DoD PKI Management Help
Because of improperly configured revocation checking, the DoD PKI network infrastructure is stressed at peak times by large numbers of customer requests to GDS for CRLs of significant size. These requests are generated automatically during certificate validation. Currently there are 37 Certification Authorities (CAs) issuing CRLs, which combined are over 100MB in size. Given the demands of CRL-based certificate validation, it is impractical for every application to download a CRL every time a certificate is presented. A hierarchical approach is needed, where some services are provided by the DoD Public Key Infrastructure, some by the DoD Component infrastructure, and some by the Local Area Network.
- Establish a cache for CRLs within the DoD Component domain. The PKE Workspace on the Global Information Grid (GIG) Enterprise Services (GES) portal (https://www.us.army.mil/suite/page/474113) has several options for establishing a local CRL cache. CRL caching lets administrators decide when a CRL is downloaded, rather than waiting for the first request that needs a specific CRL to arrive. CRL downloads can then be done at a time that is more efficient for the LAN. The cache can also be used to fetch the CRLs of the External Certificate Authorities (ECAs) and make them available locally, since those CRLs are currently not available through the Robust Certificate Validation Service (RCVS).
- Utilize OCSP via RCVS. OCSP offers an alternative means of certificate validation. Instead of fetching a whole CRL, the client sends a request for an individual certificate to an OCSP responder that holds all of the CRL information, and the responder returns a very small signed message stating that the certificate is good, revoked, or unknown. The DoD PKI PMO stood up the Robust Certificate Validation Service (RCVS), located at http://ocsp.disa.mil, as part of the infrastructure. The RCVS offers two types of OCSP responder, commonly referred to as traditional (Tumbleweed) and distributed (Tumbleweed and CoreStreet) OCSP.
- Configure downloads to occur at a scheduled time. All CRLs issued by the DoD PKI are published once per day and are available on GDS (crl.gds.disa.mil). The CRLs should be downloaded to the DoD Components infrastructure once, and only once, per day.
- Utilize the All CRL ZIP. The All CRL ZIP is a single ZIP file containing all of the latest CRLs hosted by GDS. Downloading the All CRL ZIP is a more efficient way to obtain all of the latest CRLs when caching them locally within a Component domain.
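The following script is an added illustration of the Component-level cache the recommendations above describe (one scheduled download of the All CRL ZIP per day, unpacked into a local cache that validators read from); it is not part of this help page or of any DISA tool. The ZIP URL path is a placeholder (only the crl.gds.disa.mil host is named on the page), the sample ZIP is constructed from dummy bytes, and each CRL's signature and validity period are still checked by the application that consumes the cache.

```python
import io, json, tempfile, zipfile
from datetime import datetime, timedelta, timezone
from pathlib import Path
from urllib.request import urlopen

ALL_CRL_ZIP_URL = "https://crl.gds.disa.mil/PLACEHOLDER/ALLCRLZIP.zip"  # host from the page; the path is a placeholder

def http_fetch(url):
    """Download the All CRL ZIP from GDS (the only network call in this example)."""
    with urlopen(url, timeout=120) as resp:
        return resp.read()

def refresh_due(last, now, hour=3):
    """Allow at most one download per calendar day, and only after the scheduled UTC hour (default 03:00)."""
    return last is None or (now.hour >= hour and last.date() < now.date())

def update_cache(cache_dir, now, fetch=http_fetch, hour=3):
    """One scheduled run; returns 'skipped' or 'updated'. Cached CRL files are replaced atomically."""
    cache = Path(cache_dir)
    cache.mkdir(parents=True, exist_ok=True)
    state_file = cache / "cache-state.json"
    state = json.loads(state_file.read_text()) if state_file.exists() else {}
    last = datetime.fromisoformat(state["last_download"]) if "last_download" in state else None
    if not refresh_due(last, now, hour):
        return "skipped"  # serve what is already on disk; no request goes to GDS
    with zipfile.ZipFile(io.BytesIO(fetch(ALL_CRL_ZIP_URL))) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".crl") or "/" in name or "\\" in name:
                continue  # only bare *.crl members; names with path components are refused (zip-slip guard)
            tmp = cache / (name + ".tmp")
            tmp.write_bytes(zf.read(name))
            tmp.replace(cache / name)  # atomic rename: validators never read a half-written CRL
    state["last_download"] = now.isoformat()
    state_file.write_text(json.dumps(state))
    return "updated"

def run_demo():
    """Offline walk-through using a constructed ZIP (dummy bytes, not real DoD CRLs) in a temp directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("SAMPLE_CA_1.crl", b"\x30\x00")
        zf.writestr("../escape.crl", b"\x30\x00")  # must be refused: it would land outside the cache
    cache = tempfile.mkdtemp(prefix="crl-cache-")
    day1 = datetime(2024, 1, 1, 3, 5, tzinfo=timezone.utc)
    runs = [update_cache(cache, day1 + delta, lambda url: buf.getvalue())
            for delta in (timedelta(0), timedelta(hours=6), timedelta(days=1))]
    return runs, sorted(p.name for p in Path(cache).iterdir())
```

Run `update_cache` from a daily cron job shortly after the scheduled hour; the first run downloads, a second run the same day is served from the cache, and the next day's run downloads again.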
About the buttons
- Home - Displays the Welcome page.
- Help - Displays this Help page.
- FAQs - Displays a page of Frequently Asked Questions.
- Search GDS - Redirects you to the DoD411 Search page.
How to use the Interface
To view or download the certificate or Certificate Revocation List (CRL) of a particular Certification Authority (CA), select (highlight) the CA on the list in the left hand frame. Once a CA has been selected, the right hand frame will display the actions that can be performed for that CA, that is, View/Download the Certificate and/or download the associated CRL. The update date of the CRL is displayed next to the download link under the Certificate Revocation List label.
- Note: Because of security concerns, this interface will not allow the download of the root CA self-signed certificate; the view function, however, remains available to the user.
If View is selected for the Certification Authority Certificate, a new window will appear displaying a text description of some of the CA certificate fields.
- Note: Close this view window in order to return to the DoD PKI Management Interface.
If Download is selected for the Certification Authority Certificate, a standard file download dialog box in Internet Explorer or Save File dialog box in Netscape will appear. In response to the user input, the CA certificate will be saved in a directory selected by the user.
- Note: The user should remember this location in order to retrieve the certificate for further use or processing.
If Download is selected for the CRL, a standard file download dialog box in Internet Explorer or Save File dialog box in Netscape will appear. In response to the user input, the CRL will be saved in a directory selected by the user.
- Note: The user should remember this location in order to retrieve the CRL for further use or processing.
Note: The CA listing and the CRLs are refreshed automatically. By default this refresh is performed every 15 minutes but may be sooner or later depending on volatility.