diff --git a/_ficampmo/ficampmo.md b/_ficampmo/ficampmo.md index ac62331e0..1aa8f5140 100644 --- a/_ficampmo/ficampmo.md +++ b/_ficampmo/ficampmo.md @@ -44,7 +44,7 @@ Through this four-part framework, the GSA FICAM Program leads or coordinates the 3. Recognition 1. Workforce identity trust services 2. FIPS 201 Approved Product List - 3. [GSA PKI Shared Service Provider Program]({{site.baseurl}}/ssppki/) - Manage commercial PKI service providers that issue Federally-compliant digital certificates. + 3. [GSA PKI Shared Service Provider Program]({{site.baseurl}}/pkissp/) - Manage commercial PKI service providers that issue Federally-compliant digital certificates. 4. Compliance 1. [FIPS 201 Evaluation Program]({{site.baseurl}}/fips201/) - Tests and certify services and commercial products used in PIV credentialing systems and physical access control systems. 2. Federal PKI Annual Review Process @@ -59,7 +59,7 @@ The GSA FICAM Program coordinates and oversees governmentwide ICAM initiatives a The [Identity, Credential, and Access Management Subcommittee (ICAMSC)](https://community.max.gov/pages/viewpage.action?pageId=234815732){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} is the principal interagency forum for identity management, secure access, authentication, authorization, credentials, privileges, and access lifecycle management. It’s a sub-committee of the [Federal CIO Council’s Chief Information Security Officer (CISO) Council](https://www.cio.gov/about/members-and-leadership/ciso-council/){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}. -The ICAMSC is co-chaired by the [GSA Office of Government-wide Policy](https://gsa.gov/portal/category/21399){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} and another volunteer agency (currently the Department of Justice). The ICAMSC aligns the identity management activities of the federal government and supports collaborative government-wide efforts to: +The ICAMSC is co-chaired by the [GSA Office of Government-wide Policy](https://www.gsa.gov/about-us/organization/office-of-governmentwide-policy){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} and another volunteer agency (currently the Department of Justice). The ICAMSC aligns the identity management activities of the federal government and supports collaborative government-wide efforts to: - Increase agency flexibility in addressing ICAM challenges; - Coordinate interagency efforts to meet agency mission needs; - Identify gaps in policies, procedures, standards, guidance, and services; and @@ -110,19 +110,19 @@ It is co-chaired by the GSA Office of Government-wide Policy. The GSA Office of ### Activities - **Approve Policies and Practices** – Approve Federal Bridge Certification Authority (FBCA) and Federal Common Policy Certification Authority Certificate Policies (CPs), including revisions; approve FPKI Trust Infrastructure Certification Practice Statements. - **Approve Entity Cross-Certification** – Establish and administer criteria and methodology for cross-certification with the FBCA; approve cross-certifications and execute Memoranda of Agreement (MOAs); maintain the FPKI Certification Applicant Requirements and the Common Policy CPS Evaluation Matrix. -- [**Maintain Compliance**](../fpkiaudit/) – Ensure cross-certified entities are compatible with the FBCA Certificate Policy (CP) (or the Federal Common Policy Certification Authority (FCPCA) CP for Federal Legacy CAs). +- [**Maintain Compliance**]({{site.baseurl}}/fpki/#audit-information-for-the-fpki-management-authority) – Ensure cross-certified entities are compatible with the FBCA Certificate Policy (CP) (or the Federal Common Policy Certification Authority (FCPCA) CP for Federal Legacy CAs). - **Agreement with FPKI Management Authority** – Oversee the FPKI Management Authority (FPKIMA) to issue and revoke cross-certificates, ensure adherence to the FPKI CPs, and provide documentation to be archived. - **Interoperability Practices** – Coordinate legal, policy, technical, and business practices and issues related to FPKI Trust Infrastructure. ### Membership and Meetings -Members are appointed by each federal agency’s CIO, and the group operates under the authority of the Federal CIO Council through the Information Security and Identity Management Committee (ISIMC) and the Identity, Credential, and Access Management Subcommittee (ICAMSC). See the [FPKIPA Charter](../../docs/fpkipa-charter.pdf){:target="_blank"}{:rel="noopener noreferrer"} (PDF, August 2021) for information on membership requirements, voting rights, etc. +Members are appointed by each federal agency’s CIO, and the group operates under the authority of the Federal CIO Council through the Information Security and Identity Management Committee (ISIMC) and the Identity, Credential, and Access Management Subcommittee (ICAMSC). See the [FPKIPA Charter]({{site.baseurl}}/docs/fpkipa-charter.pdf){:target="_blank"}{:rel="noopener noreferrer"} (PDF, August 2021) for information on membership requirements, voting rights, etc. The FPKIPA meets in the morning on the second Tuesday of each month. Contact fpki at gsa.gov to participate in the FPKIPA or its working groups. ## Federal Public Key Infrastructure Management Authority -[The Federal Public Key Infrastructure Management Authority (FPKIMA) enables government-wide trust](../../docs/fpki-fpkima-wp.pdf){:target="_blank"}{:rel="noopener noreferrer"} by providing trust infrastructure services to federal agencies. The FPKIMA is governed under the FPKI Policy Authority (FPKIPA) and managed by the GSA Federal Acquisition Service. +[The Federal Public Key Infrastructure Management Authority (FPKIMA) enables government-wide trust]({{site.baseurl}}/docs/fpki-fpkima-wp.pdf){:target="_blank"}{:rel="noopener noreferrer"} by providing trust infrastructure services to federal agencies. The FPKIMA is governed under the FPKI Policy Authority (FPKIPA) and managed by the GSA Federal Acquisition Service. ### Activities - **Manage digital certificate policies and standards** to ensure secure physical and logical access, document sharing, and communications across federal agencies and between external business partners. diff --git a/_ficampmo/fips201ep.md b/_ficampmo/fips201ep.md index b1127eb16..5a858210e 100644 --- a/_ficampmo/fips201ep.md +++ b/_ficampmo/fips201ep.md @@ -82,7 +82,7 @@ Product testing is performed by either: If the product passes testing and review, the vendor is granted a letter of certification, and the product is placed on the [Approved Products List (APL)]({{site.baseurl}}/acquisition-professionals/#products). The APL includes product information, version, date of certification, and special considerations. -Visit the [Vendors page]({{site.baseurl}}/vendor/) for more on testing and certification. +Visit the [Vendors page]({{site.baseurl}}/vendors/) for more on testing and certification. ## Testing Guidance and Documents @@ -120,7 +120,7 @@ All applicants, please complete the following steps: Agencies that wish to issue D-PIV credentials should follow these steps: 1. Perform a NIST SP 800-79 assessment and receive an Authority To Operate (ATO) 2. Work with your Shared Service Provider (SSP) to obtain D-PIV Object Identifiers (OIDs) -3. Submit sample D-PIV public certificates for testing or provide results from the [Certificate Profile Conformance Tool (CPCT)]({{site.baseurl}}/fpki/tools/cpct/){:target="_blank"}{:rel="noopener noreferrer"} to fips201ep at gsa.gov. +3. Submit sample D-PIV public certificates for testing or provide results from the [Certificate Profile Conformance Tool (CPCT)](https://github.com/GSA/cpct-tool/releases/){:target="_blank"}{:rel="noopener noreferrer"} to fips201ep at gsa.gov. Upon successful completion of DPCI testing, the agency or organization will be granted approval to issue D-PIV credentials. diff --git a/_ficampmo/gsapkissp.md b/_ficampmo/gsapkissp.md index b727a5de0..dc13cdfd5 100644 --- a/_ficampmo/gsapkissp.md +++ b/_ficampmo/gsapkissp.md @@ -67,7 +67,7 @@ This document is primarily for the following audience: 2. Existing GSA PKI SSP Program members to refresh their knowledge of ongoing maintenance requirements. 3. Federal agency customers who want to understand the GSA PKI SSP program or find contact information for the program management. -If you have questions about this document or the outlined process, contact [GSAPKISSP@gsa.gov](GSAPKISSP@gsa.gov). +If you have questions about this document or the outlined process, contact [GSAPKISSP@gsa.gov](mailto:GSAPKISSP@gsa.gov). # Section I: GSA PKI SSP Program @@ -142,7 +142,7 @@ A PKI Vendor will be asked for proof or to provide attestations regarding their ### MOA Procedural Guidance: -- Send an email to [GSAPKISSP@gsa.gov](mailt0:GSAPKISSP@gsa.gov) requesting admission to the GSA PKI SSP Program. +- Send an email to [GSAPKISSP@gsa.gov](mailto:GSAPKISSP@gsa.gov) requesting admission to the GSA PKI SSP Program. - SSPs must obtain, review, and sign the MOA from the SSP Program Office. Once an MOA is signed, the GSA PKI SSP will sponsor the vendor to apply to the Federal PKI Policy Authority. diff --git a/_implement/introduction.md b/_implement/introduction.md index 6b9fee8ac..00b11290f 100644 --- a/_implement/introduction.md +++ b/_implement/introduction.md @@ -35,8 +35,8 @@ The majority of engineering guides are focused on helping agencies configure PIV 1. [Windows Domains]({{site.baseurl}}/implement/scl-windows) 2. [MacOS]({{site.baseurl}}/implement/scl-macos) 3. [Microsoft Outlook (on-premise)]({{site.baseurl}}/implement/outlook) - 4. [Firefox Browser]({{site.baseurl}}/implement/firefox) - 5. [SSH Command Line]({{site.baseurl}}/implement/ssh) + 4. [Firefox Browser]({{site.baseurl}}/implement/scl-firefox) + 5. [SSH Command Line]({{site.baseurl}}/implement/scl-ssh/) 6. Certificate-based Authentication on Azure AD (Coming soon!) 7. Certificate-based Authentication on Okta (Coming soon!) 2. FIDO2 Configuration diff --git a/_implement/outlook.md b/_implement/outlook.md index 2edf89a97..b3fa4395e 100644 --- a/_implement/outlook.md +++ b/_implement/outlook.md @@ -86,7 +86,7 @@ The Global Address List (GAL) is a shared, enterprise-wide contact directory in When sending an encrypted email, the message is encrypted using the public key in the intended recipient's certificate. If Outlook cannot find the intended recipient's public key through the [Global Address List](#publish-your-certificates-to-the-global-address-list), you may need to load it manually. -1. Obtain a copy of the intended recipient's [Key Management]({{site.baseurl}}/arch/pivdetails/) certificate (you may need to ask the intended recipient to export and share their certificate with you) +1. Obtain a copy of the intended recipient's [Key Management]({{site.baseurl}}/university/piv/#how-to-view-piv-credential-certificates) certificate (you may need to ask the intended recipient to export and share their certificate with you) 2. Click the **Home** tab. 3. Click the **Address Book**. 4. Select **File** > **New Entry**. @@ -112,6 +112,6 @@ PIV users may receive and store encrypted emails througout their tenure in an or ## Other Helpful References - Enabling S/MIME on [Mac Mail](https://support.apple.com/guide/mail/sign-or-encrypt-emails-mlhlp1180/mac){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} -- Enabling S/MIME on [Thurderbird email client](https://docs.nitrokey.com/pro/smime-thunderbird.html){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} +- Enabling S/MIME on [Thurderbird email client](https://docs.nitrokey.com/storage/mac/smime-thunderbird.html){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} - S/MIME with [Gmail](https://support.google.com/a/topic/9061730?hl=en&ref_topic=2683828){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} - S/MIME with [O365](https://support.microsoft.com/en-us/office/encrypt-messages-by-using-s-mime-in-outlook-web-app-2e57e4bd-4cc2-4531-9a39-426e7c873e26){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} diff --git a/_implement/scl-ssh.md b/_implement/scl-ssh.md index f3cc58b4d..f7127bbb2 100644 --- a/_implement/scl-ssh.md +++ b/_implement/scl-ssh.md @@ -44,7 +44,7 @@ PuTTY-CAC is an open-source SSH client that uses Microsoft's CryptoAPI (CAPI). (

PuTTY configuration window.

-4. From the **Windows Security** list, select your PIV/CAC authentication certificate by clicking _OK_. If you don't see your certificate, click _More choices_. (For help with certificates, see [Understanding PIV Certificates]({{site.baseurl}}/arch/pivdetails/). +4. From the **Windows Security** list, select your PIV/CAC authentication certificate by clicking _OK_. If you don't see your certificate, click _More choices_. (For help with certificates, see [Understanding PIV Certificates]({{site.baseurl}}/university/piv/#how-to-view-piv-credential-certificates).

A PuTTY select certificate for authentication screenshot.
@@ -88,7 +88,7 @@ WinSCP is an open-source, secure copy protocol (SCP) and secure file transfer pr
A screenshot showing Add CAPI Cert selected.
-8. From the **Windows Security** screen, select your PIV/CAC authentication certificate, and click _OK_. If you don't see your certificate, click _More choices_. (For help with certificates, see [Understanding PIV Certificates]({{site.baseurl}}/arch/pivdetails/){:target="_blank"}{:rel="noopener noreferrer"}.) +8. From the **Windows Security** screen, select your PIV/CAC authentication certificate, and click _OK_. If you don't see your certificate, click _More choices_. (For help with certificates, see [Understanding PIV Certificates]({{site.baseurl}}/university/piv/#how-to-view-piv-credential-certificates){:target="_blank"}{:rel="noopener noreferrer"}.)
A screenshot showing a PuTTY select certificate for authentication window with the OK button selected.
diff --git a/_implement/scl-windows.md b/_implement/scl-windows.md index a3b05004f..6347fb58f 100644 --- a/_implement/scl-windows.md +++ b/_implement/scl-windows.md @@ -850,9 +850,9 @@ For our use, this complex process is simplified into the following workflows:

After the domain controller’s authentication certificate is used to make a secure link from the workstation to the domain controller, the certificate data for the user’s smart card is sent to the domain controller for validation. The domain controller does the following to validate the credential:

    -
  1. The domain controller looks up the user’s account in Active Directory (AD) using information found in the user’s PIV authentication certificate. This process is known as name mapping. More information about user name mapping can be found in the Account Linking Playbook
    2. -
  2. The certificate is sent to the Microsoft Crypto-API (CAPI) service running on the domain controller for path discovery and validation. CAPI performs basic certificate checks through Path Discovery and Validation (PDVal).
    3. -
  3. The domain controller checks its local copy of the Enterprise NTAUTH store for the presence of the issuing certification authority (CA) for the PIV authentication certificate. Steps for adding a certificate to this store can be found in the Trust Stores Playbook
    4. +
  4. The domain controller looks up the user’s account in Active Directory (AD) using information found in the user’s PIV authentication certificate. This process is known as name mapping. More information about user name mapping can be found in the Account Linking Playbook
    5. +
  5. The certificate is sent to the Microsoft Crypto-API (CAPI) service running on the domain controller for path discovery and validation. CAPI performs basic certificate checks through Path Discovery and Validation (PDVal).
    6. +
  6. The domain controller checks its local copy of the Enterprise NTAUTH store for the presence of the issuing certification authority (CA) for the PIV authentication certificate. Steps for adding a certificate to this store can be found in the Trust Stores Playbook

Note: Certificate validation of the PIV authentication certificate for smart card logon only occurs on the individual domain controller processing the logon request. The client computer does not check the validity of the logon certificate. Other applications outside of Windows logon may perform certificate validation locally, so it may still be a good idea to have a valid path installed on your organization’s client computers. if you have multiple logon servers in your environment, only the one responding to the individual logon request performs validation. Therefore, it is important to maintain a consistent configuration across your domain controllers.

Use the information below to troubleshoot additional symptoms encountered after the PIN is entered, but before logon occurs.

@@ -916,12 +916,12 @@ For our use, this complex process is simplified into the following workflows:

Example 3: The revocation status is unreachable, or the revocation status signature cannot be validated due to an invalid trust path.

A screenshot of a window labeled Event 11, CAPI2. The subjectName and the Cert Trust Revocation Status Unknown details are highlighted with yellow.

Note: The error status in Example 3 will occur for any certificate lower in the path than the above Examples for 1 and 2. For example, if a trusted root cannot be found at the top of the path, no valid revocation status will be found for any certificate issued below the trusted root, including the issuing CA certificate and the end user’s PIV authentication certificate. This situation occurs because the revocation data cannot have its signature verified for the same reasons that the certificate itself cannot.

-

You can also use the PKI Interoperability Test Tool (PITT), listed on the Useful Tools page, to validate the certificate path on the logon server. The PITT Usage Guide contains procedures for using the tool.

+

You can also use the PKI Interoperability Test Tool (PITT), listed on the Useful Tools page, to validate the certificate path on the logon server. The PITT Usage Guide contains procedures for using the tool.

Resolution

  1. On the domain controller, work through any path validation issues identified in the above steps and examples. Keep in mind that that path building comes before validation and that a path is built from the bottom up. In this instance, the PIV authentication certificate chains to a trust anchor, such as Federal Common Policy G2. Ensure that the correct trust anchor for your organization’s PIV credentials is installed on every domain controller. If you also trust certificates from other agencies and organizations, the appropriate roots and cross-certificates may need to be installed to complete the path.
  2. Find expired and revoked certificates that may be installed in your domain controller certificate store and delete them as appropriate. In a Windows environment, unexpected errors often result if you have duplicates of a certificate installed in a given store or have accidently installed an intermediate CA in the trusted root store or vice versa.
    3. -
  3. Lastly, you will need to allow outbound access over port TCP 80 from each domain controller to each of the CRL, OCSP, and AIA distribution points listed in the certificates in the path. For more information, see Path Discovery and Validation (PDVal).
    4. +
  4. Lastly, you will need to allow outbound access over port TCP 80 from each domain controller to each of the CRL, OCSP, and AIA distribution points listed in the certificates in the path. For more information, see Path Discovery and Validation (PDVal).

Possible Cause 2 - CA Not in the NTAuth Store

    @@ -948,7 +948,7 @@ For our use, this complex process is simplified into the following workflows:

    Possible Cause 2

    The identifiers listed in the Smart Card Logon certificate on the card cannot be matched to an AD account.

    Resolution 2

    -

    Follow the suggestions in the Account Linking Playbook to ensure that the card identifier can be linked to the AD account. This may require User Principal Name (UPN) mapping, adding alternate security identifiers added to the AD record, or domain hinting.

    +

    Follow the suggestions in the Account Linking Playbook to ensure that the card identifier can be linked to the AD account. This may require User Principal Name (UPN) mapping, adding alternate security identifiers added to the AD record, or domain hinting.


    Back to Process Overview
diff --git a/_university/fpki101.md b/_university/fpki101.md index ac484e837..e3005a23a 100644 --- a/_university/fpki101.md +++ b/_university/fpki101.md @@ -143,7 +143,7 @@ The overarching policies of the Federal PKI are the Federal Common Policy Framew | Certificate Type | General Purpose | Authenticator Format | | ----- | ------ | ----- | -| PIV Certificates | The PIV Card contains up to five certificates with four available to a PIV card holder. See [PIV Certificates]({{site.baseurl}}/arch/pivdetails/) to understand more about PIV certificates on a PIV Card. | FIPS 201 Approved Smart Card (AAL3) | +| PIV Certificates | The PIV Card contains up to five certificates with four available to a PIV card holder. See [PIV Certificates]({{site.baseurl}}/university/piv/#how-to-view-piv-credential-certificates) to understand more about PIV certificates on a PIV Card. | FIPS 201 Approved Smart Card (AAL3) | | Common PIV-I Certificates | The Common PIV-I card contains up to five certificates with four available to the Common PIV-I card holder. See the [PIV-I Playbook]({{site.baseurl}}/playbooks/pivi/) for more information on a Common PIV-I card. | FIPS 201 Approved Smart Card (AAL3) | | Digital Signature | Sign documents such as a PDF or word document. | Software (AAL2) or Hardware (AAL3) | | Encryption (Key Management) | Encrypt files or emails. | Software (AAL2) or Hardware (AAL3) | diff --git a/_university/pacs101.md b/_university/pacs101.md index f737e6b0e..ef282c408 100644 --- a/_university/pacs101.md +++ b/_university/pacs101.md @@ -116,7 +116,7 @@ Here are some key E-PACS advantages to consider: * One employee and contractor enrollment system that connects multiple enrollment locations. * One credential registration and provisioning point. * One enterprise-wide system for administrators to modify or terminate access privileges. -* One enterprise-wide system that regularly polls for [Certificate Revocation List]({{site.baseurl}}/arch/pivdetails/#certificate-revocation){:target="_blank"} (CRL) updates and maintains revocation data. +* One enterprise-wide system that regularly polls for [Certificate Revocation List]({{site.baseurl}}/university/piv/#how-to-view-piv-credential-certificates){:target="_blank"} (CRL) updates and maintains revocation data. * Reduced costs for system management, such as patching, server system administration, and software updates. * Reduced costs for reporting, such as Federal Information Security Modernization Act [FISMA] reporting. * Reduced costs for: