ECA-External Certificate Authority

News & Updates

ORC ECA final phase of SHA-256 migration

Posted on Friday, October 7th, 2016

As part of the DoD’s transition to SHA-256, WidePoint (formerly ORC) will begin the final phase of migrating our ECA offerings to SHA-256 in October. Beginning October 12, all new person certificate requests will be issued from the new ORC SHA-256 ECA Certificate Authority, ORC ECA 6. To ensure that we maintain compliance with the DoD ECA Certificate Policy, no SHA-1 ECA certificate that expires after November 11, 2016 will be renewed. All requests will be new requests requiring identity verification. This may require new smart cards/crypto-tokens for Medium-Token Assurance and Medium-Hardware Assurance certificate users.

This is all part of the DoD’s transition to SHA-256 this year.  In January 2016, DoD required that all new ECA SSL/server certificates be issued with SHA-256.  In July, the DoD began issuing SHA-256 CACs and has ceased issuance of SHA-1 CACs.

In preparation for this transition, our site (https://eca.orc.com) has had the new SHA-256 ECA Root certificate and ORC ECA Intermediate certificate posted on our Trust CA’s page for most of the year.  DoD resources (like the DoD’s InstallRoot tool) have had the SHA-256 DoD and ECA PKI trust paths indicated for even longer.

What is not different:

  • The ORC ECA website remains largely unchanged.
  • The certificate request and issuance process also remains largely unchanged. You will still start and end up in the same place that you did before.

What is different:

  • The new certificates will be issued under the new ECA Root certificate [ECA Root CA 4] and the new ORC ECA Intermediate CA certificate [ORC ECA 6].
  • Unlike our SHA-1 offerings, where we had two issuing CAs, one for ‘software based’ certificates (ORC ECA SW5) and another for ‘hardware based’ certificates (ORC ECA HW5), all certificates will be issued by a single CA (ORC ECA 6).
  • The web form where subscribers enter their information looks a bit different, but it asks for exactly the same information in the same way.
  • There are fewer button clicks to get both the Identity and Encryption certificates.
  • The size of the paper forms has been cut by 75%, from 8 pages (typically) to 2:
    • Both the Identity and Encryption certificate request numbers are listed on the same request form.
    • The request form has been trimmed of all excess graphics.

Frequently Asked Questions

  • Do I have to replace my existing certificate?
    • No. The DoD has stated that they will continue to accept SHA-1 ECA certificates until December 31, 2019.
  • Will our existing SHA-1 certificates be revoked?
    • No. The DoD has stated that they will continue to accept SHA-1 ECA certificates until December 31, 2019.
  • Can we upgrade our existing SHA-1 certificates to SHA-256?
    • No.  It is not possible to change a SHA-1 certificate into a SHA-256 certificate.
  • Will my certificates be automatically converted to SHA-256?
    • No.  It is not possible to change a SHA-1 certificate into a SHA-256 certificate.
  • May I obtain SHA-256 ECA certificates if I already have SHA-1 certificates?
    • Yes, we will be happy to sell you SHA-256 ECA certificates.