Valued WidePoint Customer,
In June of 2026, WidePoint shifted all certificate issuance to the WidePoint ECA 9 CA for all certificate types. Since June 2024, WidePoint has been gradually shifting certificate issuance from the WidePoint ECA 8 CA to the WidePoint ECA 9 CA.
In early July, WidePoint ECA 8 CA will be too old to issue even one-year ECA certificates, so all ECA certificates will be issued by WidePoint ECA 9 CA.
The WidePoint ECA 9 CA is signed by the DoD’s ECA Root CA 5, so subscribers may need to update their trust chains appropriately.
Please be advised that DoD’s ECA Root CA 5 and WidePoint ECA 9 CA have been in service since 2024, so DoD systems should already be updated to rely on WidePoint ECA 9 CA.
To update your trust chain, we have PDF instructions for the InstallRoot Program.
No. Certificates issued under WidePoint ECA 8 will not be impacted by the addition of the ECA Root CA 5/WidePoint ECA 9 CA to the ECA PKI.
The new ECA Root CA 5 and WidePoint ECA 9 CA certificates are both RSA SHA-384, 4096 bit certificates. Prior ECA trust chain certificates have been RSA SHA-256, 2048 bit certificates.
All certificates issued by WidePoint ECA 9 will continue to be RSA SHA-256, 2048 bit certificates until 2028, when end-entity (i.e. your) certificates will be required to be RSA SHA-384, 3072 bit certificates.
WidePoint has made the new certificates available here:
DISA has also published certificate data here: https://crl.gds.disa.mil/ (ECA or CAC certificate required) this new certificate data is available under the ECA menu in the DoD’s InstallRoot tool (available here: https://www.cyber.mil/pki-pke/tools-configuration-files/).
WidePoint strongly recommends that IT staff of customer organizations add the new root and intermediate CA certificates to their systems to confirm that their systems will accept the new certificates. The InstallRoot tool is very useful for putting these certificates into Microsoft systems.
Certificates
Quick Links
