DoD PKI Management Frequently Asked Questions

  1. What is the Public Key Infrastructure?
    The Public Key Infrastructure (PKI) is the mechanism for distributing a large number of public keys to a large group of users in a trusted manner. These trusted public keys can be used to verify digital signatures on a document (i.e., authentication, document integrity, and non-repudiation) and to encrypt the documents.
  2. What is a Certification Authority?
    A Certification Authority (CA) is the entity that is responsible for issuing and revoking public key certificates and is trusted by the users of the PKI. The main functions it performs are issuance of public key certificates, publishing of user certificates, and promulgation of certificate revocation lists (CRLs). The public key certificates issued to users are signed by the associated CA to ensure that trust can be placed in their authenticity and integrity.
  3. What is a Root CA?
    The root CA is a trusted entity responsible for the issuing and administering of digital certificates that are to be used by subordinate CAs. The digital certificate of the root CA is self-signed, that is, the root CA authenticates its own identity. The root CA signs the digital certificates issued to subordinate CAs in its domain. The DoD root CA is the trust anchor for the DoD PKI subscribers. The DoD PKI subscriber verifies all certification paths starting with the DoD root CA public key. DoD PKI subscribers explicitly trust the DoD root CA public key.
  4. Why can't I download the certificate for the Root CA via this interface?
    The Root CA uses a self-signed certificate and it serves as the trust anchor for other CAs in its domain. Because of security concerns it must not be made available over clear, unprotected, unsecured and non-authenticated links.
    • Note: The certificate for a Root CA can be obtained from an appropriate source. However, because it is self-signed, its signature provides ABSOLUTELY no security. Thus, its integrity must be verified using some trusted means. One must get the thumbprint of the DoD root from a trusted source and verify that the thumbprint of the downloaded root is the same as the thumbprint obtained from the trusted source. If one does not do that, the security of the applicable PKI may be compromised. Note that the Microsoft certificate processing tools (native to one's machine) can be used to obtain the thumbprint of any certificate.
  5. Why do I need to view the CA certificate?
    One should view the CA certificate in order to verify its proper ownership and to determine if it is still valid (i.e., it has not expired).
  6. What is a Certificate Revocation List?
    A Certificate Revocation List (CRL) is a list of revoked certificates and the reason and date of revocation. A CRL is periodically updated by each CA and promulgated.
  7. Why do I need to download the CRL?
    To verify if a particular CA or user certificate is still valid (not revoked).
  8. How often is the CRL updated?
    By default, this interface checks for CRL updates every 5 minutes. Updates may become more or less frequent depending on the volatility of the underlying data.
  9. Why do I need a CA Certificate?
    The CA certificate is required to build a certification path (trust chain) from the DoD root (that you explicitly trust) to the user certificate. For example, if you need to verify a signature generated by "John Doe" or send an encrypted e-mail to "John Doe" you need the following certificate chain: DoD root CA -> Signing CA -> John Doe
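
The thumbprint comparison described in the note under question 4, as an added example (not part of the original FAQ or of any DoD tooling): it hashes a downloaded certificate's DER encoding and compares the result with a thumbprint obtained from a trusted source. The function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re
import unicodedata

_PEM = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
_ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}  # thumbprint length -> hash name

# Constructed stand-in bytes, NOT a real certificate. A thumbprint is a hash
# of the certificate's DER encoding, so any byte string exercises the check.
SAMPLE_DER = bytes.fromhex("3082000a") + b"constructed-sample"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")


def cert_to_der(data: bytes) -> bytes:
    """Return the DER bytes of a certificate file given as PEM or DER."""
    match = _PEM.search(data)
    if match is None:
        return data  # no PEM armor: treat the input as DER already
    return base64.b64decode(b"".join(match.group(1).split()), validate=True)


def normalize_thumbprint(text: str) -> str:
    """Reduce a displayed thumbprint to lower-case hex.

    Drops whitespace, colons and invisible format characters such as U+200E,
    which can ride along when a thumbprint is copied from a GUI dialog.
    """
    kept = [c for c in text
            if not (c.isspace() or c == ":" or unicodedata.category(c) == "Cf")]
    value = "".join(kept).lower()
    if not re.fullmatch(r"[0-9a-f]+", value) or len(value) not in _ALGO_BY_HEX_LEN:
        raise ValueError("expected a SHA-1 or SHA-256 thumbprint in hex")
    return value


def thumbprint_matches(cert_file_bytes: bytes, trusted_thumbprint: str) -> bool:
    """True only if the certificate hashes to the trusted thumbprint."""
    want = normalize_thumbprint(trusted_thumbprint)
    got = hashlib.new(_ALGO_BY_HEX_LEN[len(want)], cert_to_der(cert_file_bytes)).hexdigest()
    return hmac.compare_digest(got, want)


if __name__ == "__main__":
    trusted = hashlib.sha256(SAMPLE_DER).hexdigest()  # stands in for the out-of-band value
    print(thumbprint_matches(SAMPLE_PEM, trusted))
```

The thumbprint shown by the Windows certificate viewer is the SHA-1 hash of the DER encoding, so a 40-character value selects SHA-1 here and a 64-character value selects SHA-256.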

If you have any technical questions about the PKI Management Interface, send inquiries to disa.meade.id.mbx.gds@mail.mil or dodpke@mail.mil.