
Certificate Policy Statement (CPS)

The “USGov DoD PKI” Certificate Authorities (CA) are used in support of the United States Government (USG), Department of Defense enterprise programs, services and authentication. USGov DoD PKI root CAs are hosted and controlled under the Global Directory program.

This program and document are not associated with DoD PKI hosted and run by DISA.

This document provides a high-level overview of the program and its technologies. It is not perfect, nor is it intended to meet any external requirement.

Architecture

The USGov DoD PKI CAs follow the general root/intermediate/issuing certificate model.

There are currently 2 root CAs from which all intermediate CAs are issued. These roots are dedicated to Non-Persona Entity (NPE) and User certificates respectively.

CA Name                    Purpose
USGov DoD PKI Root CA1     Non-Persona Entity
USGov DoD PKI Root CA2     Users (General User and Admin)

Root CN: DC=PKI,DC=DOD,DC=USGOV,DC=MIL

Root and intermediate certificates are available for download at usgov.pki.mil.

Certificate Uses

These certificates are intended to be used with DoD programs and services.

Certificates Issued by USGov DoD PKI:

  • Are not intended to be trusted outside of USGov computer systems.
  • Are not intended to be used for public facing user services.
  • Are not intended to be used on personal or corporate computers.
  • No one will be forced to consume these services. However, access to some services may be degraded if the CAs are not trusted.

Certificate Types:

  • NPE:
    • SSL / Web 2048/4096
    • Server / Domain Controller / Kerberos Authentication
  • User:
    • Smart Card Authentication (User -or- Admin)
    • Windows Hello For Business

Naming and Identification

All CAs (root/intermediate/issuing) will be identified with “USGov DoD PKI” in the subject name and with “DC=PKI,DC=DOD,DC=USGOV,DC=MIL” in the DN.

  • NPE CAs will be tagged with DC=NPE in the DN
  • User CAs will be tagged with DC=USER in the DN

CA names will include program- and enclave-specific naming after the USGov DoD PKI naming standard prefix. A full list of issuing CAs is available at usgov.pki.mil.

Example CA Name:

  • Subject: USGov DoD PKI DEAS NPE CA1
  • DN: CN=USGov DoD PKI DEAS NPE CA1,DC=NPE,DC=PKI,DC=DOD,DC=USGOV,DC=MIL

A member of the Global Directory team is the approving authority for all subCAs.
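The naming rules above (the “USGov DoD PKI” subject prefix, the fixed DC=PKI,DC=DOD,DC=USGOV,DC=MIL suffix, and the DC=NPE / DC=USER branch tag) are easy to check mechanically before a relying party decides to trust an issuing CA. The following is an added example, not code from the Global Directory program: it parses a DN in the comma-separated text form shown on this page, rejects anything that does not end in the required DC suffix, and classifies the CA as NPE, User or Root. The program tag it extracts (the word between the prefix and the branch word, “DEAS” in the page's example) is an assumption about how program-specific names are laid out; the sample DNs other than the page's own example are constructed for the test.

```python
"""Validate and classify a USGov DoD PKI CA from its distinguished name.

Added illustration, not Global Directory code. Assumes DNs are written in
comma-separated text form, most specific RDN first, as on the page.
"""
from dataclasses import dataclass

# Every CA in the hierarchy must end in these DCs (page: "DC=PKI,DC=DOD,DC=USGOV,DC=MIL").
REQUIRED_DC_SUFFIX = ["PKI", "DOD", "USGOV", "MIL"]
CA_NAME_PREFIX = "USGov DoD PKI"
BRANCH_TAGS = {"NPE": "Non-Persona Entity", "USER": "User"}
# Root purposes come from the page's root CA table.
ROOT_PURPOSES = {
    "USGov DoD PKI Root CA1": "Non-Persona Entity",
    "USGov DoD PKI Root CA2": "Users (General User and Admin)",
}


def split_rdns(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (type, value) pairs. A backslash escapes the next
    character, so an escaped comma inside a value does not start a new RDN."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr_type, value = rdn.split("=", 1)
        pairs.append((attr_type.strip().upper(), value.strip()))
    return pairs


@dataclass
class CaIdentity:
    cn: str
    branch: str        # "NPE", "USER" or "ROOT"
    purpose: str
    program_tag: str   # assumed: text between the name prefix and the branch word


def classify_ca(dn: str) -> CaIdentity:
    """Raise ValueError unless the DN obeys the page's naming rules."""
    pairs = split_rdns(dn)
    dcs = [v.upper() for t, v in pairs if t == "DC"]
    cns = [v for t, v in pairs if t == "CN"]
    if len(cns) != 1:
        raise ValueError("expected exactly one CN")
    cn = cns[0]
    if dcs[-len(REQUIRED_DC_SUFFIX):] != REQUIRED_DC_SUFFIX:
        raise ValueError("DN does not end in DC=PKI,DC=DOD,DC=USGOV,DC=MIL")
    if not cn.startswith(CA_NAME_PREFIX):
        raise ValueError("CN does not start with 'USGov DoD PKI'")
    branch_dcs = dcs[:-len(REQUIRED_DC_SUFFIX)]
    if not branch_dcs:
        # No branch DC: treat as one of the two roots (page: "Root CN: DC=PKI,...").
        return CaIdentity(cn, "ROOT", ROOT_PURPOSES.get(cn, "Root"), "")
    tags = [d for d in branch_dcs if d in BRANCH_TAGS]
    if len(tags) != 1:
        raise ValueError("expected exactly one of DC=NPE / DC=USER below the suffix")
    branch = tags[0]
    # Assumption: program/enclave tag sits between the prefix and the branch word.
    remainder = cn[len(CA_NAME_PREFIX):].strip()
    idx = remainder.upper().find(branch)
    program_tag = remainder[:idx].strip() if idx >= 0 else ""
    return CaIdentity(cn, branch, BRANCH_TAGS[branch], program_tag)


def is_usgov_dod_pki_ca(dn: str) -> bool:
    """Boolean wrapper for trust-decision code that only needs yes/no."""
    try:
        classify_ca(dn)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in (
        "CN=USGov DoD PKI DEAS NPE CA1,DC=NPE,DC=PKI,DC=DOD,DC=USGOV,DC=MIL",  # from the page
        "CN=USGov DoD PKI Root CA2,DC=PKI,DC=DOD,DC=USGOV,DC=MIL",              # constructed
        "CN=USGov DoD PKI Lookalike NPE CA1,DC=NPE,DC=EXAMPLE,DC=COM",           # constructed
    ):
        print(sample, "->", classify_ca(sample) if is_usgov_dod_pki_ca(sample) else "REJECTED")
```

The check deliberately keys on the DC suffix rather than on the human-readable CN alone, since a CN prefix is trivial to imitate while the DC chain is what the page defines as the identifying structure; an issuing CA that carries the right prefix but the wrong DCs is rejected.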

Key Generation

Root CAs: The USGov DoD PKI root CAs are treated as an offline root. They are hosted in Azure under the Global Directory program and are backed by Azure Hardware Security Modules (HSM). These CAs are kept in a powered off state and isolated to the Global Directory management environment. This environment is protected by Global Directory with Multi Factor Authentication (MFA).

Issuing CAs are distributed into programs and services. They are deployed as needed to support enterprise service offerings and are dynamically provisioned on demand. All intermediate CAs are highly recommended to be HSM-backed; however, this is not required, as HSMs are not easily accessible to all programs.

Procedures

Certificate automation is critical to the success of USGov DoD PKI. Certificate automation is used to the maximum extent possible to issue and distribute certificates. This includes auto enrollment of server, workstation and user certificates where possible. Technologies like Windows Hello For Business (WHFB) are leveraged to automate provisioning of user certificates.

Manual user enrollment is also available for a number of services. These portals will be protected by Global Directory with MFA for all user and admin access.

Certificate Revocation Lists

USGov DoD PKI provides CRLs to all connected networks. When possible, CRLs are made available via both secure (HTTPS) and non-secure (HTTP) download. The CRL for each CA is listed with that CA at usgov.pki.mil.

CRLs are pulled directly from the CAs and published to the CRL cache every 15 minutes using scripting automation. CRL last update times are made available at usgov.pki.mil.

OCSP is also available. Most issuing certificate authorities are stamped with an OCSP URL. However, clients can be configured to connect directly to the OCSP responder at http://ocsp.usgov.pki.mil/ocsp.

Additional OCSP and CRL details can be found at usgov.pki.mil.