated and you will receive the instructions for retrieving them.

E-mail certificates can be generated by any user with a valid user identity test certificate. An e-mail certificate pair consists of an identification certificate and an encipherment certificate. To generate e-mail certificates, open the following URL with Firefox 3.0+: https://email-ca-27.c3pki.nit.disa.mil/ca/emailauth.html

Server certificates, such as certificates for web sites, should be requested from the server they are intended for, as they are tied to the machine generating the request. You will be required to generate a certificate request on your server and upload it to the Certificate Authority. Specific instructions can be found at the appropriate link below and with your server software documentation. Once the request has been submitted, contact the JITC Test Officer for authorization and include the certificate request numbers. The JITC can act as the RA if you do not have a JITC TEST RA. The RA will provide instructions for retrieving the certificate.

The same information and authorization requirements for a user certificate are also necessary for a server certificate.

SERVER CERTIFICATES

Step 1 - Contact the JITC Test Officers.

Step 2 - Gather the information required to submit a server Certificate Signing Request (CSR): the fully qualified host name and the organization, which must be a military/government organization.

NOTE: The following URL in Step 3 is only available to users on the NIPRNet/DREN, and is not accessible to the commercial Internet. If you are submitting your request from a commercial network, please send your CSR directly to the JITC Test Officers, who will submit the request for you.

Step 3 - Open the following URL with Firefox 3.0+: https://ee-id-sw-ca-37.c3pki.nit.disa.mil - and select "2048-bit SSL Server Enrollment form".

Step 4 - When generating a PKCS #10 formatted certificate request and its associated key pair, use the RSA key algorithm with a 2048-bit key length and the SHA1 with RSA signature algorithm if the selection is available. These are the algorithms designated for use in the DoD PKI. Server certificates issued by JITC will, in accordance with DoD PKI policy, have a distinguished name (DN) containing the following elements, in order:

EXAMPLE using a Military Affiliation

Step 5 - Contact the JITC Test Officers when you've submitted any server certificate requests and provide the certificate request numbers.
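
One way to carry out Step 4 from a shell with the OpenSSL command-line tool and to check the request before sending it (an added example, not part of JITC's instructions). The file names, the bare `/CN=` subject and the SHA-256 fallback are assumptions made here; use the DN elements your RA specifies.

```shell
#!/bin/sh
# Added example: build and pre-check a PKCS #10 request for Step 4.
# File names and the subject below are constructed placeholders.

# make_csr DIR FQDN: writes DIR/server.key and DIR/server.csr
make_csr() {
    dir=$1 fqdn=$2
    subj="/CN=${fqdn}"   # placeholder DN, not the DoD PKI element list
    (
        umask 077        # private key file readable by its owner only
        # Step 4 asks for SHA1 with RSA "if the selection is available";
        # fall back to SHA-256 (assumption) when this OpenSSL build refuses SHA-1.
        for md in sha1 sha256; do
            openssl req -new -newkey rsa:2048 -nodes -"$md" \
                -keyout "$dir/server.key" -out "$dir/server.csr" \
                -subj "$subj" 2>/dev/null && exit 0
        done
        exit 1
    )
}

# csr_key_bits FILE: prints the public key length in bits
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# csr_sig_alg FILE: prints the signature algorithm named in the request
csr_sig_alg() {
    openssl req -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# csr_self_sig_ok FILE: succeeds when the request's self-signature verifies.
# The message is matched because older OpenSSL releases exit 0 on failure too.
csr_self_sig_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Usage on the server that will hold the certificate:
#   make_csr /path/to/dir host.example.test
#   csr_key_bits /path/to/dir/server.csr
#   csr_sig_alg /path/to/dir/server.csr
```

Only `server.csr` is submitted or e-mailed to the Test Officers; `server.key` is written unencrypted (`-nodes`) and stays on the server that generated it.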

LRA certificates must be requested from the JITC Test Officers.

LRA CERTIFICATES

Step 1 - Obtain an LRA number from your RA or the JITC PKI Lab.

Step 2 - Open https://ca-27.c3pki.nit.disa.mil/ras.html using Firefox 3.0+. It's important to use the Firefox browser, as Internet Explorer is not yet able to properly generate certificate signing requests (CSRs) compatible with DoD PKI!!!

Step 3 - Fill in the LRA certificate request form. When completing the form, enter the LRA number from Step 1 in the associated field. The middle name and suffix (e.g. Jr, Sr, II, III, etc.) are optional, and the middle name may be substituted with an initial (no period) if desired.

Step 4 - Inform the JITC Test Officers of the request to expedite processing. Instructions for retrieving the certificate will be provided when the certificate is issued.
