DoD PKI Automatic Key Recovery - Common Access Card

2y ago
49 Views
2 Downloads
1.68 MB
24 Pages
Last View : 16d ago
Last Download : 2m ago
Upload by : Lucca Devoe
Transcription

DoD PKIAutomatic Key Recovery(520) 538-8133, DSN 312-879-8133, or milFort Huachuca, AZ 85613-530014 March 2017Mike Danberry last reviewed on 26 April 2021https://militarycac.us/questions.htmThe most current version of this guide can be downloaded from:https://militarycac.us/files/Automatic Key Recovery New.pdfISEC: Excellence in Engineering

The Problem:A problem in the past with the DoD PKI infrastructure was the inability to recoverCommon Access Card (CAC) private encryption keys and certificates that were eitherexpired or revoked. This becomes necessary when a CAC is lost and its certificatesare revoked or when a CAC and the certificates it contains expires and is surrenderedto DEERS / RAPIDS site before the user’s encrypted emails / files have beendecrypted.An Auto Key Recovery capability has been fielded by DISA to permit holders of newCACs to retrieve encryption keys / certificates from previous cards to permitdecryption of old email and files.NOTE: In April 2014, DISA removed the Certificate recovery website “white listing,”changing the site to ONLY be available from the UnClassified Government network.Home users will need to follow instructions on slide 21 for Army users & 22 for allother military branches to get your previous CAC certificates. See slide 24 foranother idea if you have access to a Government computerU.S. Army Materiel Command Communications-Electronics Command2

The Solution:Steps to Recover CACPrivate Email Encryption KeysThe following slides provide steps to recover privateencryption keys [escrowed by DISA] from yourpreviously CACsU.S. Army Materiel Command Communications-Electronics Command3

URLs for Key RecoveryThe links listed below are ONLY accessible from the GovernmentUnClassified networkThey will NOT work from a personal computer at homeTLS 1.0, 1.1, & 1.2 must be checked on your Government computer in Internet Options, Advanced (tab). SomeGovernment computer users may have to use Firefox, as their commands have blocked the ability to check TLS 1.0,1.1, & 1.2NOTE: Some people have had better success using Firefox or Chromehttps://ara-5.csd.disa.mil or https://ara-6.csd.disa.milSIPR users: spNote: The links shown above ARE case sensitiveIf the keys fail in the links, follow instructions on slide 21 for Army users & 23 for all other military branches.U.S. Army Materiel Command Communications-Electronics Command4

Choose Your Identity orAuthentication CertificateWhen prompted to identify yourself, Highlight your Identification Or Authentication Certificate. Select it,then click OK.Note: Do NOT choose the EMAIL certificateU.S. Army Materiel Command Communications-Electronics Command5

Warning BannerRead the warning statement, then click I AcceptU.S. Army Materiel Command Communications-Electronics Command6

Key SelectionLook for thedates thatcorrespond withyour previousCAC(s). Theymay not be listedin order. Onlyrecover previouscertificates.There is no needto recover yourcurrent CACcertificateBrowse the list and locate the key you want / need to recover. Once located, clickthe Recover button.U.S. Army Materiel Command Communications-Electronics Command7

AcknowledgementSelect OKU.S. Army Materiel Command Communications-Electronics Command8

One-time PasswordClick the DOWNLOAD (button), you’ll use the one-time password to access / install your recoveredcertificateU.S. Army Materiel Command Communications-Electronics Command9

Installing the CertificateSelect OKPeople following slide 24, select Save, then after you get home continuewith this guide by clicking OpenU.S. Army Materiel Command Communications-Electronics Command10

Installing the Certificate(Cont’d)Click NextU.S. Army Materiel Command Communications-Electronics Command11

Installing the Certificate(Cont’d)Click NextU.S. Army Materiel Command Communications-Electronics Command12

Installing the Certificate(Cont’d)Note: If you check“Enable strong privatekey protection” you’llneed to enter thepassword providedevery time you accessyour email / files. So,recommendation is toNOT check it.Enter the Password shown on the download link web page, leave the blocks unchecked, clickNextU.S. Army Materiel Command Communications-Electronics Command13

Installing the Certificate(Cont’d)Leave “Automatically select the certificate store based on the type ofcertificate” selected, click NextU.S. Army Materiel Command Communications-Electronics Command14

Installing the Certificate(Cont’d)Click FinishU.S. Army Materiel Command Communications-Electronics Command15

Installing the Certificate (Cont’d)Click OKU.S. Army Materiel Command Communications-Electronics Command16

Installing the Certificate (Cont’d)Click OKU.S. Army Materiel Command Communications-Electronics Command17

Verifying the DownloadVerify the successful download of your recovered certificate by: Launching Internet Explorer,selecting Tools from the menu, Internet Options, Content (tab), Certificates (button)U.S. Army Materiel Command Communications-Electronics Command18

Verifying the Download (Cont’d)Select the Personal (tab) to see a list of your currently registeredcertificates, including the recovered key certificate(s).U.S. Army Materiel Command Communications-Electronics Command19

Verifying the Download (Cont’d)Double-click the certificate to view the specifics of your recoveredkey (or other current keys).U.S. Army Materiel Command Communications-Electronics Command20

SuccessClose the open window, you may now use therecovered key to access your encrypted email.Last Step: If you saved the recovered certificate to your computer instead of directlyinstalling it, you need to delete the .P12 file. This is a security vulnerability and couldbe detected in a scan. Disregard if you did not save the certificate to your computerIf the recovery failed, Army users, contact the Key Recovery Agent by sending adigitally signed email from your DoD Enterprise Email account ion-authority@mail.milrequesting recovery of your private email encryption keySend your digitally signed email requesting recovery of old PKI encryption certificates and provide thefollowing (you’ll get this information from the page shown on slide 8):1. Your name and 10 digit DoDID [on back of your CAC] (ex. Doe.John.J.1234567890)2. The CA certificate (ex. CA-32)3. The serial number (ex. 0x12fA3)4. Provide exact reason why you are recovering your certificate(s)5. The certificates you need recoveredU.S. Army Materiel Command Communications-Electronics Command21

Other ServicesNavy Key Recovery Agenthttps://infosec.navy.mil/PKI/Email: NCMS NAFW NAVY RA@navy.milPhone: 800-304-4636DSN 312-588-4286USMC RA Operations HelpdeskEmail: raoperations@mcnosc.usmc.milPhone: 703-432-0394Air Force PKI Help DeskPhone: 210-925-2521Email: mil/html/lracontacts.asp (this site is accessible from .mil networks only)Additional Air Force PKI support is available from the Air Force PKI help desk:https://afpki.lackland.af.mil/html/help desk.aspDISA PKI Help Desk Oklahoma City, OK Support:E-Mail: : 844-347-2457, Options: 1, 5, 4U.S. Army Materiel Command Communications-Electronics Command22

Recovery NotificationEmail ExampleA user has attempted to recover a key using the Automated Key Recovery Agent.The ID Certificate used for Authentication was:CN NOBLE.PHILIP.EUGENE.1184204718,OU USA,OU PKI,OU DOD,O U.S. GOVERNMENT,C US, Serial: 0x0B5643, Issuer: DOD CLASS 3 CA-5. Thekey that was recovered was:CN NOBLE.PHILIP.EUGENE.1184204718,OU USA,OU PKI,OU DOD,O U.S. GOVERNMENT,C US, Serial: 0x0C8747, Issuer: DOD CLASS 3 EMAIL CA-3.If you did not perform this operation, please contact your local key recovery agentand ask that they check the logs for the key recovery at Fri Jul 01 16:48:12 GMT2005 with session ID b9727.You will receive an email fromPKI ChambersburgProcessingElement@csd.disa.mil with a subject“ALERT! Key Recovery Attempt Using Automated Key RecoveryAgent” similar to the above Recovery Notification example notifyingyou of your recovery action.U.S. Army Materiel Command Communications-Electronics Command23

Home users needing theircertificates to open old emails inwebmailReminder [mentioned on slide 2] in April 2014, DISA removed the Certificaterecovery website white listing, changing the site to ONLY be available fromthe UnClassified Government network. This put home users in an unfortunatesituation as you may need to access old encrypted emails via OWA.An idea for you [if you have access to a Government computer], is to followslides 4-10, save the file(s) to the computer you are on, and not run it. Whenyou get to slide 9, type the password into a .txt file or into an email to yourselfusing DoD Enterprise Email. Attach the .p12 file to the email and save it toyour drafts. Do not email it. You are merely “holding” it there until you gethome. Once you are home, continue with slides 11-20 using the passwordyou included in your email. It will install into your certificate store, and youshould be able to open up your former encrypted emails.U.S. Army Materiel Command Communications-Electronics Command24

Common Access Card (CAC) private encryption keys and certificates that were either expired or revoked. This becomes necessary when a CAC is lost and its certificates are revoked or when a CAC and the certificates it contains expires and is surrendered to DEERS / RAPIDS site before

Related Documents:

The US DoD has two PKI: DoD PKI is their internal PKI; DoD ECA PKI is the PKI for people outside of the DoD [External Certification Authority] who need to communicate with the DoD [i.e. you]. Fortunately, the DoD has created a tool for Microsoft to Trust the DoD PKI and ECA PKI; the DoD PKE InstallRoot tool.File Size: 1MBPage Count: 10

PKI belonging to the testers' organization, in this case the DoD PKI, is referred to as the Host PKI, and the external PKI to be tested is referred to as the Partner PKI. For the purpose of testing transitive trust, the third party PKI cross-certified with the Partner PKI but not the Host PKI will be referred to as the Third Party PKI.

The DoD PKI consists of the US DoD issuing certificates internally to US DoD end entities (like DoD employees and DoD web sites). The ECA PKI consists of vendors that are authorized by the US DoD to issue certificates to end entities outside of the US DoD that need to communicate with the DoD. You probably need to trust both the DoD PKI and ECA .

DoD PKI Automatic Key Recovery Philip Noble (520) 538-7608 or DSN 879-7608, philip.noble@us.army.mil U.S. Army Information Systems Engineering Command Fort Huachuca, AZ 85613-5300. ISEC: Excellence in Engineering One problem in the past with the DoD PKI infrastructure was the inability to

Configuring PKI This chapter describes the Public Key Infrastructure (PKI) support on the Cisco NX-OS device. PKI allows the device to obtain and use digital certificates for secure communication in the network. This chapter includes the following sections: Information About PKI, page 5-1 † Licensing Requirements for PKI, page 5-6

The DoD Public Key Enablement (PKE) Reference Guides are developed to help an organization augment their security posture through the use of the DoD Public Key Infrastructure (PKI). The PKE Reference Guides contain procedures for enabling products and associated technologies to leverage the security services offered by the DoD PKI. Purpose

For DoD or other Federal Agencies: Joint Task Force-Global Networking Operations (JFT-GNO) Tasking Order 07-15, Public Key Infrastructure (PKI) implementation, Phase 2 mandates widespread DoD PKI implementation for DoD information systems (including web-servers). Public Key (PK) enabling is further supported by DoD Directive 8500.01E,

DoD PKI Automatic Key Recovery (520) 538-8133, DSN 312-879-8133, or 866-738-3222, Netcom-9sc.om-iacacpki.helpdesk@mail.mil Fort Huachuca, AZ 85613-5300. 14 March 2017. Mike Danberry last reviewed on 26 April 2021. . An Auto Key Recovery capability has been fielded by DISA to permit holders of new