ECA-External Certificate Authority

VPN IPSec Certificates

In order to request, renew, and use VPN IPSec Certificates issued under the ORC ECA CPS, the applicant company and PKI Sponsor must agree to the following obligations.
  • To accurately represent themselves in all communications with ORC and the PKI, and abide by all the terms, conditions, and restrictions levied upon the use of the issued private key(s) and certificate(s).
  • To protect the certificate private key from unauthorized access in accordance with the Private Key Protection section of the ECA CPS.
  • To immediately report to the RA and request certificate revocation processing if Private Key Compromise is suspected.
  • In the event of a PKI Sponsor change, because the verified individual has left the employ of the applicant company or is no longer assigned as the PKI Sponsor for the certificate(s), the applicant company must designate a new PKI Sponsor for the certificate(s). The new PKI Sponsor must complete a new identity verification.
  • When renewing the VPN IPSec certificate the PKI Sponsor must complete a new identity verification.
  • Confirm that you (the PKI Sponsor) are a current employee of the applicant company and that you are authorized by the applicant company to obtain VPN IPSec certificates for the company by completing and submitting the Component/Server Authorization letter.
  • That the VPN IPSec system designated in the certificate request is the only system on which the certificate is to be installed.
  • To use the certificate only for authorized applications which have met the requirements of this CPS.
  • To use the certificate only for the purpose for which it was issued, as indicated in the key usage extension.
  • To report any changes to information contained in the certificate to the appropriate RA for certificate reissue processing.
  • PKI Sponsors signify and guarantee that their application does not interfere with or infringe upon the rights of any others regarding their trademarks, trade names or any other intellectual property.
    Subscribers shall hold ORC harmless for any losses resulting from any such act.
  • As a result of issuing a certificate that identifies a person as an employee or member of an organization, ORC does not represent that the individual has authority to act for that organization.
  • For Relying Parties: Use of REVOKED certificates could have damaging or catastrophic consequences in certain applications. The matter of how often new Revocation data should be obtained is a determination to be made by the relying party and the system accreditor.
    If it is temporarily infeasible to obtain Revocation information, then the relying party must either reject use of the certificate, or make an informed decision to accept the risk, responsibility, and consequences for using a certificate whose authenticity cannot be guaranteed to the standards of the ORC ECA practice statement.
A VPN IPSec PKI Sponsor and their applicant organization found to have acted in a manner inconsistent with these obligations are subject to revocation of LRA responsibilities and/or revocation of all VPN IPSec Certificates issued to that applicant organization.
When creating the CSR, you will need the following information:

  • Key Length or Key Size: 2048 bits
  • Hash Algorithm: SHA2 or SHA256
  • Subject values: C=US, O=U.S. Government, OU=ECA, OU=ORC, OU=Company/Organization Name, CN=domain name/hostname/IP address
  • Exportable: yes or true (in most cases, you want the private key to be exportable)
  • Request type or output: PKCS10
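The following is an added example, not part of the ORC instructions: it generates a 2048-bit RSA key pair and a SHA-256-signed PKCS#10 request carrying exactly the subject values listed above, then checks the CSR against those same requirements before it is submitted. It uses only the Go standard library; the company name and hostname passed in are placeholders the applicant replaces with their own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// ECASubject: C=US, O=U.S. Government, OU=ECA, OU=ORC, OU=<company>, CN=<host>, one RDN each (pkix.Name would merge the OUs).
func ECASubject(company, cn string) pkix.RDNSequence {
	rdn := func(t asn1.ObjectIdentifier, v string) pkix.RelativeDistinguishedNameSET {
		return pkix.RelativeDistinguishedNameSET{{Type: t, Value: v}}
	}
	c, o, ou, n := asn1.ObjectIdentifier{2, 5, 4, 6}, asn1.ObjectIdentifier{2, 5, 4, 10}, asn1.ObjectIdentifier{2, 5, 4, 11}, asn1.ObjectIdentifier{2, 5, 4, 3}
	return pkix.RDNSequence{rdn(c, "US"), rdn(o, "U.S. Government"), rdn(ou, "ECA"), rdn(ou, "ORC"), rdn(ou, company), rdn(n, cn)}
}

// NewECACSR: fresh 2048-bit RSA key plus a DER PKCS#10 request signed with SHA-256; only the CSR leaves the machine.
func NewECACSR(company, cn string) (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	subj, _ := asn1.Marshal(ECASubject(company, cn)) // fixed ASN.1 types, cannot fail
	tmpl := &x509.CertificateRequest{RawSubject: subj, SignatureAlgorithm: x509.SHA256WithRSA}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, der, err
}

// CheckECACSR: pre-submission check for the proof-of-possession signature, RSA 2048, SHA-256 and a six-RDN subject with the expected CN.
func CheckECACSR(der []byte, cn string) error {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return err
	}
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("CSR signature does not verify: %w", err)
	}
	if pub, ok := csr.PublicKey.(*rsa.PublicKey); !ok || pub.N.BitLen() != 2048 || csr.SignatureAlgorithm != x509.SHA256WithRSA {
		return fmt.Errorf("expected RSA 2048 with sha256WithRSAEncryption, got %v", csr.SignatureAlgorithm)
	}
	var seq pkix.RDNSequence
	if _, err := asn1.Unmarshal(csr.RawSubject, &seq); err != nil || len(seq) != 6 || csr.Subject.CommonName != cn {
		return fmt.Errorf("subject must be C, O, OU, OU, OU, CN=%s; got %s", cn, csr.Subject)
	}
	return nil
}
```

The DER request can be PEM-wrapped as a CERTIFICATE REQUEST block for submission; the private key should be stored only on the requesting system (or hardware token) as the obligations above require.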
I understand that during this process I will be generating my key pair and will possess the only copy of my private key on the workstation/computer (or hardware token) from which I am making my request. If lost, damaged, or compromised, I will be responsible for requesting and incurring the costs of a new certificate.
I have read and understand all the certificate instructions listed in the PKI Sponsor Instructions document, and have trusted the ECA CAs.
I have read and agree to all of the Subscriber Obligations listed above.