Announcing WidePoint ECA 9 Certificate Authority

Announcing WidePoint ECA 9 Certificate Authority

Posted on Thursday, June 27th, 2024

Valued WidePoint Customer,

Beginning no later than July 6, 2024, WidePoint will begin to issue 3 year validity ECA certificates from the new WidePoint ECA 9 CA.  This CA has been issued by the DoD’s ECA Root CA 5.  WidePoint is working closely with DISA to ensure that DoD Authorizations are published by that time and that notices have been sent to DoD relying parties.

Why is this happening?

ECA PKI CAs have a limited lifespan.  At the time WidePoint ECA 8 was established, the DoD ECA PKI policy only allowed ECA CAs to live for 6 years.  Additionally, a standard of all PKIs prohibits end-entity certificates issued by a CA to live beyond the issuing CA.  By early July WidePoint ECA 8 CA will be within 3 years of expiration and so will not be able to issue 3 year certificates.  That duty will be taken over by WidePoint ECA 9 CA.

Will this affect certificates that have already been issued?

No.  Certificates issued under WidePoint ECA 8 will not be impacted by the addition of the ECA Root CA 5/WidePoint ECA 9 CA to the ECA PKI.

Will WidePoint issue all new certificates from this new ECA 9 CA?

Not initially.  Historically, there has been a ‘burn in’ period before all relying party (DoD) systems have their configurations updated to adjust to new ECA CAs when they come on line.  WidePoint will continue to issue certificates of less than 3 years validity from WidePoint ECA 8 to minimize potential negative impact to WidePoint’s ECA customers.  WidePoint anticipates shifting all ECA issuances to WidePoint ECA 9 by July 2025.

What is new:

The new ECA Root CA 5 and WidePoint ECA 9 CA certificates are both RSA SHA-384, 4096 bit certificates.  Prior ECA trust chain certificates have been RSA SHA-256, 2048 bit certificates.

All certificates issued by WidePoint ECA 9 will continue to be RSA SHA-256, 2048 bit certificates until 2028, when end-entity (i.e. your) certificates will be required to be RSA SHA-384, 3072 bit certificates.

WidePoint has made the new certificates available here:

DISA has also published certificate data here:  (ECA or CAC certificate required) this new certificate data is available under the ECA menu in the DoD’s InstallRoot tool (available here:

What should I do?

WidePoint strongly recommends that IT staff of customer organizations add the new root and intermediate CA certificates to their systems to confirm that their systems will accept the new certificates.  The Installroot tool is very useful for putting these certificates into Microsoft systems.