DoD PKI Management Help
Special Note
Because of improper revocation-checking configurations, the DoD PKI network infrastructure is being stressed during peak times by the high number of customer requests for large CRLs from GDS. These requests are generated automatically during certificate validation. GDS currently supports 49 DoD and ECA Certificate Authorities (CAs), whose CRLs combined exceed 231MB in size. Because of the demands of CRL-based certificate validation, it is impractical for every application to download a CRL every time a certificate is presented. A hierarchical approach is needed, in which some services are provided by the DoD PKI, some by the DoD Components' infrastructure, and some by the local area network. The certificate validation recommendations are:
- Utilize OCSP via RCVS. OCSP offers an alternative means of certificate validation: a request for an individual certificate is sent to an OCSP responder that has all of the CRL information, and the responder sends back a very small signed message stating that the certificate is good, bad, or unknown. The DoD PKI PMO stood up the Robust Certificate Validation Service (RCVS), located at http://ocsp.disa.mil, as part of the infrastructure. The RCVS has two different types of OCSP responders, commonly referred to as traditional (Axway, formerly Tumbleweed) and Distributed (Axway and HID, formerly CoreStreet) OCSP.
- Configure downloads to occur at a scheduled time. All CRLs issued by the DoD PKI are published once per day and are available on GDS (crl.gds.disa.mil). The CRLs should be downloaded to the DoD Components' infrastructure once, and only once, per day.
- Utilize All CRL ZIP. All CRL ZIP is a single ZIP file containing all of the latest CRLs hosted by GDS. Downloading the All CRL ZIP is a more efficient way to obtain all of the latest CRLs when caching them locally within a component domain.
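The once-per-day caching policy above still has to notice when a cached CRL has passed its nextUpdate. The following is an added example (not code from the GDS help page) that reads thisUpdate/nextUpdate straight out of a DER-encoded CRL with a stdlib-only DER walker and decides whether a component cache should fetch again; the sample CRL is a constructed, unsigned skeleton with placeholder issuer and signature fields.

```python
# Added example: is a locally cached DoD CRL due for a refresh from GDS?
import datetime as dt

SEQUENCE, INTEGER, UTCTIME, GENTIME = 0x30, 0x02, 0x17, 0x18

def der_tlv(buf, i=0):
    """Return (tag, value, next_offset) for the DER element at offset i."""
    tag, ln, i = buf[i], buf[i + 1], i + 2
    if ln & 0x80:                                  # long-form length
        n = ln & 0x7F
        ln, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, buf[i:i + ln], i + ln

def der_time(tag, value):
    """Decode UTCTime (YYMMDDhhmmssZ) or GeneralizedTime (YYYYMMDDhhmmssZ)."""
    fmt = "%y%m%d%H%M%SZ" if tag == UTCTIME else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)

def crl_validity(der):
    """Extract (thisUpdate, nextUpdate) from a DER CertificateList (RFC 5280)."""
    _, cert_list, _ = der_tlv(der)                 # CertificateList ::= SEQUENCE
    _, tbs, _ = der_tlv(cert_list)                 # tbsCertList ::= SEQUENCE
    tag, _, i = der_tlv(tbs)                       # optional version, else signature
    if tag == INTEGER:
        tag, _, i = der_tlv(tbs, i)                # signature AlgorithmIdentifier
    _, _, i = der_tlv(tbs, i)                      # issuer Name
    tag, v, i = der_tlv(tbs, i)                    # thisUpdate
    this_update = der_time(tag, v)
    tag, v, _ = der_tlv(tbs, i)                    # nextUpdate (optional)
    next_update = der_time(tag, v) if tag in (UTCTIME, GENTIME) else None
    return this_update, next_update

def refresh_due(cached_der, last_fetch, now, interval=dt.timedelta(days=1)):
    """True if the component cache should pull a new CRL from GDS now."""
    if cached_der is None:
        return True                                # nothing cached yet
    _, next_update = crl_validity(cached_der)
    if next_update is not None and now >= next_update:
        return True                                # stale CRL: do not keep trusting it
    return now - last_fetch >= interval            # otherwise at most once per interval

def der(tag, body):
    """Tiny DER encoder for the constructed sample (short-form lengths only)."""
    return bytes([tag, len(body)]) + body

# Constructed sample: version 1, empty placeholder AlgorithmIdentifier/issuer/
# signature, thisUpdate 2024-01-01 and nextUpdate 2024-01-02 (UTC).
SAMPLE_CRL = der(SEQUENCE,
    der(SEQUENCE, der(INTEGER, b"\x01") + der(SEQUENCE, b"") + der(SEQUENCE, b"")
        + der(UTCTIME, b"240101000000Z") + der(UTCTIME, b"240102000000Z"))
    + der(SEQUENCE, b"") + der(0x03, b"\x00"))
```

A real GDS CRL has a populated issuer and signature, which the walker skips as opaque elements; signature verification against the CA certificate is a separate step that this snippet does not perform.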
About the buttons
- Home - Displays the Welcome page.
- Help - Displays this Help page.
- FAQs - Displays a page of Frequently Asked Questions.
- Search GDS - Redirects you to the DoD411 Search page.
How to use the Interface
- To view or download the certificate or Certificate Revocation List (CRL) of a particular Certification Authority (CA), select (highlight) the CA on the list in the left-hand frame. Once a CA has been selected, the right-hand frame will display the actions that can be performed for that CA, that is, View/Download the Certificate and/or download the associated CRL. The update date of the CRL will be displayed next to the download link under the Certificate Revocation List label.
- Note: Because of security concerns, this interface will not allow the download of the root CA self-signed certificate; however, the view function will be available to the user.
- If View is selected for the Certification Authority Certificate, a new window will appear displaying a text description of some of the CA certificate fields.
- If Download is selected for the Certification Authority Certificate, a standard file download dialog box will appear. In response to the user input, the CA certificate will be saved in a directory selected by the user.
- Note: The user should remember this location in order to retrieve the certificate for further use or processing.
- If Download is selected for the CRL, a standard file download dialog box will appear. In response to the user input, the CRL will be saved in a directory selected by the user. Note: The user should remember this location in order to retrieve the CRL for further use or processing.
Note: The CA listing and the CRLs are refreshed automatically. By default this refresh is performed every 5 minutes but may be sooner or later depending on volatility.