- The organization must designate, in writing, a “PKI Point of Contact” and a “Code Signing Attribute Authority”
- The PKI Point of Contact (PoC) is responsible for communicating to the ORC ECA PKI, general information pertaining to members of the organization that obtain ECA PKI certificates (i.e. who is authorized to obtain which certificates, notifying the ORC ECA PKI when the person leaves the organization, etc.) and collecting and ‘zero-izing’ any cryptographic devices (smart cards) used with the associated ECA PKI certificates.
- The Code Signing Attribute Authority (CSAA) has specific responsibility for designating, in writing, which members of the organization are authorized to obtain ECA MCS certificates and the unique designator in the certificate Common Name field for each ECA MCS certificate issued to the organization.
- The PoC and CSAA may be the same person.
- The CSAA may designate themselves as an MCS certificate holder.
- Form letters are available here:
- Each perspective ORC ECA PKI MCS certificate holder must be designated in writing by the CSAA and must be an ORC ECA PKI Identity certificate subscriber, prior to issuance of the MCS certificate.
- Although the MCS certificate is a Medium-Hardware Assurance certificate, the Subscriber Identity certificate may be of any assurance level.
- While not required, a companion ORC ECA PKI Encryption certificate is also issued to the perspective MCS certificate holder.
- MCS certificates have the following critical requirements.
- The MCS certificate will have two values determined by the CSAA:
- A Common Name value equal to “CN=CS.
. ” The “optional number” is only optional for the first MCS certificate issued to an organization. After the first certificate is issued, all subsequent certificates are required to have a distinguishing set of characters (numeric or alphabetical) so that multiple MCS certificates issued to a single organization will each have a unique CN value. - A Subject Alternative Name value equal to “DirectoryName:
” - The MCS certificate is a Medium-Hardware Assurance certificate and is subject to the requirements listed below.
- You must be in possession of a ‘blank’ cryptographic device that meets the FIPS 140 Level 2 standard. You must be able to write certificates to this cryptographic device. You may purchase cryptographic devices and required middleware from ORC. ORC will not support middleware or cryptographic equipment obtained elsewhere.
- IMPORTANT: You must perform the online request in the presence of an ORC ECA Local Registration Authority (LRA).
- The DoD ECA Certificate Policy requires all Subscribers to protect their certificate private keys with a password or PIN. During the online request process you will have an opportunity to assign a PIN to protect the smartcard and the certificate private keys, therein. ORC will not know this PIN, it is not sent out from your computer. If you forget your smartcard PIN, you may be required to purchase a new card and certificate.
After reading the requirements above: