1.1. Certificate Do's and Don'ts

CERTIFICATE DO'S AND DON'TS

Do Accept your new certificate when you receive notification email.

Do Make a backup copy of your certificate on a diskette.

Do Remember your certificate password.

Do Use your certificate to access certificate enabled applications.

Do Encourage others to get their own digital certificates.

Do Read the information under the tabs on the http://eca.orc.com web site.

Do Inform ORC if the information on your certificate changes.

Don't Tell anyone your certificate password.

Don't Use a blank password to protect your private key.

Don't Forget your certificate password.

Don't Leave your password written down in an unsecured environment.

Don't Leave your backup disk in an unprotected environment.

Don't Copy your certificate so another person can use it.

Don't Use someone else's certificate.

Don't Leave your certificate loaded on another or temporarily used PC.

 

1.2. How to get the Correct Browser

Netscape Navigator:

Netscape Navigator Download Site - download current version.

 

Internet Explorer:

Internet Explorer Download Site - download current version.

 

---

Sensitive But Unclassified (SBU) Data must be protected during transmission according to the Computer Security Act of 1987. This act names the Federal Bureau of Standards, now the National Institute of Standards and Technology (NIST), as responsible for developing standards and guidance to ensure data protection. NIST has developed Federal Information Processing Standards (FIPS) to define these guidelines.

FIPS 140-1, Security Requirements for Cryptographic Modules, applies "to all Federal agencies that use cryptographic-based security systems to protect unclassified information within computer systems."

NIST has established a validation program for encryption modules. The current list of validated modules can be found at:
http://csrc.ncsl.nist.gov/cryptval/140-1/1401val.htm

For more information on FIPS 140-1, see the NIST Cryptographic Standards Validation Programs at: http://csrc.ncsl.nist.gov/cryptval.

 

1.3. Individual Identity and Encryption Certificate Request Instructions

1.4. ID/Encrypt Cert Proof of Organizational Affiliation Letter

1.5. Component Certificate Request Instructions

1. Certificate Request Generation

NOTE: The request generation must be performed using your server's built-in functionality. Instructions are provided for IIS servers. If you have a different type of server please refer to your vendor supplied documentation.

See instructions for Microsoft IIS

In all cases you must desginate the following information. Information that is dependant on your server is enclosed in <> signs. Static information is enclosed in quotes.

Common Name: <FQDN of your server>
Organizational Unit: <Your company name>", OU=ORC, OU=ECA"
Organization: "U.S. Government"
Country: "US"

2. Submitting your request to the Certificate Authority

a. Read the obligations page and accept the terms and conditions.

b. Fill out and submit the electronic submission form.

• Click in the text area labeled "Paste the PKCS #10 request into this text area" and paste your PKCS #10 Request into the area.
• Enter the Hostname and IP Address of your server
• Enter the Key Contact's First Name, Middle Initial, and Last Name
• Enter the Name of the Company purchasing the server certificate (i.e. your company).
• Enter the Key Contact's Phone Number and Email address.
• Click "Submit"
• You should see a page stating, "Your request ID is xxxx"
  
  IMPORTANT: Print the "Print this Form Now" page. You will need it to validate your request.
• If you see an error message, your certificate request was not submitted correctly and cannot be processed. Write down the error message and contact the PKI Help Desk at pkihelp@orc.com or 1-800-816-5548

3. Verify Individual and Corporate Identity

A. Individual Identity Verification - All applicants for Server Certificates are required to appear in person before an ORC Registration Authority (RA), an ORC Appointed Local Registration Authority (LRA), or a Notary Public. Applicants are required to present two official photo ID credentials, one of which must be Government issued. In addition proof of organizational affiliation, and the request form ("Print this Form Now" page) must be supplied. Official photo IDs include Government issued photo IDs (passport, Driver's License), and Company issued photo IDs.

Bring the following items to the RA, LRA, or Notary Public you wish to have validate your identity.
	The printed Request Form ("Print this Form Now" page).
	Official Government issued Photo Identification.
	Official Photo Identification (Government issued or otherwise).
	Photocopies (front and back) of both Photo IDs.
	Proof of Organizational Affiliation.
Sign and date your printed Request Form ("Print this Form Now" page) in the presence of the RA, LRA, or Notary Public. Submit your paperwork to the RA or LRA. If you are being validated by a Notary Public mail your paperwork (via Certified Mail) to one of the addresses below.
ORC RA Location/Mailing Address - If you decide to be validated by an ORC RA or you need to mail your validated paperwork to ORC please use the address below.

11250 Waples Mill South Tower Suite 210 Fairfax, VA 22030

B. Corporate Identity Verification - In order to receive a Server Certificate the applicant must also be verified as a duly appointed key contact for their company. Complete the following steps to satisfy this requirement.

• Download the POA (Proof of Organizational Affliation) Letter.
• Insert the appropriate information for the Organization, Authorized Component Certificate Contact (Server Administrator), and Duly Authorized Representative (Approving company officer).
• Have the Duly Authorized Representative sign the POA letter.
• Submit the POA Letter along with your Request Form and Identification credentials.

4. Certificate Acceptance

a. Notification - Upon successful completion of the identification and authentication process, the ORC ECA shall create the requested ECA Certificate, and notify you via email that your certificate is ready.

b. Acceptance - Refer to either the supplied IIS/iPlanet documentation or your vendor-supplied documentation for instructions on how to import your server certificate.

c. Acknowledgement - You shall print a copy of the notification email, sign it, and mail the signed document to the ORC ECA RA.

IMPORTANT: If you do not provide this verification notice, or if you are found to have acted in a manner counter to these obligations, the Certificate shall be revoked, and you will forfeit all claims against the ORC ECA CA infrastructure in the event of a dispute arising from failure to fulfill the obligations above.

1.6. Component Certificate Authorization Letter

1.7. Mobile Code Certificate Request Instructions

1. Requesting Certificate Process

a. Click the "Order Your Certificate" button on the navigation bar.

A browser check will be performed without any user intervention. If you do not have the correct browser, you will be diverted to a download browser page in which you can download the latest browsers in order to complete the request and use your certificate. If you have the correct browser you will be taken to "Trust the Root" page.

b. Follow the instructions on the "Trust the Root" page.

c. Choose which certificate to apply for.

d. Read the obligations page and accept the terms and conditions.

e. Fill out the electronic submission form.

f. Print out the User Enrollment form, and follow the directions on the page. See section 2: Verify Identity.

g. Send the User Enrollment Form via Certified Mail to one of the ORC branches below:

Operational Research Consultants
Attn: ECA RA 11250 Waples Mill South Tower Suite 210 Fairfax, VA 22030

h. Once the mail is received and the specific Enrollment form is verified, a certificate will be generated and an email will arrive in your inbox. There will be a link to access your certificate and you must furnish the password in which you used to retrieve the certificate. See section 3: Accept Certificate.

i. After successfully supplying the password, your certificate will be added to your web browser so that you can access your certificate for its specific functions.

2. Verify Identity

A. Individual and Encryption ECA Certificates - Unaffiliated Individuals (members of the general public) may be authenticated through an electronically submitted application or by personal presence. The ORC CA shall verify all of the following identification information supplied by the applicant: first name, middle initial, last name, date of birth, current address (number, street, city and ZIP code), and telephone number. Subscriber identification must be confirmed via a GSA-approved identity-proofing process that incorporates the following factors:

Submission by the applicant of at least three individual identity items, which must be verified by multiple independent data sources along with cross-checks for consistency. For example:
	Alien Registration number.
	Passport number.
	Current employer name, address (number, street, city, ZIP code), and telephone number.
	Currently valid state-issued driver's license number or state-issued identification card number.
	Social Security number.
Notary Public - If you decide to go to a Notary Public for identification verification, you must take the forms generated during the certificate request process and present them along with a three of the above listed identity items, at least one of which must be a photo ID, for Notary Public validation. Upon completion, you must submit the notarized forms with a photocopy of the front and back of the photo IDs used to validate identity along with proof of organizational affiliation via certified mail to the ORC CA.

 

B. Request Authorization to receive a Code Signing Certificate

	The applicant's individual identity as specified above in Section A.
	That the applicant is a duly authorized representative of the Sponsoring Organization as an employee, partner, member, agent, or other association.
	The Code Signing Attribute Authority (CSAA), a duly appointed signature authority for the organization who authorizes applications or individuals for code signing certificates for the designated organization, will send a signed "Proof of Organizational Affiliation and Authorization for Code Signing" letter to the RA authorizing the code signer to receive a code signing certificate. The "Proof of Organizational Affiliation and Authorization for Code Signing" letter can be either a hard copy with an ink signature or an electronic copy that is digitally signed. If the letter is digitally signed, the certificate used to digitally sign the electronic copy must be a DoD Class 3 or higher certificate. Please see Step 3 for the address to send the signed "Proof of Organizational Affiliation and Authorization for Code Signing" letter.

3. Accept Certificate

a. Notification - Upon successful completion of the identification and authentication process, the ORC CA shall create the requested ECA Certificate, and notify you via email that your certificate is ready.

b. Acceptance - To accept the certificate, click on the link that was provided in the email to access the certificate retreival page. You shall indicate acceptance or rejection of the ECA Certificate to the ORC CA. By accepting the ECA Certificate, you are warranting that all information and representations made and included in the ECA Certificate are true. The acceptance agreement shall include the subscriber obligations.

c. Acknowledgement - You shall print a copy of the notification email, sign it, and mail the signed document to the ORC ECA CAA (Certificate Authority Administrator).

IMPORTANT: If you do not provide this verification notice, or if you are found to have acted in a manner counter to these obligations, the Certificate shall be revoked, and you will forfeit all claims against the ORC ECA CA infrastructure in the event of a dispute arising from failure to fulfill the obligations above.

1.8. Code Signing Attribute Authority Designation Letter

1.9. Mobile Code Certificate Authorization Letter

1.10. ECA Key Recovery Acknowledgement Letter

1.11. Revoking a Certificate

The individual making the request for certificate revocation shall either digitally sign requests sent via email, or the individual shall present the request in person to the RA.

Individual Revocation Request Letter
Corporate Revocation Request Letter

Note: Code signer certificates are not normally revoked when the code signer departs or is no longer withthe organization. If the code signer is suspected of having signed (intentionally or unintentionally) unapproved code, the code signer certificate may be revoked by the RA.

---

The following authorized parties may request a revocation of a certificate:

- Any End Entity may request revocation of their own certificate(s) and RAs may request revocation of any EE certificate on behalf of the EE or other authorized party

- The ORC IA may revoke any certificate within its domain for reasons identified in this CPS

- Other parties may also request revocation of certificates through a RA or LRA. The RA or LRA shall validate the credentials of the requesting party, and the RA shall determine if the revocation request meets the requirements of Section 4.4.1 of the ORC CPS.

If any individual has reason to believe that a certificate private key has been compromised, that individual is required to notify an RA or LRA of the compromise suspicion. It is the responsibility of the RA to investigate the information and determine if certificate revocation is warranted.

If so, the RA shall forward the revocation request along with documentation of the reason for the request to the IA. ORC will send a written notice and brief explanation for the revocation to the Subscriber.

If any of the following points apply to your current situation then immediately have your certificate revoked. If your key is compromised, report it to ORC at 1-800-816-5548, or email ecahelp@orc.com immediately.

Circumstances for Revocation

	The certificate holder requests that the certificate be revoked.
	The certificate holder can be shown to have violated the subscriber obligations, including payment of any required fees.
	The certificate holder is no longer authorized to hold the certificate (e.g. termination of employment or change in responsibilities).
	The information in the certificate is no longer accurate, and therefore, identifying information needs to be changed (e.g. change of name or privilege attributes asserted in the Subscriber's certificate are reduced).
	The Subscriber's employer or organization requests revocation.
	The certificate was obtained by fraud or mistake.
	The certificate was not correctly requested, issued, or accepted.
	The certificate contains incorrect information, is defective, or creates a possibility of incorrect reliance or usage.
	Certificate private key compromise is suspected.
	The certificate holder fails to make a payment or other contractual obligations related to the certificate.
	Subscribers leaving the organizations that sponsored their participation in the PKI shall surrender to their organization's PKI point of contact (through any accountable mechanism) all cryptographic hardware tokens that were issued, under the sponsoring organization, prior to leaving the organization. The PKI point of contact shall zeroize or destroy the token promptly upon surrender and shall protect the token from malicious use between surrender and zeroization or destruction. In all cases, whether software or hardware tokens are involved, the organization shall promptly notify an RA to revoke the certificate and attest to the disposition of the token, via a digitally signed email.
	ORC reserves the right to revoke any ORC ECA issued certificate at its discretion.

1.12. Certificate Request Generation and Certificate Installation Instructions for IIS 5

1.13. Install Certificate in Microsoft IIS Web Server Instructions

2.1. Certificate Request IE

2.2. Password Tips

2.3. Creating a Backup Copy (Exporting) of Your Enrollment Key Pair

2.4. Making a Backup Copy (Exporting) of Your Certificate

2.5. Importing Your Certificate from a Backup (Export) File

2.6. Trusting Your Certificate OR Verifying the ECA

2.7. Trusting the DOD PKI and ECA PKI in IE

2.8. Testing Your Identity Certificate

3.1. Certificate Request Instructions

3.2. Making a Backup Copy (Exporting) of Your Certificate - Firefox

3.3. Importing Your Certificate from a Backup File - Firefox

3.4. Set Certificate Password in Firefox

3.5. Changing Master Password - Firefox

3.6. Trusting ORC ECA Signing Certificate - Firefox

3.7. Testing Your Identity Certificate - Firefox

3.8. Using ECA Certificate in Firefox and Thunderbird