Effective 6:30 PM EST, Thursday, 28 February 2008, the DVS Web site (DVS-WS) will be PK-Enabled to require client-based certificate authentication. Once implemented, the cryptographic log-on process will require a Common Access Card (CAC) and its embedded PKI certificates to authenticate a user's identity. Contractors or other individuals not eligible for DoD PKI certificates must obtain a valid External Certification Authority (ECA) PKI certificate. Detailed information on PKI policy and PKI certificates follows. Note: DVS users will still use their current User ID and Password to access the DVS-WS application.
Download DVS Security User Guide (PDF, 994KB) 
Download DOD Root Certificate Authority (CA) Certificates.
What is Public Key Infrastructure?
A Public Key Infrastructure (PKI) is the framework and services that provide for the generation, production, distribution, control, accounting and destruction of public key certificates. Components of a PKI include system components such as one or more Certification Authorities and a certificate repository; documentation including a Certificate Policy document and one or more Certification Practice Statements; and trained personnel performing trusted roles to operate and maintain the system.
PKI integrates digital certificates, public-key cryptography, and Certification Authorities into a total, enterprise-wide network security architecture. A typical enterprise PKI encompasses the issuance of digital certificates to individual users and servers; end-user enrollment software; integration with certificate directories; tools for managing, renewing, and revoking certificates; and related services and support.
DoD Instruction 8520.2, "Public Key Infrastructure and Public Key Enabling" establishes the requirements for PK-enabling all activities (i.e., e-mail, private web servers, and networks).
Public Key-Enabling
Public Key-enabling (PK-Enabling) is the process of configuring systems and applications to use certificates for security services such as authentication, confidentiality, data integrity, and non-repudiation. PK-enabling of the DVS Web server(s) provides us with the capability to rely on digital certificates, in lieu of existing technologies such as usernames and passwords.
Certificate-based authentication consists of three steps: establishing an encrypted communication channel, validating the subscriber's certificate, and performing a challenge-response between the DVS Web server and the DVS client to ensure that the user is the subscriber named in the certificate. If these three steps are successful, the DVS Web server can trust that the identity of the user is the same as the identity stated in the certificate and can then map that identity to authorizations.
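The three steps just described, as an added example that is not code from the DVS site: a Go program that mints a constructed root CA, a server certificate and a CAC-style client certificate in memory, then runs the TLS client-certificate log-on over an in-memory pipe and maps the validated identity to a role. The certificate names, the Ed25519 keys and the identity-to-role map authz are all constructed assumptions; the TLS CertificateVerify message supplies the challenge-response proof of possession.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)
// issue mints an in-memory certificate (a constructed stand-in for the DoD Root CA, the DVS server or a CAC cert); nil parent means self-signed.
func issue(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// authz is a constructed sample of the server-side map from validated identity to application role.
var authz = map[string]string{"DOE.JOHN.1234567890": "dvs-user"}
// Authenticate runs the three steps over an in-memory connection: an encrypted TLS channel, validation of the client
// certificate against root (the single trust anchor), and proof of possession of the private key (the TLS CertificateVerify
// signature). It returns the validated subject CN and its role; both are empty when the server rejects the log-on.
func Authenticate(root *x509.Certificate, rootKey ed25519.PrivateKey, cliCert *x509.Certificate, cliKey ed25519.PrivateKey) (string, string) {
	srvCert, srvKey := issue("dvs-ws", false, root, rootKey)
	pool := x509.NewCertPool()
	pool.AddCert(root) // the only trust anchor, like the DoD Root CA certificate the page links to
	srvCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool, SessionTicketsDisabled: true}
	cliCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}},
		RootCAs: pool, ServerName: "dvs-ws"}
	c1, c2 := net.Pipe()
	defer c1.Close()
	go func() { tls.Client(c2, cliCfg).Handshake(); c2.Close() }() // the DVS client side of the log-on
	server := tls.Server(c1, srvCfg)
	if err := server.Handshake(); err != nil {
		return "", "" // untrusted issuer, expired certificate, or failed proof of possession
	}
	cn := server.ConnectionState().PeerCertificates[0].Subject.CommonName
	return cn, authz[cn] // identity established; now map it to authorizations
}
```

A certificate that chains to the trusted root but whose subject is absent from authz is authenticated yet receives no role, which is the distinction between identity and authorization the paragraph draws.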
What is DoD PKI?
DoD PKI is a fundamental component of the DoD's Net-Centric vision and is essential to providing enhanced Information Assurance and Identity Management capabilities. It provides the base level of identification and authentication, integrity, non-repudiation and confidentiality for the Global Information Grid. The DoD use of PKI in our Identity Management capability is recognized as the world leader in this area.
The DoD PKI is operated under the requirements of the DoD X.509 Certificate Policy. The Root Certification Authority (CA) is operated by NSA in an off-line state. This Root CA issues certificates to on-line Subordinate CAs on both the NIPRNet and the SIPRNet. Subordinate CAs issue certificates to subscribers, both human and non-human entities such as web servers, that have been authenticated by trusted individuals including Registration Authorities, Local Registration Authorities, and Verification Officers.
The DoD PKI issues certificates to both software and hardware tokens. The primary token for individuals within the DoD on the NIPRNet is the Common Access Card.
DoD PKI Certificates
Who may obtain a DoD PKI certificate?
DoD eligible users are active duty uniformed services personnel, members of the Selected Reserve, DoD civilian employees, and personnel working on site at DoD facilities using DoD network and e-mail services.
For personnel who are not DoD military or civilian employees, eligibility is determined based on the interaction of the individual with the DoD rather than on the type of individual. These personnel include DoD support contractors, non-US nationals, and volunteers. Individuals who access DoD information systems from a remote location, such as accessing web servers, are not generally eligible for DoD PKI certificates. Individuals who have a duty station within a DoD facility and who require direct access to DoD networks are generally eligible for DoD PKI certificates.
Obtaining a DoD PKI Certificate
Common Access Card (CAC)
The Common Access Card (CAC) is the primary token for protecting private keys associated with identity, signature, and encryption certificates issued by the DoD PKI to DoD eligible users. CACs are issued by Verification Officials who are recognized as trusted agents of the DoD PKI for issuing certificates to human applicants.
CACs are issued at RAPIDS terminals. To locate the nearest RAPIDS office, visit http://www.dmdc.osd.mil/rsl/ and search by city, state, or ZIP code. Note that a smart card reader and middleware must be installed before a workstation can use the PKI certificates on a CAC.
Software certificates are issued by Local Registration Authorities.
Who Is Not Eligible for a DoD PKI Certificate?
DoD eligible users are active duty uniformed services personnel, members of the Selected Reserve, DoD civilian employees, and personnel working on site at DoD facilities using DoD network and e-mail services. Individuals who access DoD information systems from a remote location, such as accessing web servers, are not generally eligible for DoD PKI certificates. Individuals who conduct business with DoD entities, access DoD information systems over the Internet, or exchange e-mail with DoD entities are not eligible for DoD PKI certificates unless they also work on site at DoD facilities. DoD allies and coalition partners are not eligible for DoD PKI certificates unless they work on site at DoD facilities.
DoD PKI External Certification Authorities (ECA)
Department of Defense (DoD) policy requires that many information systems become PK-Enabled. While all individuals who sit at DoD facilities, including military and civilian employees and contractor personnel will be issued a DoD Common Access Card (CAC) containing certificates issued by the DoD Public Key Infrastructure (PKI), there are many external entities and organizations that the DoD communicates with, through access to DoD information systems and via e-mail, that will not be issued DoD PKI digital certificates. The External Certification Authority (ECA) program is designed to provide a mechanism for these external entities and organizations to get certificates that have been approved by the DoD as meeting the required DoD assurance level for binding the identity of the named certificate holder to the public key contained in the certificate.
The ECA program is not restricted for use only by DoD applications.
For more information about the ECA program, see http://iase.disa.mil/pki/eca.
Obtaining an ECA Certificate
ECA Certificates are obtained directly from the vendors. You may purchase an ECA Certificate from one of the following approved vendors:
NOTE: See each vendor's web site for pricing, system specifications, and instructions for obtaining, maintaining, and revoking your ECA certificate.
For more on how to obtain ECA certificates, see http://iase.disa.mil/pki/eca/certificate.html. For answers to frequently asked questions (FAQs) about the ECA PKI Program, and its offerings, see http://iase.disa.mil/pki/eca/frequently_asked_questions.html.
PKI Policy and Guidance
| Title | Summary |
| --- | --- |
| Common Access Card Memorandum, November 10, 1999 | Subject: "Smart Card Adoption and Implementation." The Department is implementing smart card technology through a common access card (CAC) and has developed four versions as described within this memorandum. |
| DoD Instruction 8520.2, "Public Key Infrastructure (PKI) and Public Key (PK) Enabling," April 1, 2004 | This Instruction implements policy, assigns responsibilities, and prescribes procedures for developing and implementing a Department-wide Public Key Infrastructure (PKI) and enhancing the security of Department of Defense (DoD) information systems by enabling these systems to use PKI for authentication, digital signatures, and encryption. It aligns DoD PKI and PK (Public Key)-Enabling activities with DoD Directive 8500.1, as implemented by DoD Instruction 8500.2, and the DoD Common Access Card (CAC) program, as specified by DoD Directive 8190.3. |
| FIPS Publication 201-1, March 2006 | Personal Identity Verification (PIV) of Federal Employees and Contractors |
| Homeland Security Presidential Directive - 12 (HSPD-12), August 27, 2004 | Subject: Policy for a Common Identification Standard for Federal Employees and Contractors |
Web Sites of Interest
DOD Access Card Office Homepage (for use by DoD personnel only)
DoD IA Strategic Plan Version 1.1, January 2004
FIPS Publications
Mission: Possible, Security to the Edge, August 2005
NIST Computer Security Division, Computer Security Resource Center
Public Key Infrastructure (PKI)
RAPIDS Site Locator