DoD PKI Certs – How to Install Them on Your Computer?

You can log in remotely using the certificates on your Common Access Card (CAC). This article will show you how to download and install these certificates on your computer. Network devices must verify that user certificates presented for identification and authentication are valid by checking with an OCSP responder. This requirement supports non-repudiation.

How Do DoD PKI Certs Work?

PKI is a set of digital certificates that allow you to encrypt incoming information and then decrypt it with a key only known by the sender. This means that any unauthorized party that intercepts the message in transit will only see gibberish. It also allows you to verify that the incoming information has not been altered during transmission. This capability is often referred to as integrity verification.

The certificate is tied to an identity through a private and public key pair, both of which are securely stored. The private key can only be accessed by the owner of the certificate, who decides with whom to share the public key. The Junos OS device retrieves these certificates from a certificate authority (CA) server and stores them in its ca-profile.

In addition to the public key, the certificate contains important details about the entity that is identified. This helps prevent spoofing or hijacking of the certificate. It also ensures that the certificate holder is who they claim to be and is not using malicious software or a fake identity.

The root certificates that are signed by a CA form the heart of PKI. The majority of operating systems and browsers come with a trusted root store pre-set, and all other certificates are validated against the root store. This allows you to have one set of trust rules that apply across all operating systems and browsers, allowing them all to authenticate each other.

Why Do I Need to Install DoD PKI Certs?

DoD certificates are required to establish a secure connection with DoD sites. This is necessary when logging in to AKO/DKO and using other DoD resources like the Army Portal.

A certificate is a digital document that proves the identity of a website or individual. When you log in to AKO/DKO or other DoD sites, you are asked for your CAC or PIV certificate. This is because the site is checking that the certificates on your computer match the certificates on the server.

If you are having trouble connecting to a DoD site, you may need to install the DoD PKI certs on your computer. This is a quick and easy process that can resolve many issues. To do this, go to the AKO/DKO homepage and click the DoD Certificate Information area. Follow the instructions there to download and install the certs.

DoD is seeking sources to provide a modernization solution for its Department of Defense (DoD) Public Key Infrastructure (PKI). The contract scope includes:

  • Engineering.
  • Transition to the new solution.
  • Continued support of the existing PKI system.

The DoD PKI program also requires developing custom tools to address specific requirements that relying parties have when using the DoD PKI. The project includes development activities that will produce a set of new capabilities for the DoD PKI, including online certificate status protocol and global directory services.

How Do I Reinstall Them?

Many enterprise IT systems use certificates issued by DoD. You may need to reinstall these if you encounter issues such as your CAC-enabled browser prompting you with “There is a problem with this website’s security certificate / site is not trusted”, or if the DoD websites worked previously but don’t anymore. To reinstall these certificates, click the link below to download the InstallRoot 3.16a file and follow the instructions. This file was created by DISA, and if you have any problems, please contact them.

For those using Junos OS, you can also find instructions on installing these certificates within the IKE Gateway configuration. This is required if your device is configured to utilize a DoD PKI tunnel for Internet Key Exchange (IKE).

The root and intermediate certificates are important because they help verify the authenticity of the end-entity certificates (such as those issued to web sites and individual users). Without these certificates, an adversary could attempt to falsify a certificate chain and cause a false trust anchor to be used by a victim, which could allow them to gain access to a system or network.

To install these certificates on your device, you can run the InstallRoot utility (32-bit or 64-bit NIPR, Non-Administrator) on Windows devices to make the certificates available to the operating system and browsers. To learn more about InstallRoot, read the user guide.

What If They Don’t Work?

When a PIV/CAC card is inserted into a CAC reader on any computer, and you attempt to visit a government site (or system) that requires PIV/CAC authentication, the certificates on the PIV/CAC are used to authenticate. Each PIV/CAC contains at least one certificate used to identify the user, which is signed by a root certificate the Government Agency maintains.

If you have a faulty certificate or the root certificates have been revoked for some reason, then the sites requiring PIV/CAC authentication will fail. To resolve this issue, close the web browser, remove the PIV/CAC from the reader, reinsert, and try again.

Sometimes, the certificates on a PIV/CAC can be written over by certain Microsoft updates. When this happens, you will be unable to sign any forms using Pure Edge. To correct this, you will need to manually find and delete the old certificates from the following locations:

FBCA Cross-Certificate Remover – This utility removes certificates that cause the cross-certificate chaining problem for DoD users from the local computer and user certificate stores. To use this tool, you will need administrator access. The tool can be downloaded from the PKI/PKE Document Library > Tools > FBCA Cross-Certificate Removal Tool. You can also contact your local IT support staff if you need assistance with this tool.
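A read-only check of the Windows certificate stores, useful after running InstallRoot or the cross-certificate removal tool. This is an added example, not DISA's code and not part of the original article. The subject pattern, the status labels and the helper name `Get-CertStatus` are assumptions of this example.

```powershell
# Read-only audit: list DoD CA certificates in the machine and user stores.
# Assumption: DoD CA subjects look like "CN=DoD ... CA ..." (e.g. "DoD Root CA 3").
$pattern = 'CN=DoD[^,]*CA'
$stores  = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
           'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\CA'

function Get-CertStatus {
    param($Cert, [string]$Store)
    $now = Get-Date
    $selfSigned = $Cert.Subject -eq $Cert.Issuer   # name comparison only (heuristic)
    if ($Cert.NotAfter  -lt $now) { return 'EXPIRED' }
    if ($Cert.NotBefore -gt $now) { return 'NOT-YET-VALID' }
    # A trust anchor should be self-signed; anything else in Root deserves a look.
    if ($Store -like '*\Root' -and -not $selfSigned) { return 'NOT-SELF-SIGNED-IN-ROOT' }
    # A root CA name issued by a different CA is a cross-certificate, the kind
    # of entry that can pull chain building away from the DoD root.
    if ($Cert.Subject -match 'Root CA' -and -not $selfSigned) { return 'CROSS-CERT' }
    return 'OK'
}

$report = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Status     = Get-CertStatus -Cert $_ -Store $store
                Store      = $store
                Subject    = $_.GetNameInfo('SimpleName', $false)
                Issuer     = $_.GetNameInfo('SimpleName', $true)
                NotAfter   = $_.NotAfter
                Thumbprint = $_.Thumbprint
            }
        }
}

$report | Sort-Object Status, Store, Subject | Format-Table -AutoSize

# No valid self-signed DoD root in either Root store means chains cannot anchor.
$anchors = $report | Where-Object { $_.Store -like '*\Root' -and $_.Status -eq 'OK' }
if (-not $anchors) { Write-Warning 'No valid DoD root CA found in the Root stores.' }
```

Nothing is deleted by this script; entries flagged EXPIRED or CROSS-CERT are candidates to review before removing anything by hand or with the removal tool.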