A certificate is a data file that contains information on the user and their system. Certificates authenticate users to allow them access to secure web sites and documents. Authentication is done through establishing an encrypted communication channel, validating the user’s certificate, and performing a challenge/response between the server and the client to ensure the user’s identity.
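The server-side checks described above (certificate validation, then a challenge/response proving possession of the private key) can be sketched as follows. This is an added example, not code from JITC or the DoD PKI: the names, the in-memory CA and the choice of Ed25519 are assumptions, all data is constructed, and the encrypted channel (TLS in practice) is left out.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue returns a certificate binding cn to pub, signed by signer (self-signed when parent is nil).
func issue(cn string, isCA bool, pub ed25519.PublicKey, parent *x509.Certificate, signer ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		parent = tmpl
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	cert, err := x509.ParseCertificate(der) // also fails if creation returned no DER
	if err != nil {
		panic(err)
	}
	return cert
}
// authenticate: the chain must reach a trusted CA and sig must be the holder's signature over nonce.
func authenticate(trusted *x509.CertPool, cert *x509.Certificate, nonce, sig []byte) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	return err == nil && ok && ed25519.Verify(pub, nonce, sig)
}
// demo (constructed data): genuine holder, certificate presented without its key, untrusted issuer.
func demo() (genuine, noKey, untrusted bool) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	userPub, userKey, _ := ed25519.GenerateKey(rand.Reader)
	otherPub, otherKey, _ := ed25519.GenerateKey(rand.Reader)
	ca := issue("Example Trusted CA", true, caPub, nil, caKey)
	user := issue("user.example", false, userPub, ca, caKey)
	selfSigned := issue("user.example", false, otherPub, nil, otherKey)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	nonce := make([]byte, 32) // the server's fresh random challenge
	rand.Read(nonce)
	return authenticate(trusted, user, nonce, ed25519.Sign(userKey, nonce)),
		authenticate(trusted, user, nonce, ed25519.Sign(otherKey, nonce)),
		authenticate(trusted, selfSigned, nonce, ed25519.Sign(otherKey, nonce))
}

func main() { fmt.Println(demo()) }
```

Only the first case authenticates: a copied certificate is useless without its private key, and a certificate that does not chain to a trusted CA is rejected even when the signature over the challenge is valid.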
WHY DO I NEED A CERTIFICATE?
To conduct business with JITC, users will need access to secure websites/documents and can only gain this access with a certificate. Policies are currently being drafted within the DoD requiring all contractors and other organizations doing business with the DoD to use secure means of communication. Certificates can also be used to enable and improve electronic business processes. Having a certificate will allow users to digitally sign required documentation which is more secure and also saves time. Having a certificate also reduces the need to use a username/password to access sites.
WHAT IS A DIGITAL SIGNATURE?
A digital signature is a type of electronic signature that encrypts documents with digital codes that are difficult to duplicate. They provide the highest levels of security and are universally accepted. The digital signature will verify the user’s certificate was issued by a trusted Certificate Authority and that the certificate has not been revoked. Digital signatures are marked with the time of signing. If a document is changed after being digitally signed, the digital signature becomes invalid.
IS THERE MORE THAN ONE TYPE OF CERTIFICATE?
The Common Access Card (CAC) is the primary token for protecting identity, signature, and encryption certificates issued by the DoD to eligible users. CACs are physical cards that are issued to all individuals who sit at DoD facilities. Information stored on a CAC cannot be accessed without a Personal Identification Number (PIN) or system access to the secure CAC applications required to interpret the data.
There are many external entities and organizations that the DoD communicates with, through access to DoD information systems and via email. The DoD has established the External Certification Authority (ECA) program to support the issuance of DoD-approved software certificates to industry partners and other external entities and organizations. The ECA program is designed to provide the mechanism for these entities to securely communicate with the DoD and authenticate to DoD Information Systems.
HOW DO I OBTAIN A CAC?
CACs are issued at RAPIDS terminals. To locate the nearest RAPIDS office, visit the site locator and search by city, state, or zip code. Note that a smart card reader and middleware are required to enable a workstation to access the PKI certificates on a CAC.
WHICH SOFT CERTIFICATE IS BEST FOR MY ORGANIZATION?
There are three different types of certificates available with differing costs, requirements, and security levels.
- Medium Assurance certificate is a browser-based software certificate loaded onto a user’s hard drive. It is not portable from computer to computer. This certificate meets the minimum security requirement for ECA. Medium Assurance level certificates are also available outside the United States. This certificate provides identity/encryption certificates for digitally signing and encrypting email.
- Medium Token Assurance certificate is a hardware based certificate, and is stored on either a Smart Card or a USB device. This is a portable certificate and can be used on any computer where the utilities drivers have been installed. A Medium Token Assurance certificate is a higher assurance level certificate than a software based certificate and is also available outside the United States.
- Medium Hardware Assurance is the highest security certificate available, and is similar to the DoD CAC. This is a hardware based certificate, and is stored on either a Smart Card or a USB device. This certificate requires a face to face meeting with a trusted agent or a pre-established Trusted Agent within your company. This certificate type is not available outside the United States.
Software certificates are issued by Local Registration Authorities (LRAs). Please review the information below on the current ECA certificate vendors.
OPERATIONAL RESEARCH CONSULTANTS, INC. (ORC)
View the comparison chart and price list to decide which certificate is best for your organization. Once you have decided on the type of certificate, review the requirements checklists and instructions below.
- Medium Assurance Certificates: Requirements, Instructions
- Medium Token Certificates: Requirements, Instructions
- Medium Hardware Certificates: Requirements, Instructions
External Links (including Advertising Links): The appearance of external hyperlinks does not constitute endorsement by the Department of Defense of the linked websites, or the information, products or services contained therein. The Department of Defense does not exercise any editorial control over the information you may find at these locations. All links are provided consistent with the stated purpose of these websites.
Disclaimer: Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government, and shall not be used for advertising or product endorsement purposes. With respect to documents available from this server, neither the United States Government nor any of its service members or employees, makes any warranty, express or implied, including the warranties of merchantability and fitness for a particular purpose, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights.