CI-09-03-003-Requesting_DoD_PKI_Digital_Certificates_v1200

Implementation, Training, and Technical Support of the
Department of Defense
Class 3 Public Key Infrastructure
For the United States Air Force

Prepared for the U.S. Air Force (USAF) PKI System Program Office (SPO)




                   Instructions for Requesting
                   DoD PKI Digital Certificates
                   for Servers, Devices, or
                   Applications


                   June 2009




Deliverable No.
CI-09-03-003
                                                  CONTENTS
1.      General Information
2.      Generating the Certificate Request
     2.1 Commercial Off-the-Shelf Instructions
     2.2 Off-Line Request Tool
3.      Submitting the Certificate Request to the DoD Certification Authority
     3.1 Connect to a DoD PKI Certification Authority
        3.1.1     DoD PKI Operational Certification Authorities
        3.1.2     DoD PKI Test and Development Certification Authorities
     3.2 Choose the Certificate Profile
     3.3 Post the PKCS#10 Certificate Request to the CA
        3.3.1     Adding Multi-SAN entries
        3.3.2     Complete Requestor Information
        3.3.3     Complete Generic Input
        3.3.4     Complete On-Line Request submission
     3.4 Submit your Certificate Requirement
        3.4.1     JITC Test Certs:
        3.4.2     Operational DOD PKI Certificate Requirements
     3.5 E-mail Notification of Issue
     3.6 Retrieving the Certificate
     3.7 Copy the Certificate to Notepad
     3.8 Paste and Save Certificate Information Using Notepad
     3.9 What’s Next?
4.      Obtaining the DoD Root Certificate Trust Chain
     4.1 Downloading Certificate Trust Chains
     4.2 Installing the DoD Root Trust Chain in the Server/Device
     4.3 Installing the DoD Root Trust Chain in the Browser
     4.4 Certificate Revocation Checking
5.      Enabling Client Authentication
6.      Converting a Certificate to Distinguished Encoding Rules (DER) Format
Appendix A Acronyms




Instructions for Requesting Server/Device/Application DoD PKI Digital Certificates   February 2009


                                1. General Information
The Department of Defense (DoD) requires the Common Name (CN) identified in the
certificate be unique across the entire DoD. The CN is entered when generating the
Public Key Cryptography Standard (PKCS) #10 file. The easiest way to ensure
uniqueness is to use a Fully Qualified Domain Name (FQDN). Internet Protocol (IP)
addresses can also be used, but these can be volatile as networks are consolidated and
redesigned.

To ensure Transport Layer Security (TLS) and Secure Sockets Layer (SSL) connections
work seamlessly, the entry in the CN on the certificate must exactly match the Uniform
Resource Locator (URL) used in the browser for Web access. When the Certificate CN
and the URL in the address bar of the browser do not match, then the browser reports a
certificate error.
              Figure 1-1. Internet Explorer (IE) 7, Certificate Error Warning Page




The example above is an intranet site accessible by NetBIOS name (cpsgweb) and by an
Active Directory FQDN that was intentionally accessed by means not recognized by the
certificate multiple-subject alternative name (Multi-SAN) entry. It is NOT intended for
external access using a normal Domain Name System (DNS) name as shown. Since the
URL entered does not match any of the valid Subject Alternative Name (SAN) entries in
this certificate, this error page is presented. The Multi-SAN Server Enrollment profile
allows entry of alternative names that represent the same Web page or data store and
prevents users from receiving warning messages.





                     2. Generating the Certificate Request
2.1 Commercial Off-the-Shelf Instructions

See https://afpki.lackland.af.mil/html/pke_cots.asp for step-by-step guidance on
generating a certificate request on many standard commercial products, or go to Section 3
if a PKCS#10 file has already been requested.

2.2 Off-Line Request Tool

If the device is NOT capable of generating a PKCS #10 certificate request, go to
https://afpki.lackland.af.mil/html/offlinedevcerts.asp and download the OFF-LINE
Request Tool.

Note: Apache-based systems may prompt for a Privacy Enhanced Mail (PEM)
Challenge Phrase. A PEM Challenge Phrase must NOT be used in the request
generation process, because it creates a PKCS #9 extension to the request, which is not
supported by the DoD Public Key Infrastructure (PKI). Always use a password to
protect the key files on the local machine, which is supported.
                Figure 2-1 PKCS#10 Server Request File (Viewed in Notepad)




Note 1: This file is required to continue with the request process. If not available, return
to the documents referenced at the top of this section to generate the request.
Note 2: The additional generic information similar to that shown below is automatically
included in Domain Controller certificate requests generated with the Off-Line Request
tool running on a Domain Controller.
         Figure 2-2 Generic information in Server Request File (Viewed in Notepad)






3. Submitting the Certificate Request to the DoD Certification
                          Authority
DoD Certification Authorities (CAs) are updated regularly. Ensure this is the most
current document from https://afpki.lackland.af.mil/html/web_svr_certs.asp before
proceeding.

3.1 Connect to a DoD PKI Certification Authority

3.1.1 DoD PKI Operational Certification Authorities
CA-21: https://ca-21.c3pki.chamb.disa.mil/ (New CA on-line in May 2009)
        ---CAUTION: URL may migrate to *.csd.disa.mil without notice


CA-22: https://ca-22.csd.disa.mil/                    (New CA on-line in May 2009)

Note 1: A security alert appears if the DoD PKI Root CA Chain is not installed in the
browser. Either accept the current session or see:
https://afpki.lackland.af.mil/html/trustingthedodpki.asp to install trust in the browser.

Note 2: SIPRNET requests must be submitted on SIPRNET and include *.smil.mil in
the CA URL. All other processing is the same.

Note 3: New CAs 21 and 22 (SIPRNET and NIPRNET) replace the previous CAs numbered 17
and 18. Certificates from CAs 17 and 18 remain valid until normal expiration. All
new requests must be submitted to CA-21 or CA-22.

3.1.2 DoD PKI Test and Development Certification Authorities

The DISA, Joint Interoperability Test Command (JITC) runs a test PKI for test and
development purposes both internal to the DoD PKI and for use by DoD and Commercial
applications that are testing interoperability with the DoD PKI.

JITC certificates conform to the same specifications as Operational DoD PKI
Certificates, but they fall under a TEST ROOT CA. These certificates are not to be
trusted on operational computers used for normal Web browsing or e-mail. In the event a
machine has JITC test certificates installed for testing and is then moved to the
operational network, the JITC certificates and trust chain MUST be removed before the
system is placed in operational use.

Note: Connecting to a JITC site with an operational computer may result in a
“Navigation Blocked” error in your normal desktop browser. Test environment
computers should install the JITC Root; however, on operational desktops it is safe to
click past these specific warnings because the JITC infrastructure is safe to access.

The explicit JITC Root CA trust chain for a given server/device/application certificate is
included in the “Base 64 encoded certificate with CA certificate chain in pkcs7 format”
available when downloading the certificate from the CA. Other JITC CA trust
certificates may be downloaded from https://crl.gds.nit.disa.mil/ as necessary for testing.
For more information, go to the JITC PKI Web Site: http://jitc.fhu.disa.mil/pki/

The following JITC CA is commonly used for obtaining test certificates.

JITC CA-21: https://CA-21.c3pki.nit.disa.mil/ca/

CAUTION: SEE paragraph 3.4 for special JITC request submission process.

3.2 Choose the Certificate Profile
Figure 3-1 represents the Enrollment page displayed when accessing the CA URLs
identified in section 3.1 above. See below for proper use of profiles.
                   Figure 3-1. The DoD Certificate Manager Enrollment Tab




Note 1: There are other profiles shown on the actual Certificate Authority Enrollment
page. For server certificate requirements you should ignore other profiles on this page
as they do not apply to server/device/application requests.


Note 2: NEW enrollment profiles supporting 2048 Bit Key Generation are now
available. The DOD PKI is updating Key Strength requirements from legacy value of
1024 bit Modulus to NIST mandated 2048 bit Modulus. The original 1024 bit profiles
will remain available for an extended period; however, the 2048 Bit Profiles SHOULD
be used when possible. Any application/server-system that cannot generate 2048 bit
requests must immediately begin to update capability to generate 2048 bit key sizes.



         a. New 2048-Bit SSL Enrollment Form:
              (New SSL Enrollment form (1024 legacy))

This profile is a new version of the Multi-SAN Server Enrollment profile but with one
very important difference; this profile contains Extended Key Usage Attributes required
by some applications. The following Extended Key Usages (EKUs) are automatically
included in certificate requests when using this profile.
Extended Key Usage:
Server Authentication (1.3.6.1.5.5.7.3.1)
Client Authentication (1.3.6.1.5.5.7.3.2)
IP security IKE intermediate (1.3.6.1.5.5.8.2.2)
AnyEKU (2.5.29.37.0)


Recommended Uses: The New 2048-Bit SSL Enrollment Form is the primary enrollment
profile for requests not specifically identified below.

         b.   Regular 2048-Bit SSL Server Enrollment:
              (Regular SSL Server Enrollment (Legacy 1024 bit))

This is the original server profile and has been in use since the beginning of the DoD
PKI. Use this profile when the device/application does not support a Subject Alternative
Name extension. It is suitable for normal TLS/SSL server certificates and use with other
devices or application modules that are accessed using one specific URL and do NOT
require EKUs.

         c. 2048 Bit Multi-SAN Server Enrollment:
              (Multi-SAN Server Enrollment (1024 bit Legacy))

The Multi-SAN Server Certificate solves the “Certificate Error” issue for sites accessed
by different URL names. It is suitable for normal TLS/SSL server certificates requiring
signature and encryption capability and for use with other devices. It contains, by
default, one SAN entry that is a duplicate of the CN entry but allows for the addition of
multiple Alternative Names to support multiple URL access, short names and special
functions.

Recommended Uses: The 2048-Bit Multi-SAN Server Enrollment profile is required to
request E-Mail Signing certificates for Application servers that have automated mailers
sending e-mail with links and/or attachments. These applications must digitally sign
their e-mail as per AFI 33-119, Air Force Messaging.

         d.    Manual PKCS#10 Domain Controller Certificate Enrollment:
This profile is used exclusively for requesting Domain Controller certificates with
PKCS#10 files generated using the Off-Line Request Tool.





3.3 Post the PKCS#10 Certificate Request to the CA

Open the certificate request as shown in Figure 2-1.

Highlight the text including the BEGIN NEW CERTIFICATE REQUEST header and
END NEW CERTIFICATE REQUEST trailer, with all dashes. Right click the
selected text, and from the shortcut menu, click Copy.

Paste the certificate request file into the Certificate Request block. This process is the
same regardless of which profile you choose.
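
Before pasting, the request can be checked for the two problems this document warns about: a PEM challenge phrase (Section 2.2) and a key shorter than 2048 bits (Section 3.2, Note 2). The Python below is an added example, not part of the original instructions or of the Off-Line Request Tool; it uses only the standard library, its function names are hypothetical, and build_sample_csr produces constructed input with a placeholder key value and a dummy signature.

```python
import base64
import re

ARMOR = re.compile(r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)"
                   r"-----END (?:NEW )?CERTIFICATE REQUEST-----", re.S)

def encode_oid(dotted):
    """DER content bytes for a dotted OID (base-128 arcs after the first two)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return out

OID_RSA = encode_oid("1.2.840.113549.1.1.1")          # rsaEncryption
OID_CHALLENGE = encode_oid("1.2.840.113549.1.9.7")    # PKCS #9 challengePassword

def pem_to_der(pem_text):
    """Strip the header/trailer lines and decode the Base64 body."""
    m = ARMOR.search(pem_text)
    if not m:
        raise ValueError("request header or trailer is missing or damaged")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split a constructed element's content into (tag, body) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def check_csr(pem_text, min_bits=2048):
    """Return findings for a PKCS#10 request; an empty list means none."""
    findings = []
    [(_, request)] = children(pem_to_der(pem_text))
    (_, info), _sig_alg, _sig = children(request)
    _version, _subject, (_, spki), *attrs = children(info)
    (_, alg), (_, key_bits) = children(spki)
    if children(alg)[0][1] == OID_RSA:
        # BIT STRING content: one unused-bits byte, then the RSAPublicKey SEQUENCE
        [(_, rsa_key)] = children(key_bits[1:])
        bits = int.from_bytes(children(rsa_key)[0][1], "big").bit_length()
        if bits < min_bits:
            findings.append(f"RSA modulus is {bits} bits; {min_bits} required")
    else:
        findings.append("public key is not RSA; key size not checked")
    for tag, body in attrs:
        if tag != 0xA0:                # attributes carry context tag [0]
            continue
        for _, attribute in children(body):
            if children(attribute)[0][1] == OID_CHALLENGE:
                findings.append("challengePassword (PKCS #9) attribute present")
    return findings

# --- Constructed test input: placeholder key value and dummy signature ---
def tlv(tag, content):
    n = len(content)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + content

def build_sample_csr(modulus_bits, challenge=None):
    modulus = ((1 << (modulus_bits - 1)) | 1).to_bytes(modulus_bits // 8 + 1, "big")
    null = tlv(0x05, b"")
    rsa_key = tlv(0x30, tlv(0x02, modulus) + tlv(0x02, b"\x01\x00\x01"))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, OID_RSA) + null) + tlv(0x03, b"\x00" + rsa_key))
    cn = tlv(0x30, tlv(0x06, encode_oid("2.5.4.3")) + tlv(0x0C, b"server.example.test"))
    attrs = b""
    if challenge:
        attrs = tlv(0x30, tlv(0x06, OID_CHALLENGE) + tlv(0x31, tlv(0x0C, challenge.encode())))
    info = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, tlv(0x31, cn)) + spki + tlv(0xA0, attrs))
    sig_alg = tlv(0x30, tlv(0x06, encode_oid("1.2.840.113549.1.1.11")) + null)
    der = tlv(0x30, info + sig_alg + tlv(0x03, b"\x00" * 17))
    return ("-----BEGIN NEW CERTIFICATE REQUEST-----\n" + base64.encodebytes(der).decode()
            + "-----END NEW CERTIFICATE REQUEST-----\n")

if __name__ == "__main__":
    print(check_csr(build_sample_csr(2048)))
    print(check_csr(build_sample_csr(1024, challenge="constructed-phrase")))
```

The check does not verify the request signature; it only inspects the structure that the CA profile will see.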

                        Figure 3-2. Regular SSL Server Enrollment Page






                       Figure 3-3. Multi-SAN Certificate Enrollment Page




Note: Appearance of the PKCS#10 request in the request window may be different
depending upon the browser used.
        Figure 3-4. Manual PKCS#10 Domain Controller Certificate Enrollment Page




Note: Additional Generic Input blocks contain DNS Name and Globally Unique
Identifier (GUID) for Domain Controller certificate request.





3.3.1 Adding Multi-SAN entries

    a. Select appropriate General Name type from the drop-down menu.
                        Figure 3-5. Add General Name Drop-Down Menu
                           (“New SSL” and “Multi-SAN” profiles only)




       DNS Name: servername@basename.af.mil (Standard URL format)
       DNS Name: servername (NetBios Name format)
       DNS Name: *eis.afmc.af.mil (Wildcard support for SharePoint used with FQDN
        in CN field).
    Note 1: A Wildcard is ONLY permitted in the SAN field. DoD PKI policy does NOT
    permit a wildcard to be used in the CN field.
    Note 2: Don’t enter the same value used in the CN of the Certificate. The CN is
    automatically duplicated as the first SAN entry. Once any entry appears in the SAN
    field, it becomes authoritative and the value in the CN is ignored.
    Note 3: Web sites receiving redirections from other URLs should also contain a DNS
    name representative of the site from which the redirection is mapped.
       DNS Name: application.name@basename.af.mil (When requesting a server-
        based e-mail signing certificate, enter originating e-mail address here and mark
        the requirement form in 3.4.2 for application e-mail).
       Directory Name: DIRHEFLS02,CN=DCDSERVER,C=US……
        Note: Defense Messaging System (DMS) Directory Servers use this extension.
       IP Address: 195.25.681.095
       Uniform Resource Identifier (URI) Name: URN:UUID:F81DRFEA-7DEC-11D0-
        A765-00A0C91E6BF6
        Note: Entries for URI Name should be entered only from an authoritative
        source.






    b. Add additional General Name entries
                                  Figure 3-6. Add General Name




       The Add New General Name button may be used to add additional SAN. The
        X.509 specification for SAN entries is an unlimited multi-valued attribute. This
        interface supports up to 50 names. Not all applications and uses support large
        numbers of SAN values; be sure of the requirement and compatibility when
        submitting.
       The Delete Pair button deletes the respective General Name Type and General
        Name Value entry pair.
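
The naming rules in Sections 1 and 3.3.1 can be checked before the request is submitted. The following Python is an added example, not part of the original instructions or of any DoD tool: it lints a planned CN and SAN list against Notes 1 and 2 and the 50-name form limit, then reports which user-facing URLs no certificate name would cover. The function names, the sample host names, and the wildcard rule (an asterisk stands for exactly one left-most label) are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

MAX_SAN_ENTRIES = 50  # limit of the enrollment form described in 3.3.1 b


def _ip(value):
    """Parsed IP address, or None when value is not an IP literal."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def dns_match(pattern, host):
    """Assumed matching rule: '*' stands for exactly one left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] if p[0] == "*" else p == h


def lint_request(cn, san):
    """Check a planned CN and SAN list against the notes in section 3.3.1."""
    findings = []
    if "*" in cn:
        findings.append("CN contains a wildcard; wildcards are permitted in the SAN only")
    if len(san) > MAX_SAN_ENTRIES:
        findings.append(f"{len(san)} SAN entries exceed the form limit of {MAX_SAN_ENTRIES}")
    seen = set()
    for kind, value in san:
        key = (kind, value.lower())
        if kind == "DNS Name" and value.lower() == cn.lower():
            findings.append(f"{value}: repeats the CN, which is already copied into the SAN")
        elif key in seen:
            findings.append(f"{value}: listed more than once")
        seen.add(key)
        if kind == "IP Address" and _ip(value) is None:
            findings.append(f"{value}: not a valid IP address")
    return findings


def uncovered_urls(cn, san, urls):
    """URLs whose host matches no name on the certificate (browser shows an error)."""
    # The CN is duplicated as the first SAN entry, so it takes part in matching.
    cn_kind = "IP Address" if _ip(cn) is not None else "DNS Name"
    names = [(cn_kind, cn)] + list(san)
    missing = []
    for url in urls:
        host = urlsplit(url).hostname or ""
        if _ip(host) is not None:
            ok = any(k == "IP Address" and _ip(v) == _ip(host) for k, v in names)
        else:
            ok = any(k == "DNS Name" and dns_match(v, host) for k, v in names)
        if not ok:
            missing.append(url)
    return missing


# Constructed sample modelled on the Figure 1-1 scenario (all names are placeholders).
SAMPLE_CN = "cpsgweb.ad.example.test"
SAMPLE_SAN = [("DNS Name", "cpsgweb"), ("DNS Name", "*.eis.example.test"),
              ("IP Address", "192.0.2.10")]
SAMPLE_URLS = ["https://cpsgweb/", "https://cpsgweb.ad.example.test/",
               "https://team1.eis.example.test/", "https://192.0.2.10/",
               "https://www.example.test/"]

if __name__ == "__main__":
    print(lint_request(SAMPLE_CN, SAMPLE_SAN))
    print(uncovered_urls(SAMPLE_CN, SAMPLE_SAN, SAMPLE_URLS))
```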

3.3.2 Complete Requestor Information
                                Figure 3-7. Requestor Information




       The Requestor Information here is the actual system administrator posting this
        request.
       The Requestor must be the same person identified as the System Administrator on
        the DoD PKI Certificate Requirement sent to the Registration Authority (RA).

3.3.3 Complete Generic Input
                 Figure 3-8. Generic Input (Domain Controller Requests only)




       This information is copied from the request file; see Figure 2-2.



3.3.4 Complete On-Line Request submission

Click on the Submit button on the CA Certificate Profile page. The Request
Successfully Submitted Web page displays.
                   Figure 3-9. The Request Successfully Submitted Screen




       Print this screen or record the number for reference.

       Close all open windows or applications at this time.

       This Request number and the CA number where submitted must be recorded on
        the DoD PKI Certificate Requirement document sent to the RA.

       If an error is received instead of the Request Successfully Submitted Web page,
        contact the Air Force (AF) PKI Help Desk for assistance at
        https://afpki.lackland.af.mil/html/help_desk.asp.

CAUTION:

Submit the DoD PKI Server Certificate Requirement to the RA as in the next step, or
the certificate will NOT be issued.

3.4 Submit your Certificate Requirement

3.4.1 JITC Test Certs:

For JITC test certificates simply send an e-mail to afpki.ra@lackland.af.mil identifying
who you are, what you need the cert for and the JITC CA # with the request number.


Completion of a formally routed requirement document as described below is not
required.

3.4.2 Operational DOD PKI Certificate Requirements:

    a. Download the DoD PKI Server Certificate Requirement document (ZIP file).

    b. Annotate the Request Identification (ID) # and the CA# where submitted in the
       CA Request Info block on the DoD PKI Server Certificate Requirement.

    c. Submit the completed Requirement document to a Local Registration Authority
       (LRA) or Software Certificate Trusted Agent (TA).

A list of LRAs is located at: https://afpki.lackland.af.mil/html/lracontacts.asp.
E-mail afpki.ra@lackland.af.mil for assistance in locating TAs or to pre-arrange time
critical actions.

The AF PKI Helpdesk (DSN 945-2521) can assist in identifying local TAs for
software/device certificate requests.

3.5 E-mail Notification of Issue
The AF PKI RA verifies the certificate request on the CA server against the information
on the DoD PKI Server Certificate Requirement and then issues the certificate. Upon
certificate issuance, the RA will send instructions to the submitter for retrieving the
certificate via e-mail message from the AFPKI Registration e-mail account.
Note: Certificates are usually issued within one business day unless there is a problem.
If certificates have not been received within five business days, send an e-mail to
AFPKI.RA@lackland.af.mil requesting status.

3.6 Retrieving the Certificate

The AF PKI Registration e-mail identifies the certificates issued and provides specific
download instructions. Users may also use the steps below to check status at the CA.

To check status of and/or download the certificate:

    Step 1.    Connect to the appropriate CA identified in section 3.1.1. Return to the
               same CA to which the request was submitted
    Step 2.    Click on the Retrieval tab and enter the Request ID number
    Step 3.    Click Submit
    Note: If the status says Pending, then the certificate was not issued. Remember, the
    RA will not issue the certificate until the DoD PKI Server Certificate Requirement is
    received from an authorized registration official (TA or LRA).
    Step 4.    Click on the serial number found on the Issued Certificate line.


    Step 5.    With the Certificate information displayed, scroll down to the Installing
               this certificate in a server section, where the server certificate is displayed
               in a block of encoded text. Select the block entitled “Base 64 encoded
               certificate.” All AF mainstream applications support this format.

3.7 Copy the Certificate to Notepad

Scroll down the page to find the Base 64 encoded certificate display. Highlight the text
including the -----BEGIN CERTIFICATE----- header and -----END CERTIFICATE-----
trailer, with all dashes. To copy this text to the clipboard, right-click the selected
text, and click Copy on the shortcut menu.

Note: The “Base 64 encoded certificate” is the most commonly used format for
Microsoft Internet Information Services (IIS), Oracle database manager, or Timestep
VPN boxes. The “Base 64 encoded certificate with CA certificate chain in pkcs7
format” listed further down the screen may be required for some applications. The pkcs7
format contains a certificate chain including the server certificate, the CA certificate, and
the ROOT CA Certificate. See your application documentation.

3.8 Paste and Save Certificate Information Using Notepad

Open Notepad (or other ASCII Text Editor) and paste the “Base 64 encoded certificate”
information by right clicking in the text area and clicking Paste from the shortcut menu.
From the File menu, click Save and assign a file name with an extension of .cer, .crt,
.pem, or other extension appropriate to your particular Web server/operating system. If
using the “Base 64 encoded certificate with CA certificate chain in pkcs7 format,” then
save the file as *.p7b. Remember the filename and location of this file; it is needed to
install in the server.

3.9 What’s Next?

After retrieving the certificate request, install the Web server certificate according to the
specific instructions for that server or device. Sections 4, 5 and 6 below include
additional requirements that may also be stipulated in more detail in the specific PK
Enabling documents cited in Section 1 of this document.






         4. Obtaining the DoD Root Certificate Trust Chain
4.1 Downloading Certificate Trust Chains
Refer to the Web page: DoD Root Certificates - Trusting the DoD PKI at:
https://afpki.lackland.af.mil/html/trustingthedodpki.asp.

This Web page contains multiple formats of the DoD PKI Trust List for installation in
various environments. If the basic trust chain has already been installed via Active
Directory or other network generated actions, no further action is necessary.

4.2 Installing the DoD Root Trust Chain in the Server/Device
The DoD Root Trust chain must be installed in the server for the certificate to function.
The format of the files required for the server or device is specified in the system’s
documentation. The particular procedures, to include command line syntax, screen shots
and menu options are peculiar to each implementation. See the Web page cited in
Section 4.1, the PK Enabling instructions cited in Section 1, or the application
instructions to install the trust chain.

4.3 Installing the DoD Root Trust Chain in the Browser
See the Web page in section 4.1 for instructions on installing the DoD Root Trust Chain
in the browser. If the trust chain is already installed, no further action is necessary.

4.4 Certificate Revocation Checking
Certificate revocation checking is a requirement for all applications and servers. Just
having a certificate issued by the DoD is not sufficient. The application or Web server
must also validate the certificate is current and was not revoked. There are several ways
to do this; the best one to use depends on the environment. Validation is accomplished
using Online Certificate Status Protocol (OCSP) or using Certificate Revocation Lists
(CRLs).
Please see the Certificate Validation Web Site at:
https://afpki.lackland.af.mil/html/certvalidationclients.asp

Lightweight Directory Access Protocol (LDAP) was the original means of retrieving
CRLs and is still available; however, LDAP is connection-oriented and very bandwidth-
intensive. LDAP requires special IP filters at the Firewall and breaks if the IP address is
changed on the distant end.

The new certificates issued by the DoD PKI incorporate HTTP CRL Distribution points.
HTTP retrieval makes efficient use of the Blue Coat Proxy caching capability and relies
on forward-caching in the Non-Classified Internet Protocol Router Network (NIPRNet)
implementation of Akamai technology.
Efficient CRL retrieval is implemented using the Wget utility; see:
https://afpki.lackland.af.mil/html/kbsearchdetail.cfm?id=373



                        5. Enabling Client Authentication
Client authentication is now required on all DoD private Web sites.

Web servers and applications must be configured to trust only DoD-approved CAs for
support of client authentication per Joint Task Force-Global Network Operations (JTF-
GNO) direction.

Failure to implement a specific DoD Approved Root CA trust list allows people with
commercial certificates from any CA listed in the machine’s default trust store to
authenticate to the server. Non-DoD CAs should not be arbitrarily removed from the
machine’s default trust store as this may cause the computer to fail to operate.

On Microsoft Servers, implement a Certificate Trust List (CTL) using instructions at:
https://afpki.lackland.af.mil/assets/files/CTL_Instructions_1000.doc.

For Non-Microsoft servers, refer to the system documentation to limit client
authentication to DoD approved PKIs.

Refer to: https://afpki.lackland.af.mil/html/pke_cots.asp for common implementations.


   6. Converting a Certificate to Distinguished Encoding Rules
                         (DER) Format
Some applications require certificates to be in a Distinguished Encoding Rules (DER)
encoded format. The Windows desktop has built-in utilities to convert the Base-64
encoded certificate format to DER (binary) format. To accomplish this
conversion:
       a. Right click on the base 64 encoded file and select install certificate, then click
          through the screens with the DEFAULT settings.
       b. Open Internet Options (in I.E. or on the Control Panel). Select
          Content/Certificates and look for the certificate under the Other People tab.
       c. Highlight the certificate, click on Export, click Next on Certificate Export
          Wizard.
       d. Select the radio button for DER encoded binary, click on Next, click on the
          Browse button, select storage location, enter a file-name, click on Save, click
          on Next, then click on Finish. The exported file is in binary/DER format with
          a .cer extension.
       e. Move the file to where you can install it to your application.






                                         Appendix A
                                             Acronyms


AF                      Air Force
CA                      Certification Authority
CN                      Common Name
COMSEC                  Communications Security

CRL                     Certificate Revocation Lists
CTL                     Certificate Trust List
DER                     Distinguished Encoding Rules
DNS                     Domain Name System
DMS                     Defense Messaging System
DoD                     Department of Defense
EKU                     Extended Key Usage
FQDN                    Fully Qualified Domain Name
GUID                    Globally Unique Identifier
IA                      Information Assurance
ID                      Identification
IE                      Internet Explorer
IIS                     Internet Information Services
IP                      Internet Protocol
JITC                    Joint Interoperability Test Command
JTF-GNO                 Joint Task Force-Global Network Operations
LDAP                    Lightweight Directory Access Protocol
LRA                     Local Registration Authority
NIPRNet                 Non-Classified Internet Protocol Router Network
OCSP                    Online Certificate Status Protocol
PEM                     Privacy Enhanced Mail
PKCS                    Public Key Cryptography Standard
PKI                     Public Key Infrastructure
RA                      Registration Authority
SAN                     Subject Alternative Name

SPO                     System Program Office

SSL                     Secure Sockets Layer
TA                      Trusted Agent
TLS                     Transport Layer Security
URI                     Uniform Resource Identifier

URL                     Uniform Resource Locator
USAF                    United States Air Force



