News & Updates

ORC ECA final phase of SHA-256 migration

As part of the DoD’s transition to SHA-256, WidePoint (formerly ORC) will begin the final phase of migrating our ECA offerings to SHA-256 in October.  Beginning October 12, all new person certificate requests will be from the new ORC SHA-256 ECA Certificate Authority, ORC ECA 6.  To ensure that we maintain compliance with DoD ECA Certificate Policy, no SHA-1 ECA certificate that expires after November 11, 2016 will be renewed.  All requests will be new requests requiring Identity verification.  This may require new smart cards/crypto-tokens for Medium-Token Assurance and Medium-Hardware Assurance certificate users.

This is all part of the DoD’s transition to SHA-256 this year.  In January 2016, DoD required that all new ECA SSL/server certificates be issued with SHA-256.  In July, the DoD began issuing SHA-256 CACs and has ceased issuance of SHA-1 CACs.

In preparation for this transition, our site (https://eca.orc.com) has had the new SHA-256 ECA Root certificate and ORC ECA Intermediate certificate posted on our Trust CA’s page for most of the year.  DoD resources (like the DoD’s InstallRoot tool) have had the SHA-256 DoD and ECA PKI trust paths indicated for even longer.

What is not different:

What is different:

Frequently Asked Questions

Cybersecurity Sprint PIV-I Solutions

Certificate-on-Device for Windows To Go

What is Heartbleed’s impact to my ORC certificate?

Heartbleed is a vulnerability in OpenSSL, software which provides cryptographic services to computers on the Internet. Please be aware that the Heartbleed vulnerability is not a virus, so it cannot spread from one computer to another.

If you have ORC client certificates—certificates that identify you to web sites—your certificates are not at risk. There are no common web browsers that use OpenSSL. Accordingly, Heartbleed cannot allow compromise of a client certificate private key from a personal computer.

If someone were to use a vulnerable version of OpenSSL on a web server with an SSL/TLS certificate—even an SSL/TLS server certificate provided by ORC—there is potential for the web server to be compromised. If you believe that your private key may have been compromised, please revoke your SSL/TLS server certificate as soon as possible and install a new SSL/TLS server certificate using new keys.

This vulnerability generally applies to any server using OpenSSL versions 1.0.1 through 1.0.1f regardless of the source of the certificate. We recommend that you perform an immediate review of all of your systems and upgrade your OpenSSL packages if necessary.

OpenSSL versions 0.9.8, 1.0.0 and 1.0.1g are not affected by the Heartbleed vulnerability.

For more information regarding the Heartbleed vulnerability, please see:

If you have further questions, you may contact the ORC PKI Help Desk.
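As an aid to the system review recommended above, the following added example (not ORC's code) classifies an OpenSSL version string against the ranges stated in this notice. The function name `heartbleed_status` and the sample strings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify an OpenSSL version string against the ranges
# stated in this notice. Sample strings below are constructed.

# heartbleed_status "VERSION STRING" -> affected | not-affected | not-listed
heartbleed_status() {
    ver=""
    # Accept a bare version ("1.0.1e") or full `openssl version` output
    # ("OpenSSL 1.0.1e 11 Feb 2013"): use the first token starting with a digit.
    for tok in $1; do
        case "$tok" in
            [0-9]*) ver=$tok; break ;;
        esac
    done
    # Drop build suffixes such as "-fips"; they do not change the upstream release.
    ver=${ver%%-*}
    case "$ver" in
        1.0.1|1.0.1[a-f])  echo affected ;;       # 1.0.1 through 1.0.1f
        1.0.1[g-z])        echo not-affected ;;   # 1.0.1g and later letter releases
        0.9.8*|1.0.0*)     echo not-affected ;;   # older branches
        *)                 echo not-listed ;;     # not covered by this notice
    esac
}

# Constructed samples, one per line.
samples='OpenSSL 1.0.1e 11 Feb 2013
OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL 1.0.1g 7 Apr 2014
OpenSSL 0.9.8y 5 Feb 2013
OpenSSL 1.0.0k 5 Feb 2013'

printf '%s\n' "$samples" | while IFS= read -r line; do
    printf '%-36s %s\n' "$line" "$(heartbleed_status "$line")"
done

# Classify the locally installed binary, if there is one.
if command -v openssl >/dev/null 2>&1; then
    local_ver=$(openssl version)
    printf '%-36s %s\n' "$local_ver" "$(heartbleed_status "$local_ver")"
fi
```

The version string identifies the upstream release only. Distribution packages may carry a backported fix under an unchanged version letter, so confirm any "affected" result against the vendor's package advisory before deciding whether to replace keys.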

IE 11 error: Could not convert certificate to PKCS7 format

Due to changes in Microsoft Internet Explorer (IE) 11, an error may be produced when attempting import of a certificate in that browser.

To overcome the error message “Could not convert certificate to PKCS7 format”, place the browser into Compatibility view by following the instructions here:

http://eca.orc.com/wp-content/uploads/ECA_Docs/IE_Instructions/IE11_Compatibilty_View.pdf

TAMMS-A Requires PKI Certificate Login

The ORC Difference

ORC was the first company to graduate from the DoD’s Interim External Certification Authority (IECA) program to the final ECA program. We are the only authorized vendor to issue every type of certificate sanctioned under the DoD ECA policy.

ORC’s lineage traces back to the early days of the DoD PKI (CAC) certificate program when the ORC Team hosted and operated the DoD PKI Development and Test Labs. This gives ORC very detailed knowledge of both DoD PKI and DoD ECA PKI, including the history, legacy conditions, and similarities and differences of the two DoD certificate programs.

Since 01 Sep 2012, TAMMS-A login has required PKI certificates.

Directive JTF-GNO CTO 07-015 (07APR08) mandates PKI certificate to access private DoD applications.

Users without a CAC card will need an AKO account as well as a DoD approved External Certificate Authority (ECA) Certificate for TAMMS-A access.

What Certificate type does TAMMS-A require?

TAMMS-A only requires, at a minimum, a software based ECA certificate (the “Medium Assurance” certificate). However, if you access other DoD systems that require a higher security credential (e.g., JPAS, FEDMALL, etc.) you should purchase one of the hardware based options, either the “Medium Token” or the “Medium Hardware.” TAMMS-A will accept hardware based certificates as well as software based ECA credentials.

As a reminder, it is against DoD Regulations to share a username and password or allow an individual to access another’s TAMMS-A account in any manner.

DoD Policy requires that certificates be downloaded onto a user’s device (software or hardware) within 30 days.  Failure to complete this process within 30 days will require the applicant to start over again.

ORC offers the following TAMMS-A approved DoD PKI ECA Digital Certificates:

Medium Assurance Identity and Encryption Certificates

Also referred to as ‘browser based’ or ‘soft’ certificates, these certificates meet the minimum-security requirements for TAMMS-A.

Medium-Token Assurance Identity and Encryption Certificates

These are ‘hardware based’ certificates that may be obtained remotely. You must have a USB token or smart card on hand before you apply. Hardware items are separately priced. See contact information below to order.

Medium-Hardware Assurance Identity and Encryption Certificates

These are ‘hardware based’ certificates available in USB token or smart card form that must be obtained in person. They are equivalent to the certificates on a DoD Common Access Card (CAC). Hardware items are separately priced. See contact information below to schedule an appointment.

Contact us at ecahelp@orc.com to order hardware items or to set up an appointment for on-site issuance of Medium-Hardware certificates.

Please visit our pricing page for certificate and hardware item pricing.

ORC’s Help Desk can provide remote desktop assistance for any issue you may encounter. Please contact ecahelp@orc.com for rapid support.

Attention FEDMALL Users

Quickly gain access to FEDMALL with an ORC ECA Medium Token Assurance Identity/Encryption Certificate Pair.
ORC provides the following necessary items for FEDMALL access:
  1. An approved active PKI Certificate; and
  2. Hardware and Software needed to read the PKI certificate.

Please see our pricing page for information on the necessary hardware and software for Medium Token certificates.

Features

  1. Your choice of USB token or smart card hardware
  2. Use for both signing and encrypting your email

Ready to begin?

Please contact ecahelp@orc.com to order hardware and software items.
ORC’s typical certificate issuance time is between 3 and 5 days after all paperwork is received. You will receive an email notification when your certificates have been issued.
If you have any general questions, please contact ecahelp@orc.com.

Attention JPAS Users

JPAS logon procedures have been updated to provide additional security and privacy of clearance data and personally identifiable information (PII). These changes are pursuant to Department of Defense (DoD) regulations mandating improved security by restricting access to only users with cryptographic logon.

Users need three items to access JPAS:

  1. An active JPAS account;
  2. An approved active PKI Certificate; and
  3. Hardware and Software needed to read the PKI certificate.

ORC is pleased to provide ECA credentials (items 2 and 3) for the JPAS infrastructure. While either type of PKI Certificate (Medium Token or Medium Hardware) is accepted, please be aware that there is a growing number of DoD sites that require Medium Hardware and will not accept Medium Token. To avoid unnecessary costs, we recommend that users who will access additional DoD sites select Medium Hardware.

Please see our pricing page for information on the necessary hardware and software for Medium Hardware and Medium Token certificates.
If you are ready to obtain your credentials, please schedule an appointment.