PKI - Certificates
Certificates and their associated Public Key Infrastructure enable secure Internet services.

PKI Concepts

A Public Key Infrastructure (PKI) is a system for the creation, storage, and distribution of digital certificates, which are used to verify the identity of a server or a user. A Certificate Authority (CA) is the starting point for a chain of trust to the server or user. Authenticated and encrypted communications between two parties are only possible when they have Certificate Authorities in common.



Commercial Certificate Authorities

Some of our public webservers use commercial certificates from Certum and Comodo and their reseller SSL.com. Accessing these websites generally requires no action, since Comodo has arranged for their certificates to be pre-installed in operating systems, applications, and many commercial products such as appliances. If you run into problems accessing any of these systems, such as from a customer location, you may need to install the SSL.com Certum and Comodo root certificate authorities.

Certificate SSL.com: New Root Archive

Certificate SSL.com: Certum Root Bundle

Certificate SSL.com: Comodo Root Bundle



BCT LLC Certificate Authorities

Like DoD and other defense contractors, BCT maintains a private certificate authority integrated with our Active Directory system. Certificates are used for servers, network devices, and users. To avoid a certificate error when accessing selected company systems and sites, you must install our private Root Certificates.

Certificate Download the BCT LLC Root Certificate


We also use systems provided by Ashton-Group Services, LLC. They also use their own corporate Root Certificate.


Certificate Download the Ashton GS Root Certificate



BCT LLC Web Enrollment

BCT users can self-enroll for a BCT LLC user certificate for use in authentication, digital signing, or encryption. Certificates are integrated with your Active Directory account.

Certificate BCT LLC Web Enrollment Server




ORC ECA Certificates

Many DoD websites require DoD PKI for access. To satisfy these requirements, we can purchase DoD user identity and encryption certificates from ORC (WidePoint), which is accredited as an External Certificate Authority (ECA).

Software Certificates

For most websites, a software certificate will be sufficient. These are called "Medium Assurance Identity/Encryption Certificates" and are stored in your user profile on your workstation.

Certificate ORC: Medium Assurance Identity/Encryption Certificates

Hardware Certificates

Some websites require a hardware token such as a CAC card or a thumb drive for additional assurance. Your certificates are stored on this physical token rather than on your workstation.

Certificate ORC: Medium Hardware Assurance Identity/Encryption Certificates


DoD Certificate Authorities

To avoid a certificate error when accessing secure DoD websites, you must install the DoD Root Certificates. DoD operates its own certificate system to avoid the exposures from commercially purchased certificates. Follow these instructions and links to download and install the DoD Root Certificate Authorities.



DoD InstallRoot Tool

DISA's InstallRoot is a utility that installs and manages all of the DoD and ECA root and intermediate certificate authority certificates in the trust stores on Microsoft Windows servers and workstations.

Web Site DISA: InstallRoot 5.5

PDF DISA: InstallRoot 5.2 User Guide

PDF DISA Brochure: DoD PKE, Working with External PKIs



DoD Certificate Authorities

This DISA archive contains all of the DoD Root certificate authorities. This archive can be used as an alternative to the InstallRoot application.

ZIP DoD Root Certificate Archive

ZIP ECA Root Certificate Archive



External Certificate Authorities

This DISA archive contains all of the ECA Root certificate authorities. This archive can be used as an alternative to the InstallRoot application.

ZIP ORC: External Certification Authority (ECA) Repository

DOC Read me: ECA Root Certificate Archive

For questions or problems with the DoD website please contact the DISA OKC OST at 1-800-490-1643 or by email at disa-esmost@csd.disa.mil.



BCT LLC
10810 Guilford Road, Suite 111 | Annapolis Junction, MD 20701