JITC

JOINT INTEROPERABILITY TEST COMMAND

JITC PUBLIC KEY INFRASTRUCTURE (PKI)
DoD PKI INTERAGENCY / PARTNER INTEROPERABILITY TESTING
Updated: 11/17/2021 10:39:03 AM
OVERVIEW

Secure information sharing between the Department of Defense (DoD) and its external partners requires Public Key Infrastructure (PKI) interoperability. Like the DoD, many Federal Agencies and DoD partners have implemented a PKI to secure their applications and networks. In the past, these external PKIs were designed to operate independently. Internal policies, technical challenges and vendor selection have all contributed to these different identity management and information protection solutions.

Homeland Security Presidential Directive (HSPD)-12, Federal Information Processing Standards (FIPS)-201, and the Federal Bridge Certificate Authority (FBCA) have been implemented to synchronize identity management and information protection across the federal government. These initiatives aid the federal government and private industry in building PKI-based solutions that interoperate moving forward.

As deployed PKIs transition to full compliance, the need to share information cannot wait. Legacy PKIs in the near term will have to interoperate with PKIs that fall in line with the FBCA. The DoD is currently evaluating these external PKIs for implementation on DoD systems. Per DoD CIO Memo, SUBJECT: Approval of External Public Key Infrastructures, the DoD PKI Program Management Office (PMO), the DoD Public Key Enabling (PKE) Team and the DoD External Interoperability Working Group will be responsible for interoperability testing and approval.

SUBMITTING CERTIFICATES FOR TESTING

The DoD test team must obtain the following test materials from the intended partner:

  • Partner Root Certificate Authority (CA) certificate(s)

  • Partner Intermediate/Subordinate CA certificate(s)

  • A valid set of ALL the certificates on the end-user’s card (i.e. ID or PIV(I) Auth Cert, Signature Cert, Encryption Cert, Card Auth Cert)

  • A revoked set of ALL the certificates on the end-user’s card (i.e. ID or PIV(I) Auth Cert, Signature Cert, Encryption Cert, Card Auth Cert); the revoked certificates should be issued by the same CA as the valid set of certificates

A vendor is required to submit a revoked copy of all the user certificates for each Subordinate CA because the revoked-certificate test serves two purposes: it verifies that the revocation function correctly identifies revoked certificates (one certificate would suffice for that), and it also validates the CRLDP information contained within each certificate template, which requires one revoked certificate per template.
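The per-template CRLDP check described above can be scripted. The following is an added example and not JITC's own test tooling: it walks DER-encoded certificates with the standard library only, pulls the URIs out of the CRL Distribution Points extension (OID 2.5.29.31), and then compares the Valid and Revoked certificate of each usage so that a template whose revoked certificate carries no (or a different) CRLDP is reported. The certificate bytes, the file names and the CRL URI are constructed for the example; the DER skeleton is unsigned and only shaped like a certificate.

```python
# Added example: CRLDP extraction and per-template comparison with the standard library.
# Assumes single-byte ASN.1 tags and definite lengths (true for X.509 DER) and the page's
# Valid_<usage>.cer / Revoked_<usage>.cer naming convention.

CRLDP_OID = bytes([0x55, 0x1D, 0x1F])  # DER body of OID 2.5.29.31 (id-ce-cRLDistributionPoints)


def _read_tlv(buf, i):
    """Read one DER tag-length-value at offset i; return (tag, value, next offset)."""
    tag, length = buf[i], buf[i + 1]
    i += 2
    if length & 0x80:                      # long form: low 7 bits give the length byte count
        n = length & 0x7F
        length = int.from_bytes(buf[i:i + n], "big")
        i += n
    return tag, buf[i:i + length], i + length


def _children(body):
    """Split the body of a constructed element into its (tag, value) children."""
    out, i = [], 0
    while i < len(body):
        tag, value, i = _read_tlv(body, i)
        out.append((tag, value))
    return out


def _collect_uris(body, out):
    """Walk CRLDistributionPoints; tag 0x86 is GeneralName uniformResourceIdentifier [6]."""
    for tag, value in _children(body):
        if tag == 0x86:
            out.append(value.decode("ascii"))
        elif tag & 0x20:                   # constructed node (DistributionPoint, [0] fullName ...)
            _collect_uris(value, out)


def extract_crldp_uris(der):
    """Return the CRLDP URIs in a DER certificate (empty list if the extension is absent)."""
    uris = []

    def visit(body):
        kids = _children(body)
        # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
        if len(kids) >= 2 and kids[0] == (0x06, CRLDP_OID) and kids[-1][0] == 0x04:
            _collect_uris(kids[-1][1], uris)
            return
        for tag, value in kids:
            if tag & 0x20:
                visit(value)

    visit(der)
    return uris


def check_template_crldp(package):
    """package: {file name: DER bytes}. Returns {usage: findings}; an empty list means the template passed."""
    by_usage = {}
    for name, der in package.items():
        status, _, rest = name.partition("_")           # "Valid" or "Revoked"
        usage = rest[:-4] if rest.lower().endswith(".cer") else rest
        by_usage.setdefault(usage, {})[status] = extract_crldp_uris(der)
    findings = {}
    for usage, by_status in by_usage.items():
        issues = [f"{s}: no CRLDP URI" for s, uris in by_status.items() if not uris]
        valid, revoked = by_status.get("Valid"), by_status.get("Revoked")
        if valid and revoked and valid != revoked:
            issues.append("Valid and Revoked certificates point at different CRLDPs")
        findings[usage] = issues
    return findings


# --- constructed sample input (a minimal, unsigned certificate-shaped DER skeleton) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def sample_cert(crldp_uri=None):
    """Certificate { tbsCertificate { [0] version, serial, [3] extensions } } with an optional CRLDP."""
    exts = b""
    if crldp_uri:
        # CRLDistributionPoints ::= SEQUENCE { DistributionPoint { [0] { [0] fullName { [6] uri } } } }
        dp = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(0x86, crldp_uri.encode("ascii"))))))
        exts = tlv(0x30, tlv(0x06, CRLDP_OID) + tlv(0x04, dp))
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0xA3, tlv(0x30, exts))
    return tlv(0x30, tlv(0x30, tbs))


def sample_package():
    uri = "http://crl.example.test/partner-issuing-ca.crl"   # constructed CRL URI
    return {
        "Valid_Sign_SCL.cer": sample_cert(uri),
        "Revoked_Sign_SCL.cer": sample_cert(uri),
        "Valid_Encryption.cer": sample_cert(uri),
        "Revoked_Encryption.cer": sample_cert(None),         # template defect: no CRLDP
    }


if __name__ == "__main__":
    for usage, issues in check_template_crldp(sample_package()).items():
        print(usage, "OK" if not issues else issues)
```

Run against a real package, the same `check_template_crldp` call takes the `.cer` files read as bytes; PEM input would need to be base64-decoded first.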

When submitting certificates to JITC via email, certificates should be placed into separate folders: the trust chain in one folder labeled “Trust Chain” and the user certificates in another folder labeled “User Certificates”. Both folders should then be compressed into a single ZIP file with the extension “.txt” added to the end (Example: Certificate_Package.zip.txt) to prevent our email filter from stripping the attachment off the email.

Each end-user certificate should be labeled with the usage and the revocation status for that particular certificate. For example, the following name conventions should be utilized for a certificate that will be used for E-mail signing and Smart Card Logon:

  • Valid_Sign_SCL.cer

  • Revoked_Sign_SCL.cer

Completed packages should be sent via a digitally signed e-mail to disa.jitc.pke@mail.mil
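The packaging steps above (two folders, one ZIP, the ".txt" suffix, and the Valid_/Revoked_ file naming) can be checked and assembled mechanically before the package is signed and sent. This is an added example, not a JITC-provided tool; the certificate contents and the CA file names are constructed placeholders, and the archive is written to a temporary directory when no output directory is given.

```python
# Added example: validate end-user certificate file names and build Certificate_Package.zip.txt
# with the "Trust Chain" and "User Certificates" folders described on the page.
import re
import tempfile
import zipfile
from pathlib import Path

# <Status>_<Usage>[_<Usage>...].cer, e.g. Valid_Sign_SCL.cer / Revoked_Sign_SCL.cer
NAME_RE = re.compile(r"^(Valid|Revoked)_[A-Za-z0-9]+(_[A-Za-z0-9]+)*\.cer$")


def validate_user_cert_names(names):
    """Return a list of problems: names outside the convention, and usages lacking a Valid/Revoked pair."""
    problems, usages = [], {}
    for name in names:
        if not NAME_RE.match(name):
            problems.append(f"{name}: does not follow Valid_/Revoked_<usage>.cer naming")
            continue
        status, usage = name[:-4].split("_", 1)
        usages.setdefault(usage, set()).add(status)
    for usage, statuses in sorted(usages.items()):
        for missing in sorted({"Valid", "Revoked"} - statuses):
            problems.append(f"{usage}: missing {missing} certificate")
    return problems


def build_package(out_dir, trust_chain, user_certs, archive_name="Certificate_Package"):
    """trust_chain / user_certs: {file name: bytes}. Writes <archive_name>.zip.txt and returns its path."""
    problems = validate_user_cert_names(user_certs)
    if problems:
        raise ValueError("; ".join(problems))
    out_dir = Path(out_dir) if out_dir else Path(tempfile.mkdtemp())
    out_path = out_dir / f"{archive_name}.zip.txt"      # ".txt" keeps the mail filter from dropping it
    with zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in trust_chain.items():
            zf.writestr(f"Trust Chain/{name}", data)
        for name, data in user_certs.items():
            zf.writestr(f"User Certificates/{name}", data)
    return out_path


def list_package(path):
    """Sorted member names of a package, for a final look before sending."""
    with zipfile.ZipFile(path) as zf:
        return sorted(zf.namelist())


def sample_inputs():
    """Constructed stand-ins for the real .cer files (the bytes are placeholders, not certificates)."""
    trust_chain = {
        "Partner_Root_CA.cer": b"<constructed root CA cert>",
        "Partner_Issuing_CA.cer": b"<constructed issuing CA cert>",
    }
    user_certs = {
        "Valid_Sign_SCL.cer": b"<constructed valid cert>",
        "Revoked_Sign_SCL.cer": b"<constructed revoked cert>",
    }
    return trust_chain, user_certs


if __name__ == "__main__":
    chain, users = sample_inputs()
    package = build_package(None, chain, users)
    print(package)
    print("\n".join(list_package(package)))
```

The resulting file is the attachment to send from a digitally signed e-mail; the script does not sign anything itself.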

PROCEDURE

DoD External Interoperability Plan, version 1.0 specifies the process by which an external PKI can be approved to interoperate with the DoD PKI. The process differs according to the classification of the external PKI:

  • DoD Sponsored - DoD Sponsored External Certificate Authorities (ECAs) approved by the DoD to issue certificates to the relying parties.

  • Category I - U.S. Federal Agency PKIs.

  • Category II - Non-Federal Agency PKIs cross-certified with the FBCA or PKIs from other PKI Bridges that are cross-certified with the FBCA.

  • Category III - Foreign, Allied, or Coalition Partner PKIs or other PKIs.

The interoperability testing phase of this process is conducted by the Joint Interoperability Test Command PKE Lab according to the DoD PKI Interoperability Test Plan, version 2.0. Two key trust models are tested:

  • Direct Trust Model - The DoD PKE test application will be required to trust the root certificate of the target PKI and have access to its revocation information in order to determine the validity of the target PKI's certificates.

  • Cross Certificate Trust Model - The DoD PKI and the target PKI will each issue a certificate to a Certification Authority (CA) in the other PKI, or a third party CA trusted by both, creating a cross-certificate pair or pairs providing bi-directional trust. Trust can also be one-way if only one CA signs a certificate for the other CA.
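The difference between the two trust models is where the trust anchor sits and which certificates the validator can see. The following added example (not the PKE Lab's test application) reduces certification path building to a search over (subject, issuer) pairs: under direct trust the partner root is imported as an anchor; under the cross-certificate model only the DoD root is an anchor and the path must pass through the cross-certificate, which also shows why a single cross-certificate gives one-way trust only. All CA and user names are constructed; revocation checking, the other half of what the test application must do, is outside this example.

```python
# Added example: certification path building under the direct and cross-certificate trust models.
# Certificates are modelled as (subject, issuer) pairs; all names below are constructed.
from collections import deque


def build_path(target, certs, anchors):
    """Breadth-first search from `target` up the issuer edges until a certificate issued by an anchor is found.

    certs:   iterable of (subject, issuer) pairs, one per certificate visible to the validator
    anchors: set of subject names whose certificates the validator explicitly trusts
    Returns the list of (subject, issuer) pairs from target to the anchor-issued certificate, or None.
    """
    by_subject = {}
    for subject, issuer in certs:
        by_subject.setdefault(subject, []).append(issuer)
    queue = deque([(target, [])])
    visited = {target}
    while queue:
        subject, path = queue.popleft()
        for issuer in by_subject.get(subject, []):
            step = path + [(subject, issuer)]
            if issuer in anchors:
                return step
            if issuer not in visited:          # skips self-signed loops and CAs already tried
                visited.add(issuer)
                queue.append((issuer, step))
    return None


PARTNER_PKI = [
    ("Partner User", "Partner Issuing CA"),
    ("Partner Issuing CA", "Partner Root"),
    ("Partner Root", "Partner Root"),           # self-signed partner root
]
DOD_PKI = [
    ("DoD User", "DoD Issuing CA"),
    ("DoD Issuing CA", "DoD Root"),
    ("DoD Root", "DoD Root"),                   # self-signed DoD root
]
# One half of a cross-certificate pair: the DoD Root issues a certificate to the Partner Root.
DOD_TO_PARTNER = [("Partner Root", "DoD Root")]
# The other half: the Partner Root issues a certificate to the DoD Root.
PARTNER_TO_DOD = [("DoD Root", "Partner Root")]


def direct_trust_path():
    """Direct Trust Model: the relying party imports the partner root certificate as an anchor."""
    return build_path("Partner User", PARTNER_PKI, {"Partner Root"})


def cross_cert_path(cross_certs):
    """Cross Certificate Trust Model: only the DoD root is an anchor; trust reaches the partner via the cross-certificate."""
    return build_path("Partner User", PARTNER_PKI + DOD_PKI + cross_certs, {"DoD Root"})


def reverse_path(cross_certs):
    """Can the partner, trusting only its own root, validate a DoD user? Only with the other half of the pair."""
    return build_path("DoD User", PARTNER_PKI + DOD_PKI + cross_certs, {"Partner Root"})


if __name__ == "__main__":
    print("direct trust:          ", direct_trust_path())
    print("cross-cert, none:      ", cross_cert_path([]))
    print("cross-cert, DoD->Partner:", cross_cert_path(DOD_TO_PARTNER))
    print("partner validates DoD, one-way: ", reverse_path(DOD_TO_PARTNER))
    print("partner validates DoD, pair:    ", reverse_path(DOD_TO_PARTNER + PARTNER_TO_DOD))
```

A real validator additionally checks signatures, validity periods, name and policy constraints on every certificate in the returned path and consults the CRLDP or OCSP information for each one; the search above only answers whether a path to the chosen anchor exists at all.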

EXTERNAL PKI TESTING STATUS

The following table contains information on external PKIs that have completed interoperability testing with the DoD PKI.

More detailed information can be found at https://iase.disa.mil/pki-pke/interoperability/index.html.

Test Status Color Codes

  • Not Tested - This trust model was not tested.

  • Test In Progress - Testing is in progress.

  • Test Complete - Testing is complete.

  • Not Interoperable - External PKI is non-interoperable using this trust model.

  • Interoperable - External PKI is interoperable using this trust model.



External PKI | PKI Category | Federal Bridge Relationship | Date Certified | Direct Trust Model (SHA-1) | Direct Trust Model (SHA-256) | Cross Certified Trust Model (SHA-1) | Cross Certified Trust Model (SHA-256)
Australian Defence Organisation (ADO) NIPRNet | Category III | Member through CCEB | 03/2013 | Interoperable | Not Tested | Interoperable | Not Tested
Australian Defence Organisation (ADO) SIPRNet | Category III | Member through CCEB | 06/2013 | Interoperable | Not Tested | Interoperable | Not Tested
Boeing PKI | Category II | CertiPath Bridge Member | 07/2019 | Not Tested | Interoperable | Not Tested | Interoperable
Booz Allen Hamilton Inc. | Category II | Member through Symantec NFI | 12/2012 | Interoperable | Interoperable | Interoperable | Not Tested
Canada Department of National Defence (DND) SIPRNet | Category III | Member through CCEB | 11/2013 | Interoperable | Not Tested | Interoperable | Not Tested
Carillon Federal Services PKI | Category II | CertiPath Bridge Member | 12/2015 | Not Tested | Interoperable | Not Tested | Interoperable
Cassidian Communications | Category II | CertiPath Bridge Member | 06/2014 | Not Tested | Interoperable | Not Tested | Interoperable
Computer Sciences Corp | Category II | Member through Symantec NFI | 01/2013 | Not Tested | Interoperable | Not Tested | Interoperable
Department of Energy | Category I | Member through Entrust SSP | 02/2010 | Interoperable | Interoperable | Not Tested | Not Tested
Department of Homeland Security | Category I | Member through U.S. Treasury SSP | 03/2009 | Interoperable | Interoperable | Not Tested | Not Tested
Department of Justice | Category I | Member through Entrust SSP | 09/2008 | Interoperable | Interoperable | Not Tested | Not Tested
Department of State | Category I | Federal Bridge Member | 06/2011 | Interoperable | Interoperable | Not Tested | Not Tested
Department of Transportation / Federal Aviation Administration | Category I | Member through Symantec SSP | 01/2019 | Not Tested | Interoperable | Not Tested | Interoperable
Department of Treasury | Category I | Federal Bridge Member | 12/2008 | Interoperable | Interoperable | Not Tested | Not Tested
Department of Veterans Affairs | Category I | Federal Bridge Member | 04/2019 | Not Tested | Interoperable | Not Tested | Interoperable
Eid Passport RAPIDGate Premier CA | Category II | Member through Symantec NFI | 08/2014 | Not Tested | Interoperable | Not Tested | Interoperable
Eid Passport RAPIDGate PIV-I CA | Category II | Member through Symantec NFI | 10/2013 | Not Tested | Interoperable | Not Tested | Interoperable
Entrust NFI | Category II | Member through Symantec NFI | 04/2019 | Not Tested | Interoperable | Not Tested | Interoperable
Entrust Shared Services Provider SSP | Category I | Federal Bridge Member | 11/2019 | Not Tested | Interoperable | Not Tested | Interoperable
Environmental Protection Agency | Category I | Member through ORC SSP | 12/2008 | Interoperable | Interoperable | Not Tested | Not Tested
Exostar SHA-256 | Category II | Federal Bridge Member | 04/2014 | Not Tested | Interoperable | Not Tested | Interoperable
General Services Administration Managed Service Office | Category I | Member through Entrust SSP | 05/2011 | Interoperable | Interoperable | Not Tested | Not Tested
IdenTrust ECA | DoD Sponsored | Member through DoD | 12/2014 | Interoperable | Not Tested | Interoperable | Not Tested
IdenTrust NFI | Category II | Federal Bridge Member | 03/2016 | Not Tested | Interoperable | Not Tested | Interoperable
Human Health Services | Category I | Member through Entrust SSP | 11/2013 | Not Tested | Interoperable | Not Tested | Interoperable
Lockheed Martin | Category II | CertiPath Bridge Member | 07/2013 | Interoperable | Not Tested | Interoperable | Not Tested
Lockheed Martin (Non-Production) | Category II | TSCP Bridge Member | 08/2015 | Interoperable | Not Tested | Interoperable | Not Tested
Lockheed Martin (Production) * | Category II | TSCP Bridge Member | 04/2016 | Not Tested | Interoperable | Not Tested | Interoperable
National Aeronautics and Space Administration | Category I | Member through U.S. Treasury SSP | 08/2019 | Not Tested | Interoperable | Not Tested | Interoperable
National Institute of Standards and Technology | Category I | Member through Entrust SSP | 02/2009 | Interoperable | Interoperable | Not Tested | Not Tested
Netherlands Ministry PKI | Category II | CertiPath Bridge Member | 09/2012 | Not Tested | Interoperable | Not Tested | Not Tested
Northrop Grumman Corporation | Category II | CertiPath Bridge Member | 06/2013 | Interoperable | Not Tested | Interoperable | Not Tested
Northrop Grumman Corporation (Non-Production) | Category II | TSCP Bridge Member | 08/2015 | Not Tested | Interoperable | Not Tested | Interoperable
Nuclear Regulatory Commission (NRC) | Category I | Member through Symantec SSP | 04/2015 | Not Tested | Interoperable | Not Tested | Interoperable
Operational Research Consultants ECA | DoD Sponsored | Member through DoD | 01/2016 | Interoperable | Interoperable | Interoperable | Interoperable
Operational Research Consultants Non-Federal Issuer | Category II | Federal Bridge Member | 03/2012 | Not Tested | Interoperable | Not Tested | Interoperable
Operational Research Consultants Shared Services Provider (SSP) 3 | Category I | Federal Bridge Membership | 07/2014 | Not Tested | Interoperable | Not Tested | Interoperable
Operational Research Consultants Shared Services Provider (SSP) 4 | Category I | Federal Bridge Membership | Pending | Not Tested | Testing is in Progress | Not Tested | Testing is in Progress
Raytheon | Category II | CertiPath Bridge Member | 08/2015 | Interoperable | Interoperable | Interoperable | Interoperable
Social Security Administration | Category I | Member through U.S. Treasury SSP | 01/2009 | Interoperable | Interoperable | Not Tested | Not Tested
Symantec ECA | DoD Sponsored | Member through DoD | 06/2014 | Interoperable | Not Tested | Interoperable | Not Tested
Verizon Non-Federal Issuer | Category II | Federal Bridge Member | 07/2011 | Not Tested | Interoperable | Not Tested | Not Tested

* Encryption Certificate not certified


DISA / JITC 2023