Secure information sharing between the Department of Defense (DoD) and its external partners requires Public Key Infrastructure (PKI) interoperability. Like the DoD, many Federal Agencies and DoD partners have implemented a PKI to secure their applications and networks. In the past, these external PKIs were designed to operate independently. Internal policies, technical challenges and vendor selection have all contributed to these different identity management and information protection solutions.
Homeland Security Presidential Directive (HSPD)-12, Federal Information Processing Standards (FIPS)-201, and the Federal Bridge Certificate Authority (FBCA) have been implemented to synchronize identity management and information protection across the federal government. These initiatives aid the federal government and private industry in building PKI-based solutions that interoperate moving forward.
As deployed PKIs transition to full compliance, the need to share information cannot wait. Legacy PKIs in the near term will have to interoperate with PKIs that fall in line with the FBCA. The DoD is currently evaluating these external PKIs for implementation on DoD systems. Per DoD CIO Memo, SUBJECT: Approval of External Public Key Infrastructures, the DoD PKI Program Management Office (PMO), the DoD Public Key Enabling (PKE) Team and the DoD External Interoperability Working Group will be responsible for interoperability testing and approval.SUBMITTING CERTIFICATES FOR TESTING
The DoD test team must obtain the following test materials from the intended partner:
- Partner Root Certificate Authority (CA) certificate(s)
- Partner Intermediate/Subordinate CA certificate(s)
- A valid set of ALL the certificates on the end-user’s card (i.e. ID or PIV(I) Auth Cert, Signature Cert, Encryption Cert, Card Auth Cert)
- A revoked set of ALL the certificates on the end-user’s card (i.e. ID or PIV(I) Auth Cert, Signature Cert, Encryption Cert, Card Auth Cert and the revoked certificates should be from the same issuing CA as the valid set of Certificates)
- An expired certificate for each Subordinate CA used to issue end-user certificates for pre-existing CAs only. For example if all the end user certificates are issued off the same Subordinate CA, then they will all have the same CRLDP information embedded in the template. If this is the case then we would only need to test one expired certificate for that Subordinate CA. If you have multiple Subordinate CA issuing user certificates; for example, the 3 user certificates used with the DoD CAC's are issues from 2 different Subordinate CA, in this scenario we would need an expired certificate from both Subordinate CAs to test and validate.
The reason that a vendor is required to submit a revoked copy of all the user certificates, but only 1 expired certificate for each Subordinate CA is because when testing the revoked user certificates, in addition to verifying the revocation function is correctly identifying revoked certificates, which we only need one certificate to do, we are also validating the CRLDP information contained within each certificate template. Since the expired certificate and a revoked certificate contain the same CRLDP information, we do not need to re-verify all the CRLDP information in the certificates, just that the revocation checking is correctly identifying expired certificates.
When submitting certificates to JITC via email, certificates should be placed in to separate folders, the trust chain in one folder labeled “Trust Chain” followed by the user certificates in another folder labeled “User Certificates”. Both folders should then be compressed into a single ZIP file with the extension “.txt” added to the end (Example: Certificate_Package.zip.txt) to prevent our email filter from stripping your attachment off the email.
Each end-user certificate should be labeled with the usage and the revocation status for that particular certificate. For example, the following name conventions should be utilized for a certificate that will be used for E-mail signing and Smart Card Logon:
Completed packages should be sent via a digitally signed e-mail to firstname.lastname@example.orgPROCEDURE
DoD External Interoperability Plan, version 1.0 specifies the process by which an external PKI can be approved to interoperate with the DoD PKI. The process differs according to the classification of the external PKI:
- DoD Sponsored - DoD Sponsored External Certificate Authorities (ECAs) approved by the DoD to issue certificates to the relying parties.
- Category I - U.S. Federal Agency PKIs.
- Category II - Non-Federal Agency PKIs cross-certified with the FBCA or PKIs from other PKI Bridges that are cross-certified with the FBCA.
- Category III - Foreign, Allied, or Coalition Partner PKIs or other PKIs.
The interoperability testing phase of this process is conducted by the Joint Interoperability Test Command PKE Lab according to the DoD PKI Interoperability Test Plan, verison 2.0. Two key trust models are tested:
- Direct Trust Model - The DoD PKE test application will be required to trust the root certificate of the target PKI and have access to its revocation information in order to determine the validity of the target PKI's certificates.
- Cross Certificate Trust Model - The DoD PKI and the target PKI will each issue a certificate to a Certification Authority (CA) in the other PKI, or a third party CA trusted by both, creating a cross-certificate pair or pairs providing bi-directional trust. Trust can also be one-way if only one CA signs a certificate for the other CA.
The following table contains information on external PKIs that have completed interoperability testing with the DoD PKI.
More detailed information can be found at https://iase.disa.mil/pki-pke/interoperability/index.html.
|Not Tested||Test In Progress||Test Complete||Not Interoperable||Interoperable|
|This trust model was not tested.||Testing is in progress.||Testing is complete.||
External PKI is non-interoperable|
using this trust model.
External PKI is interoperable|
using this trust model.
|External PKI||PKI Category||Federal Bridge Relationship||Date Certified||Direct Trust Model||Cross Certified Trust Model|
|Australian Defence Organisation (ADO) NIPRNet||Category III||Member through CCEB||03/2013||Interoperable||Not Tested||Interoperable||Not Tested|
|Australian Defence Organisation (ADO) SIPRNet||Category III||Member through CCEB||06/2013||Interoperable||Not Tested||Interoperable||Not Tested|
|Boeing PKI||Category II||CertiPath Bridge Member||07/2019||Not Tested||Interoperable||Not Tested||Interoperable|
|Booz Allen Hamilton Inc.||Category II||Member through Symantec NFI||12/2012||Interoperable||Interoperable||Interoperable||Not Tested|
|Canada Department of National Defence (DND) SIPRNet||Category III||Member through CCEB||11/2013||Interoperable||Not Tested||Interoperable||Not Tested|
|Carillon Federal Services PKI||Category II||CertiPath Bridge Member||12/2015||Not Tested||Interoperable||Not Tested||Interoperable|
|Cassidian Communications||Category II||CertiPath Bridge Member||06/2014||Not Tested||Interoperable||Not Tested||Interoperable|
|Computer Sciences Corp||Category II||Member through Symantec NFI||01/2013||Not Tested||Interoperable||Not Tested||Interoperable|
|Department of Energy||Category I||Member through Entrust SSP||02/2010||Interoperable||Interoperable||Not Tested||Not Tested|
|Department of Homeland Security||Category I||Member through U.S. Treasury SSP||03/2009||Interoperable||Interoperable||Not Tested||Not Tested|
|Department of Justice||Category I||Member through Entrust SSP||09/2008||Interoperable||Interoperable||Not Tested||Not Tested|
|Department of State||Category I||Federal Bridge Member||06/2011||Interoperable||Interoperable||Not Tested||Not Tested|
|Department of Transportation / Federal Aviation Administration||Category I||Member through Symantec SSP||01/2019||Not Tested||Interoperable||Not Tested||Interoperable|
|Department of Treasury||Category I||Federal Bridge Member||12/2008||Interoperable||Interoperable||Not Tested||Not Tested|
|Department of Veterans Affairs||Category I||Federal Bridge Member||04/2019||Not Tested||Interoperable||Not Tested||Interoperable|
|Eid Passport RAPIDGate Premier CA||Category II||Member through Symantec NFI||08/2014||Not Tested||Interoperable||Not Tested||Interoperable|
|Eid Passport RAPIDGate PIV-I CA||Category II||Member through Symantec NFI||10/2013||Not Tested||Interoperable||Not Tested||Interoperable|
|Entrust NFI||Category II||Member through Symantec NFI||04/2019||Not Tested||Interoperable||Not Tested||Interoperable|
|Entrust Shared Services Provider SSP||Category I||Federal Bridge Member||11/2019||Not Tested||Interoperable||Not Tested||Interoperable|
|Environmental Protection Agency||Category I||Member through ORC SSP||12/2008||Interoperable||Interoperable||Not Tested||Not Tested|
|Exostar SHA-256||Category II||Federal Bridge Member||04/2014||Not Tested||Interoperable||Not Tested||Interoperable|
|General Services Administration Managed Service Office||Category I||Member through Entrust SSP||05/2011||Interoperable||Interoperable||Not Tested||Not Tested|
|IdenTrust ECA||DoD Sponsored||Member through DoD||12/2014||Interoperable||Not Tested||Interoperable||Not Tested|
|IdenTrust NFI||Category II||Federal Bridge Member||03/2016||Not Tested||Interoperable||Not Tested||Interoperable|
|Human Health Services||Category I||Member through Entrust SSP||11/2013||Not Tested||Interoperable||Not Tested||Interoperable|
|Lockheed Martin||Category II||Certipath Bridge Member||07/2013||Interoperable||Not Tested||Interoperable||Not Tested|
|Lockheed Martin (Non-Production)||Category II||TSCP Bridge Member||08/2015||Interoperable||Not Tested||Interoperable||Not Tested|
* Encryption Certificate not certified
|Category II||TSCP Bridge Member||04/2016||Not Tested||Interoperable||Not Tested||Interoperable|
|National Aeronautics and Space Administration||Category I||Member through U.S. Treasury SSP||08/2019||Not Tested||Interoperable||Not Tested||Interoperable|
|National Institute of Standards and Technology||Category I||Member through Entrust SSP||02/2009||Interoperable||Interoperable||Not Tested||Not Tested|
|Netherlands Ministry PKI||Category II||Certipath Bridge Member||09/2012||Not Tested||Interoperable||Not Tested||Not Tested|
|Northrop Grumman Corporation||Category II||Certipath Bridge Member||06/2013||Interoperable||Not Tested||Interoperable||Not Tested|
|Northrop Grumman Corporation|
|Category II||TSCP Bridge Member||08/2015||Not Tested||Interoperable||Not Tested||Interoperable|
|Nuclear Regulatory Commission (NRC)||Category I||Member through Symantec SSP||04/2015||Not Tested||Interoperable||Not Tested||Interoperable|
|Operational Research Consultants ECA||DoD Sponsored||Member through DoD||01/2016||Interoperable||Interoperable||Interoperable||Interoperable|
|Operational Research Consultants Non-Federal Issuer||Category II||Federal Bridge Member||03/2012||Not Tested||Interoperable||Not Tested||Interoperable|
|Operational Research Consultants Shared Services Provider (SSP) 3||Category I||Federal Bridge Membership||07/2014||Not Tested||Interoperable||Not Tested||Interoperable|
|Operational Research Consultants Shared Services Provider (SSP) 4||Category I||Federal Bridge Membership||Pending||Not Tested||Testing is in Progress||Not Tested||Testing is in Progress|
|Raytheon||Category II||Certipath Bridge Member||08/2015||Interoperable||Interoperable||Interoperable||Interoperable|
|Social Security Administration||Category I||Member through U.S. Treasury SSP||01/2009||Interoperable||Interoperable||Not Tested||Not Tested|
|Symantec ECA||DoD Sponsored||Member through DoD||06/2014||Interoperable||Not Tested||Interoperable||Not Tested|
|Verizon Non-Federal Issuer||Category II||Federal Bridge Member||07/2011||Not Tested||Interoperable||Not Tested||Not Tested|