A certificate that a domain controller uses to identify itself to other computers, enabling smart card logon to the network. It also contains the public key that web browsers require to set up a secure, encrypted connection with the server.
Any domain controller that can be used as a logon server to assign domain privileges must have a domain controller certificate in order to facilitate smart card logon across the network. For example, if you have 3 domain controllers handling user logons, each of the 3 must have its own domain controller certificate matching that machine's name.
A certificate used to authenticate client/user certificates within a Virtual Private Network.
IMPORTANT: You must perform the online application for yourself, in your own name. You may NOT make an Online Application for another individual. This is grounds for immediate revocation of the certificate, and any fees paid will not be returned.
The DoD ECA Certificate Policy requires all Subscribers to protect their certificate private keys from unauthorized use. Device (or Server) certificates do not have a password assigned to the private key, so you will need to protect the certificate private key by other means. You should keep a backup of the private key (or of the certificate together with the private key); the backup file will require you to assign a password. WidePoint-ORC will not know this password; it is never sent from your computer. If you forget your certificate password, you will be required to purchase a new certificate.
The specifics of making a CSR and key generation are different for each situation. Your server may have a specific procedure or you may use a common tool (e.g., OpenSSL). The process that you follow for making a CSR may require you to enter data that is not indicated in the information above. (For example, you might be required to enter information for “State” or “Locale”.) If so, enter values that are correct. But be advised that we will issue the certificate as indicated above and without those values. This is dictated by the DoD ECA Certificate Policy Certificate Profiles.
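As an added illustration of the two preceding points (an unencrypted device key with its CSR, plus a password-protected backup that stays on your side), the following script uses the OpenSSL command-line tool. It is example code written for this page, not WidePoint-ORC's procedure or a tool they supply; the hostname, subject fields, output directory and backup password are placeholders, and the subject you enter is only an example of what a tool may prompt for, since the issuer sets the final certificate contents per the certificate profile.

```shell
#!/bin/sh
# Added example (not WidePoint-ORC's procedure): create a device key pair and CSR
# with OpenSSL, then make a password-protected backup of the private key.
# All hostnames, subject fields, directories and passwords are placeholders.
set -eu

# Generate a 2048-bit RSA key (unencrypted, as device certificates use) and a CSR.
# The subject fields are placeholders; the issuer decides the final subject.
make_device_csr() {
  dir=$1; host=$2
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/$host.key" \
    -out "$dir/$host.csr" \
    -subj "/CN=$host/O=Example Org/OU=Placeholder Unit/C=US" >/dev/null 2>&1
  chmod 600 "$dir/$host.key"   # an unencrypted key relies on file permissions
}

# Check the CSR's self-signature and that its public key matches the private key.
verify_csr() {
  dir=$1; host=$2
  openssl req -in "$dir/$host.csr" -noout -verify >/dev/null 2>&1 || return 1
  key_pub=$(openssl pkey -in "$dir/$host.key" -pubout 2>/dev/null)
  csr_pub=$(openssl req -in "$dir/$host.csr" -noout -pubkey 2>/dev/null)
  [ "$key_pub" = "$csr_pub" ]
}

# Write a password-protected backup of the private key (encrypted PKCS#8 PEM).
# The password never leaves this machine; the CA cannot recover it for you.
backup_key() {
  dir=$1; host=$2; pass=$3
  openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$dir/$host.key" \
    -out "$dir/$host.key.enc" -passout "pass:$pass" >/dev/null 2>&1
  chmod 600 "$dir/$host.key.enc"
}

# Confirm the backup opens with the password and holds the same key as the original.
# Returns non-zero if the password is wrong, so a bad backup is caught before you need it.
check_backup() {
  dir=$1; host=$2; pass=$3
  openssl pkey -in "$dir/$host.key.enc" -passin "pass:$pass" -pubout 2>/dev/null \
    > "$dir/backup.pub"
  openssl pkey -in "$dir/$host.key" -pubout 2>/dev/null > "$dir/orig.pub"
  cmp -s "$dir/backup.pub" "$dir/orig.pub"
}

# Usage: sh make_csr.sh <outdir> <hostname> <backup-password>
if [ "$#" -eq 3 ]; then
  make_device_csr "$1" "$2"
  verify_csr "$1" "$2" && echo "CSR verified: $1/$2.csr"
  backup_key "$1" "$2" "$3"
  check_backup "$1" "$2" "$3" && echo "Encrypted backup verified: $1/$2.key.enc"
fi
```

Submit only the `.csr` file with your application; the `.key` file stays on the server and the `.key.enc` backup goes to a separate, access-controlled location. Running `check_backup` right after creating the backup confirms you recorded the password correctly while a new certificate is still avoidable.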
When creating the CSR, you will need the following information:
HOWEVER, if you are an MFOM Subscriber, you will provide a copy of a non-expired organizational photo ID showing your first and last name, your photo, and your DOD Agency/Branch, or a signed proof-of-affiliation letter, INSTEAD of the signed Component Certificate Authorization Letter.
The Trust procedure below may have been performed when you obtained your Identity Certificate. The trust procedure must be performed on every computer where ECA certificates will be used.
A few screens from now, you will be required to select a DOD/NSA Affiliation from a list. If you are getting an MFOM or TAXII Certificate, then you will select the radio button for that certificate and continue on with the process.
For subscribers of all other device certificates, you will select either ‘My Federal Program is not Listed’ or ‘No ECA Agency Affiliation is Required.’ Even if you are setting up server-to-server communications with a DOD or NSA server, you will still select one of those two options (it does not matter which one). The reason is that the ECA Affiliation page is designed to make sure that Client Certificate Subscribers select the appropriate level of ECA Client Certificate for accessing the web site(s); it has no bearing on device certificates.
If you do have an account with us already, click below to access your account.