Posted on Thursday, June 27th, 2024
Valued WidePoint Customer,
No later than July 6, 2024, WidePoint will begin issuing 3-year-validity ECA certificates from the new WidePoint ECA 9 CA, whose CA certificate was issued by the DoD's ECA Root CA 5. WidePoint is working closely with DISA to ensure that the DoD Authorizations are published by that time and that notices have been sent to DoD relying parties.
ECA PKI CAs have a limited lifespan. When WidePoint ECA 8 was established, the DoD ECA PKI policy allowed an ECA CA to operate for only 6 years. In addition, a basic PKI rule applies: an end-entity certificate may not expire after the CA certificate that issued it. By early July, WidePoint ECA 8 will be within 3 years of its own expiration and therefore can no longer issue 3-year certificates. That duty will be taken over by WidePoint ECA 9.
No. Certificates already issued under WidePoint ECA 8 are not affected by the addition of ECA Root CA 5 and WidePoint ECA 9 to the ECA PKI; they continue to validate exactly as before.
Not initially. Historically there has been a 'burn-in' period before all relying-party (DoD) systems have their configurations updated to accept a newly added ECA CA. To minimize the risk to its ECA customers during that period, WidePoint will continue to issue certificates with less than 3 years of validity from WidePoint ECA 8. WidePoint anticipates shifting all ECA issuance to WidePoint ECA 9 by July 2025.
The new ECA Root CA 5 and WidePoint ECA 9 CA certificates both use 4096-bit RSA keys and are signed with SHA-384. Prior ECA trust-chain certificates used 2048-bit RSA keys signed with SHA-256. Relying-party software that restricts the key sizes or signature algorithms it accepts must therefore allow 4096-bit RSA and SHA-384 for the new chain.
End-entity certificates (i.e. your certificates) issued by WidePoint ECA 9 will continue to use 2048-bit RSA keys with SHA-256 signatures until 2028, when end-entity certificates will be required to use 3072-bit RSA keys with SHA-384 signatures.
WidePoint has made the new certificates available here:
DISA has also published the certificate data at https://crl.gds.disa.mil/ (an ECA or CAC certificate is required to access it). The new CA certificates are also available under the ECA menu of the DoD's InstallRoot tool (available at https://public.cyber.mil/pki-pke/tools-configuration-files/).
WidePoint strongly recommends that the IT staff of customer organizations add the new root and intermediate CA certificates to their systems now and confirm that those systems accept certificates chaining to them. The InstallRoot tool is a convenient way to install these certificates on Microsoft Windows systems.
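To make the checks above concrete (the rule that a certificate may not outlive its issuing CA, the 4096-bit RSA / SHA-384 trust chain with 2048-bit / SHA-256 end-entity certificates, and confirming that a system's trust store accepts certificates chaining to the new root), here is an added example script. It is not part of WidePoint's notice and is not WidePoint or DISA tooling. It builds a constructed test PKI with openssl in a temporary directory, shaped like this transition (an old root and issuing CA nearing expiry, a new root and issuing CA), and runs the checks against it; the same functions can be pointed at the real ECA Root CA 5, WidePoint ECA 9 and subscriber certificate files. Every CA name in it is made up, and it assumes openssl 1.1.1 or later and GNU date on PATH.

```sh
#!/bin/sh
# Added example, not WidePoint's or DISA's code. Builds a throwaway test PKI with
# openssl (every name below is constructed) shaped like the change described in
# this notice: an old root/issuing-CA pair (2048-bit RSA, SHA-256) whose issuing
# CA is nearing expiry, and a new pair (4096-bit RSA, SHA-384), then runs the
# checks an IT team would run against the real certificates.
# Assumes: openssl 1.1.1 or later and GNU date on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so nothing here depends on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_ee ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
EOF

# make_csr <name> <rsa-bits> <CN>: fresh RSA key pair plus a CSR for it
make_csr() {
  openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$2" -out "$WORK/$1.key" 2>/dev/null
  openssl req -new -config "$WORK/openssl.cnf" -key "$WORK/$1.key" -subj "/CN=$3" -out "$WORK/$1.csr"
}
# self_sign <name> <days> <digest>: self-signed root CA certificate
self_sign() {
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days "$2" "-$3" -set_serial 1 \
    -extfile "$WORK/openssl.cnf" -extensions v3_ca -out "$WORK/$1.pem" 2>/dev/null
}
# issue <name> <issuer> <ext-section> <days> <digest> <serial>: sign a CSR with an issuing CA
issue() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -set_serial "$6" \
    -days "$4" "-$5" -extfile "$WORK/openssl.cnf" -extensions "$3" -out "$WORK/$1.pem" 2>/dev/null
}

# --- the constructed test PKI (lifetimes are days from now) ---
make_csr old_root 2048 "Test ECA Root 4 (constructed)"; self_sign old_root 3650 sha256
make_csr old_ca   2048 "Test ECA 8 (constructed)";      issue old_ca old_root v3_ca 900 sha256 2
make_csr new_root 4096 "Test ECA Root 5 (constructed)"; self_sign new_root 7300 sha384
make_csr new_ca   4096 "Test ECA 9 (constructed)";      issue new_ca new_root v3_ca 2190 sha384 2
make_csr ee_short 2048 "subscriber-1yr-old-ca";         issue ee_short old_ca v3_ee 365 sha256 100
make_csr ee_long  2048 "subscriber-3yr-old-ca";         issue ee_long  old_ca v3_ee 1095 sha256 101
make_csr ee_new   2048 "subscriber-3yr-new-ca";         issue ee_new   new_ca v3_ee 1095 sha256 100
cat "$WORK/old_root.pem" > "$WORK/store_old.pem"                        # relying party not yet updated
cat "$WORK/old_root.pem" "$WORK/new_root.pem" > "$WORK/store_both.pem"  # relying party after the update
cat "$WORK/old_ca.pem" "$WORK/new_ca.pem" > "$WORK/intermediates.pem"

# --- the checks; point these at the real root, intermediate and subscriber PEM files ---
key_bits()  { openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'; }
sig_alg()   { openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm:/ { print $3; exit }'; }
not_after() { date -d "$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2-)" +%s; }
# outlives_issuer <ee.pem> <ca.pem>: true when the end-entity cert expires after the CA that issued it
outlives_issuer() { [ "$(not_after "$1")" -gt "$(not_after "$2")" ]; }
# chain_ok <trust-store.pem> <intermediates.pem> <ee.pem>: path validation against that store only
chain_ok() { openssl verify -no-CApath -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; }

for c in new_root new_ca ee_new; do
  printf '%-9s %s-bit RSA, %s\n' "$c" "$(key_bits "$WORK/$c.pem")" "$(sig_alg "$WORK/$c.pem")"
done
outlives_issuer "$WORK/ee_long.pem" "$WORK/old_ca.pem" && echo "ee_long outlives its issuing CA: policy violation"
chain_ok "$WORK/store_old.pem"  "$WORK/intermediates.pem" "$WORK/ee_new.pem" || echo "ee_new rejected by the un-updated store"
chain_ok "$WORK/store_both.pem" "$WORK/intermediates.pem" "$WORK/ee_new.pem" && echo "ee_new accepted once the new root is installed"
```

Two things the run shows that the notice only states. First, a certificate issued from the old CA with 3 years of validity still passes ordinary path validation today (chain_ok succeeds for ee_long), because X.509 validation checks each certificate's validity against the current time rather than nesting the lifetimes; the "may not outlive its issuer" rule is a policy constraint on issuance, which is why the outlives_issuer check is separate. Second, the certificate from the new CA fails with "unable to get local issuer certificate" against a store holding only the old root, and passes once the new root is added, which is exactly the burn-in failure mode a relying party sees before its trust store is updated.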