If your organization is interested in obtaining test certificates, please read the information below.
NOTE: Test certificate and materials are not intended nor authorized for live use in applications and systems that presently or will imminently operate in a production/operational capacity serving a "real-world" mission for the general DoD public community.
Agencies, groups, departments that require certificates should appoint and use their own Local Registration Authority (LRA) or Registration Authority (RA). This allows the production of certificates at the discretion of your designated LRA/RA.
The process for test certificate issuance begins with the Sponsor Agency as indicated at the PKI/PKE Help website https://cyber.mil/pki-pke/help/ (Section: Help-PKI/PKE Contact Information).
The intent is for the Sponsor Agency of the product/test be the entity issuing the test certificate. This ensures a valid requirement exists for that particular test. Organizations can obtain FREE Registration Authority (RA) training through the DoD Cyber Exchange: https://cyber.mil/pki-pke/rlkt/?_dl_facet_pkipke_type=training.
Use of your own LRAs/RAs allows customers to obtain JITC test certificates at the discretion of the designated LRAs/RAs. Organizations who do not currently have a Sponsor LRA or RA need to establish internal resources no later than April 22, 2022. This includes organizations not listed in the COMBATANT COMMAND/SERVICE/AGENCY REGISTRATION AUTHORITY (RA) OPERATIONS OFFICES list located on at https://cyber.mil/pki-pke/help/.
Customers who desire to obtain JITC test certificates directly from the DISA Public Key Infrastructure Joint Interoperability Test Command laboratory (PKI JITC laboratory) are required to enter into a support agreement with the DISA Public Key Infrastructure Program Management Office (DISA PKI PMO).
Questions about each Agency RA process should be directed to that Agency (emails and phone numbers are available on the website).
At a minimum, the following information will be required to obtain test certificates:USER CERTIFICATES
User certificates are available from https://ee-sw-ca-60.c3pki.nit.disa.mil/ca/ee/ca/ under the User Certificate Enrollment profile.
Step 1 - Gather the following information for each user you wish to register:
(NOTE - Numbers and most symbols are not allowed in the naming fields, with the exception of the e-mail address.)
- Last Name
- First Name
- Middle Initial or Name (optional)
- Generation [Jr., Sr., II, III, etc] (optional)
- E-mail address
- Organization (military/government or contractor)
The user information should be fictitious. You can also elect to use one of the naming fields to include the name of the project for which the user certificates are to be used, or perhaps the name of your organization. Such a convention would really only need to be exercised for organizational purposes.
Step 2 - Provide the request IDs to your corresponding Sponsor RA. The requests will be approved and you will receive the instructions for retrieving them.
This will generate two (2) certificates, an ID/Signing certificate used for authentication and email signing, and an encryption certificate for encrypting emails.
Server certificates, such as certificates for web sites, should be requested from the server they are intended for, as they are tied to the machine generating the request. You will be required to generate a certificate request on your server and upload it to the Certificate Authority. Specific instructions can be found at the appropriate link below and with your server software documentation. Once the request has been submitted, contact your Test RA or JITC Test Officer for authorization and include the certificate request numbers. The JITC can act as the RA if you do not have a JITC TEST RA. The RA will provide instructions for retrieving the certificate.The same information and authorization requirements for a user certificate are also necessary for a server certificate.
The same information and authorization requirements for a user certificate are also necessary for a server certificate.SERVER CERTIFICATES
Step 1 - Contact your Test RA or JITC Test Officers.
Step 2 - Gather the information required to submit a server Certificate Signing Request (CSR) - fully qualified host name and must be a military/government organization. Send the CSR directly to your Test RA or JITC Test Officers.
NOTE: The following URL in Step 3 is only available to users on the NIPRNet/DREN, and is not accessible to the commercial Internet. If you are submitting your request from a commercial network, please send your CSR directly to your Test RA or JITC Test Officers, who will submit the request for you.
Step 3 - Open the following URL with Firefox 3.0+: https://npe-portal.c3pki.nit.disa.mil or https://ee-sw-ca-53.c3pki.nit.disa.mil - and select "2048-bit SSL Server Enrollment profile" or the "Manual PKCS10 Domain Controller 2048-bit Certificate enrollment" profile.
Step 4 - When generating a PKCS# 10 formatted certificate request and its associated key pair, use the RSA key algorithm with a *2048-bit* key length and the SHA1 with RSA signature algorithm if the selection is available. These are the algorithms designated for use in the DoD PKI. Server certificates issued by JITC will, in accordance with DoD PKI policy, have a distinguished name (DN) containing the following elements, in order:
- CN=(server DNS name or IP),
- OU=(Please select either of the following (see example below): Military Affiliations- CONTRACTOR, USA, USAF, USCG, USMC, USN, USPHS, NOAA, OTHER. DoD Civilians Affiliations- please choose one of the following: AFIS, CCEB, CENTCOM, CIA, DARPA, DCAA, DCMA, DeCA, DFAS, DHS, DIA, DISA, DLA, DLSA, DNI, DoDEA, DoDHRA, DoDIG, DOE, DOJ, DOS, DPMO, DSCA, DSS, DTIC, DTRA, EUCOM, JS, JFCOM, MDA, MEPCOM, NGA, NORTHCOM, NRO, NSA/CSS, OEA, OSD, PACOM, PFPA, POW/MP, SOCOM, SOUTHCOM, SPACECOM, STRATCOM, TMA, TRANSCOM, TREA, WHS.),
- O=U.S. Government,
EXAMPLE using a Military Affiliation
- O=U.S. Government
Step 5 - Contact your Test RA or the JITC Test Officers when you've submitted any server certificate requests and provide the certificate request numbers.
LRA certificates must be requested from the JITC Test Officers.LRA CERTIFICATES
Step 1 - Obtain a LRA number from your RA or the JITC PKI Lab.
Step 2 - Open https://ee-sw-ca-53.c3pki.nit.disa.mil using Firefox 3.0+. It's important to use the Firefox browser as Internet Explorer is yet unable to properly generate certificate signing requests (CSRs) compatible with DoD PKI!!!
Step 3 - Fill in the LRA certificate request form. When completing the form, use the LRA number from Step 1. Please enter this number in the associated field. The middle name and suffix (e.g. Jr, Sr, II, III, etc) are optional, and the middle name may be substituted with an initial (no period) if desired.
Step 4 - Inform your Test RA or the JITC Test Officers of the request to expedite processing. Instructions for retrieving the certificate will be provided when the certificate is issued.