ECA Component Server SSL, ECA Domain Controller, ECA VPN/IPsec, MFOM, and TAXII Requests

Step 1 | Select A Certificate Type

Component/Server/SSL Certificate Features

  • Allows a server to identify itself to other computers via SSL and TLS communication
  • Software only — no hardware needed (although it can also be used with a hardware security module)
  • Includes a public key for encrypting communications
  • Useful for any web server that requires secure connections


Domain Controller Certificate Features

A certificate that a domain controller uses to identify itself to other computers, enabling smart card logon to the network. It also includes the public key that web browsers need in order to set up a secure, encrypted connection with the server.

Any domain controller that can be used as a logon server to assign domain privileges must have a domain controller certificate in order to facilitate smart card logon across the network. For example, if you have 3 domain controllers handling user logons, all 3 must have a unique domain controller certificate that corresponds to that machine name.


VPN/IPSec Certificate Features

A certificate used to authenticate client/user certificates within a Virtual Private Network.


Step 2 | Read The Instructions

IMPORTANT: You must perform the online application for yourself, in your own name. You may NOT make an Online Application for another individual. This is grounds for immediate revocation of the certificate, and any fees paid will not be returned.

  • A workstation with a web browser whose cryptographic module is FIPS 140-1/140-2 Level 1 compliant is required. You may use Edge, Chrome, or Firefox to make the certificate request.
  • After we issue the certificate, you will combine it with the private key according to your server manual's instructions.
  • If you are renewing a device certificate, you must generate a new private key. You cannot use a previous private key with a new public key.

The DoD ECA Certificate Policy requires all Subscribers to protect their certificate private keys from unauthorized use. Device (or Server) certificates do not have a password assigned to the private key, so you will need to protect the certificate private key by other methods. You should keep a backup of the private key (or of the certificate together with the private key); the backup file will require you to assign a password. WidePoint-ORC will not know this password; it is never sent out from your computer. If you forget your certificate password, you will be required to purchase a new certificate.

Step 3 | Generating a Certificate Signing Request (CSR)

The specifics of key generation and making a CSR differ for each situation. Your server may have its own procedure, or you may use a common tool (e.g., OpenSSL). The process you follow for making a CSR may require you to enter data that is not part of the subject values listed below (for example, you might be required to enter a value for “State” or “Locale”). If so, enter values that are correct, but be advised that we will issue the certificate with the subject values listed below and without those extra values. This is dictated by the DoD ECA Certificate Policy Certificate Profiles.

When creating the CSR, you will need the following information:

  • Key Length or Key Size: 2048 bit RSA (Note: exactly 2048 bits; no more, no less)
  • Hash Algorithm: SHA2 or SHA256
  • Subject values: C=US, O=U.S. Government, OU=ECA, OU=ORC,
    OU=Company/Organization Name, CN=domain name/hostname/IP address
  • Exportable: yes or true (you want the private key to be exportable, except if it is prohibited by your organization’s policy or for your organization’s needs)
  • Request type or output: PKCS10
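The following script is an added example and is not WidePoint-ORC's or DoD's own tooling. It uses the OpenSSL command line to generate the exactly-2048-bit RSA key and SHA-256-signed PKCS#10 request described in Step 3, checks the resulting CSR against those requirements before you submit it, and writes the password-protected private-key backup that Step 2 calls for. The organization name, hostname and backup passphrase are hypothetical placeholders; replace them with your own values.

```shell
#!/bin/sh
# Added example (not WidePoint-ORC's or DoD's tooling): generate and check an
# ECA device-certificate CSR with the openssl CLI, then make an encrypted backup
# of the private key. Requires the openssl command.

ORG_NAME="Example Organization"               # hypothetical company/organization name (last OU)
HOST_NAME="www.example.com"                   # hypothetical domain name / hostname / IP (CN)
BACKUP_PASS="replace-with-a-strong-passphrase" # hypothetical backup passphrase

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT                 # scratch files are removed when the script exits
KEY="$WORKDIR/server.key"
CSR="$WORKDIR/server.csr"
BACKUP="$WORKDIR/server.key.enc"

# Step 3: a fresh (never reused) 2048-bit RSA key and a SHA-256 PKCS#10 request.
# C, O and the first two OUs are fixed by the ECA profile; only the last OU and CN vary.
make_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$KEY" 2>/dev/null
    chmod 600 "$KEY"   # the key has no passphrase, so file permissions are its only protection
    openssl req -new -sha256 -key "$KEY" -out "$CSR" \
        -subj "/C=US/O=U.S. Government/OU=ECA/OU=ORC/OU=$ORG_NAME/CN=$HOST_NAME"
}

# Field extractors used to check the request before it is submitted.
csr_key_bits() {
    openssl req -in "$CSR" -noout -text | sed -n 's/.*Public.Key: (\([0-9]*\) bit).*/\1/p'
}
csr_sig_alg() {
    openssl req -in "$CSR" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}
csr_subject() {
    # RFC 2253 form: comma separated, most specific RDN (CN) first.
    openssl req -in "$CSR" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}
csr_self_signature_ok() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1 && echo yes || echo no
}

# All Step 3 requirements in one check: prints "compliant" or the first failure found.
csr_compliance() {
    [ "$(csr_key_bits)" = "2048" ] || { echo "key is not exactly 2048 bits"; return 1; }
    [ "$(csr_sig_alg)" = "sha256WithRSAEncryption" ] || { echo "hash is not SHA-256"; return 1; }
    [ "$(csr_self_signature_ok)" = "yes" ] || { echo "CSR self-signature does not verify"; return 1; }
    case "$(csr_subject)" in
        "CN=$HOST_NAME,OU=$ORG_NAME,OU=ORC,OU=ECA,O=U.S. Government,C=US") ;;
        *) echo "subject does not match the ECA profile"; return 1 ;;
    esac
    echo compliant
}

# Step 2: the working key carries no password, so keep an AES-256 encrypted copy
# as the backup. The passphrase never leaves this machine; losing it means buying a new certificate.
backup_key() {
    openssl pkey -in "$KEY" -aes-256-cbc -passout "pass:$BACKUP_PASS" -out "$BACKUP"
    chmod 600 "$BACKUP"
}
backup_is_encrypted() {
    grep -q 'ENCRYPTED' "$BACKUP" && echo yes || echo no
}
backup_restores_same_key() {
    # The backup is only useful if it decrypts to the same key pair: compare public keys.
    a="$(openssl pkey -in "$KEY" -pubout 2>/dev/null)"
    b="$(openssl pkey -in "$BACKUP" -passin "pass:$BACKUP_PASS" -pubout 2>/dev/null)"
    [ -n "$a" ] && [ "$a" = "$b" ] && echo yes || echo no
}

make_csr
backup_key
echo "CSR subject       : $(csr_subject)"
echo "key bits          : $(csr_key_bits)"
echo "signature alg     : $(csr_sig_alg)"
echo "ECA profile check : $(csr_compliance)"
echo "encrypted backup  : $(backup_is_encrypted), restores same key: $(backup_restores_same_key)"
```

The file you upload to the portal is the CSR only; the key never leaves the server. If your CSR tool also asks for "State" or "Locale", the check in csr_compliance will report a subject mismatch, which is expected: those values are dropped from the issued certificate anyway.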

Step 4 | Gather the Required Documents

Users MUST attach photocopies of the following items to the request forms:

  • Two photo IDs, one of which must be a current, valid, government-issued photo ID
  • Proof of Citizenship
  • Signed Component Certificate Authorization Letter

HOWEVER, if you are an MFOM Subscriber, INSTEAD of the signed Component Certificate Authorization Letter you will provide either a copy of a non-expired organizational photo ID showing your first and last name, your photo, and your DOD Agency/Branch, or a signed proof of affiliation letter.

Step 5 | Trust the Certificate Authorities

The Trust procedure below may have been performed when you obtained your Identity Certificate. The trust procedure must be performed on every computer where ECA certificates will be used.

Two Ways to Trust CAs:

  • Quick Method: Trust your device quickly and easily using InstallRoot. Click here for instructions on downloading and running the tool.
  • Manual Method: If you prefer the manual method, you can visit the ECA Repository page and download all of the ECA Root Certificates and the WidePoint-ORC ECA Signing Certificates.

A Few More Notes

A few screens from now, you will be required to select a DOD/NSA Affiliation from a list. If you are getting an MFOM or TAXII Certificate, then you will select the radio button for that certificate and continue on with the process.

For subscribers of all other device certificates, you will select either ‘My Federal Program is not Listed’ or ‘No ECA Agency Affiliation is Required.’ Even if you are setting up server-to-server communications with a DOD or NSA server, you will still select one of those two options (it does not matter which one). The reason is that the ECA Affiliation page exists to make sure that Client Certificate Subscribers select the appropriate level of ECA Client Certificate for the web site(s) they need to access; it has no effect on a device certificate.

Step 6 | Proceed to Our Secure Portal

New Users

If you have NOT created an account with us, click below to proceed.

Create An Account

Returning Users

If you do have an account with us already, click below to access your account.

Access Your Account