DoD PKI Automatic Key Recovery


DoD PKI Automatic Key Recovery
Philip Noble, (520) 538-7608 or DSN 879-7608, philip.e.noble.civ@mail.mil
U.S. Army Information Systems Engineering Command, Fort Huachuca, AZ 85613-5300
5 August 2015
Mike Danberry last reviewed on 10 August 2015, http://militarycac.com/questions.htm
The most current version of this guide can be downloaded from: http://militarycac.com/files/automatic_key_recovery_new.pdf
ISEC: Excellence in Engineering

Slide 2: The Problem
One problem in the past with the DoD PKI infrastructure was the inability to recover Common Access Card (CAC) private encryption keys and certificates that were either expired or revoked. This becomes necessary when a CAC is lost and its certificates are revoked, or when a CAC and the certificates it contains simply expire and the card is surrendered to DEERS/RAPIDS before the user's encrypted emails / files have been decrypted. An Auto Key Recovery capability has been fielded by DISA to permit holders of new CACs to retrieve encryption keys/certificates from previous cards, so that old email and files can be decrypted.
NOTE: In April 2014, DISA changed the recovery links to be available ONLY from the unclassified Government network. This means home users will have to email the address given on slide 7.

Slide 3: The Solution: Steps to Recover Private Encryption Keys
The following slides identify the steps to recover private encryption keys, escrowed by DISA, from previously held CACs.

Slide 4: URLs for Key Recovery
The links listed below are ONLY available from the Government unclassified network, NOT from a personal computer at home:
https://ara-1.c3pki.chamb.disa.mil/ara/key
or https://ara-2.c3pki.den.disa.mil/ara/key
or https://ara-3.csd.disa.mil/ara/key
or https://ara-4.csd.disa.mil/ara/key
Note: The links shown above ARE case sensitive. When you go to these links, you must identify yourself with PKI credentials. Use ONLY your IDentity certificate, NOT your Email or PIV certificate!

Slide 5: Choose Your Identity Certificate
You will be prompted to identify yourself. Highlight your Identification Certificate, select it, then click OK.
Note: Do NOT choose any certificate that contains the word EMAIL in the Issuer column.

Slide 6: Warning Banner
Read the warning message, then click OK.

Slide 7: Processing Your Request
DO NOT be tempted to click the Logout button. The Automated Key Recovery Agent will compile a list of Recoverable Keys. Please wait.
If the recovery fails, or if the key cannot be downloaded automatically, contact the Army Key Recovery Agent by sending a digitally signed email to Netcom-9sc.registration.authority@mail.mil requesting recovery of your private email encryption key.

Slide 8: Key Selection
Hint: Look for the dates that correspond with your former CAC. They may not be listed in order. Browse through the list and locate the key you want to recover. When located, click the adjacent Recover button.

Slide 9: Acknowledgement of DoD Subscriber
Select OK.

Slide 10: Processing Request
The Automated Key Recovery Agent is processing your request. Do NOT be tempted to click the Logout button; you MUST wait.

Slide 11: One-time Password
Click the DOWNLOAD link. You'll need the one-time password to access your Private Encryption Key.

Slide 12: Installing the Certificate
Select Open.

Slide 13: Installing the Certificate (Cont'd)
Click Next.

Slide 14: Installing the Certificate (Cont'd)
Click Next.

Slide 15: Installing the Certificate (Cont'd)
Leave the check boxes unchecked, enter the Password shown on your screen, then click Next.

Slide 16: Installing the Certificate (Cont'd)
Leave "Automatically select the certificate store based on the type of certificate" selected (as shown above), then click Next.

Slide 17: Installing the Certificate (Cont'd)
Click Finish.

Slide 18: Installing the Certificate (Cont'd)
Click OK.

Slide 19: Installing the Certificate (Cont'd)
Click OK.

Slide 24: Verifying the Download
You can verify the successful download of your recovered Private Encryption Key by launching Internet Explorer, selecting Tools from the menu, and then Internet Options. Click the Content tab, then the Certificates button.

Slide 25: Verifying the Download (Cont'd)
Select the Personal tab. You'll see a list of your currently registered certificates, including the recovered key certificate(s).

Slide 26: Verifying the Download (Cont'd)
Double-click on the certificate to view the specifics of your recovered key (or other current keys), as illustrated above.

Slide 27: Success
Close the open window. You may now use the recovered key to access your encrypted email.
Last Step: If you chose to save the recovered key to a file instead of installing the key directly, delete the saved .p12 file from your computer, as it is a security vulnerability and will be detected in a Q-tip scan. Disregard this step if you did not save the key to a file.
Should recovery fail, contact the Army Key Recovery Agent by sending a digitally signed email to usarmy.pentagon.hqda-cio-g-6.mbx.army-registrationauthority@mail.mil requesting recovery of your private email encryption key.
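The verification on slides 24 to 26 and the leftover-file check on slide 27 can also be done from PowerShell. The script below is an added example, not part of the original guide; it assumes a Windows host where the recovered key has already been imported into the current user's Personal store, and it identifies email encryption certificates by the "EMAIL CA" issuer name pattern seen in the notification example on slide 29.

```powershell
# Added example (not from the original guide): confirm a recovered DoD email
# encryption certificate is in the user's Personal store together with its
# private key, then look for any saved .p12/.pfx copy that should be deleted.

function Get-RecoveredEmailCerts {
    # Recovered keys come from expired or revoked CACs, so do not filter on
    # validity dates; HasPrivateKey is what shows the key was imported.
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Issuer -match 'EMAIL CA' -and $_.HasPrivateKey } |
        Select-Object Subject, Issuer, SerialNumber, NotBefore, NotAfter
}

function Find-LeftoverKeyFiles {
    param([string]$Root = $env:USERPROFILE)
    # A saved PKCS#12 export holds the private key protected only by the
    # one-time password shown during recovery, so it must not stay on disk.
    Get-ChildItem -Path $Root -Recurse -File -Include *.p12, *.pfx `
        -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

$certs = Get-RecoveredEmailCerts
if (-not $certs) {
    Write-Warning 'No email encryption certificate with a private key was found; the recovered key may not have installed.'
} else {
    Write-Host 'Email encryption certificates with private keys:'
    $certs | Format-Table -AutoSize
}

$leftovers = Find-LeftoverKeyFiles
if ($leftovers) {
    Write-Warning 'Saved PKCS#12 files found; delete them once the key is confirmed installed:'
    $leftovers | Format-Table -AutoSize
    # Review the list first, then remove the files, for example:
    # $leftovers | Remove-Item -Force
} else {
    Write-Host 'No .p12/.pfx files found under the profile.'
}
```

Run it in a normal user session after the import wizard finishes; no administrator rights are needed because it only reads the current user's store and profile.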

Slide 28: Other Services
SPAWAR Integrated Support Center Helpdesk: https://infosec.navy.mil/pki/ , Email: itac@infosec.navy.mil , Phone: 800-304-4636, DSN 588-4286
USMC RA Operations Helpdesk: Email: raoperations@mcnosc.usmc.mil , Phone: 703-432-0394
Air Force PKI Help Desk: Phone: 1-210-925-2521, Email: afpki.ra@lackland.af.mil , https://afpki.lackland.af.mil/html/lracontacts.asp (this site is accessible from .mil networks only). Additional Air Force PKI support is available from the Air Force PKI help desk: https://afpki.lackland.af.mil/html/help_desk.asp
DISA PKI Help Desk, Oklahoma City, OK Support: E-Mail: Okc-dodost@csd.disa.mil , Phone (Commercial): 1-800-490-1643, Phone (DSN): 339-5600

Slide 29: Recovery Notification Email Example
A user has attempted to recover a key using the Automated Key Recovery Agent. The ID Certificate used for Authentication was: CN=NOBLE.PHILIP.EUGENE.1184204718,OU=USA,OU=PKI,OU=DOD,O=U.S. GOVERNMENT,C=US, Serial: 0x0B5643, Issuer: DOD CLASS 3 CA-5. The key that was recovered was: CN=NOBLE.PHILIP.EUGENE.1184204718,OU=USA,OU=PKI,OU=DOD,O=U.S. GOVERNMENT,C=US, Serial: 0x0C8747, Issuer: DOD CLASS 3 EMAIL CA-3. If you did not perform this operation, please contact your local key recovery agent and ask that they check the logs for the key recovery at Fri Jul 01 16:48:12 GMT 2005 with session ID 1.c3pki.chamb.disa.mil-23f%3A42c57335%3A68e46e9395fb9727.
You will receive an email from PKI_ChambersburgProcessingElement@csd.disa.mil with the subject "ALERT! Key Recovery Attempt Using Automated Key Recovery Agent", similar to the Recovery Notification example above, notifying you of your recovery action.

Slide 30: POC for Additional Information
Philip E. Noble, USAISEC Information Assurance and Security Engineering Directorate (IASED)
DSN 312-879-7608, CML 520-538-7608
FAX DSN 312-879-8709, CML 520-538-8709
philip.e.noble.civ@mail.mil
philip.e.noble.civ@mail.smil.mil