Tales from the EN-Crypt! (How To Get Your PKI Certificate)

SUMMARY

Instructions for NSA employees to get their new Public Key Infrastructure Certificates for encryption of emails and other digital communications before the end of 2003. The article mentions that NSA employees hold colored badges, including blue, green, and gold.

DOCUMENT’S DATE

Jul 08, 2003

PUBLICLY AVAILABLE

Feb 05, 2018

DYNAMIC PAGE -- HIGHEST POSSIBLE CLASSIFICATION IS TOP SECRET // SI / TK // REL TO USA AUS CAN GBR NZL

(U//FOUO) Tales from the EN-Crypt! (How To Get Your PKI Certificate)

FROM: Chief, Support Requirements
Run Date: 07/08/2003

(U//FOUO) Some of you have heard the buzz over the past several months about PKI certificates. The clock is ticking and everyone is on an end-of-the-year deadline! But what are these mysterious certificates? Who needs them? How do we get them? AND WHY?!?! The following paragraphs will answer these questions and offer a few secrets on how to get certified as quickly and as painlessly as possible! Don't wait until October--this requirement is not going to go away, so get it out of your way now!!!

(U//FOUO) First, what is a PKI certificate? PKI stands for Public Key Infrastructure. The PKI system is a comprehensive encryption system that protects information against unauthorized disclosure, unauthorized modifications through digital signing, unauthorized access by enabling access controls and authorization services, and false user identifications.

(U//FOUO) Who needs them? Almost everyone! If you work at NSA and you are a US citizen holding a blue, green, or gold badge, then YOU NEED ONE! So if you are a Second Party member or a non-US citizen, then you have some breathing room, but the system will be ready for you soon!

(U//FOUO) WHY do we need them? This is perhaps the most important question. The answer is multi-fold. First, the current email encryption system, ICARUS, is going away. It will be out of service and the PKI system is the replacement. In addition, the PKI certificate will soon be a necessity in order to use CONCERTO, Peoplesoft, and other similar applications. So even if you rarely send encrypted emails, you still need to get the certificate. Without it, your individual access to certain information will be significantly limited.

(U//FOUO) Now you know what a PKI certificate is, who needs it, and why. So now you need to know HOW TO GET IT! Here's how:

(U//FOUO) Take a deep breath. Accept that this will take a bit of your time, but it must be done, so just dive in! Type "go pki" on the web. The PKI home page will appear and it will walk you through a four-step process that will culminate in obtaining your certificate.

(U//FOUO) Warning! There are a few items in the process that can be confusing. Reading these hints, in conjunction with the instructions on the home page, will guarantee some time saved:

1) Before you start, make sure that you have an active Searchlight account. If you do not, you will need to get one before you can get the certificate.

2) When you get to the PKI Home Page, there are two seemingly good options: "Getting your NTS-PKI Personal Certificate" and "Getting your NTS-PKI Server Certificate". Click on "Getting your NTS-PKI Personal Certificate".

3) If you are a Second Party member, you cannot get a PKI Certificate yet.

4) In Step 2, the directions instruct you to check for your secondary SMTP address. Your secondary SMTP address is the lowercase one. You will see SMTP and smtp; the address that follows the smtp is your secondary address.

5) If you do not have either the security switch or the secondary SMTP address, call x It only takes a second for them to give you one. Really.

6) For Step 3, you might want to print the page so that you can follow the instructions as you go along. Boxes start to pop up and it gets difficult to read the instructions and follow them correctly.

7) In Step 3, if you enter your sid and it says that your Searchlight information does not match your Concerto information, don't panic. Just send @nsa a short email that says your information does not match, and they will immediately fix it. (Note: I had to call to get my secondary SMTP address and I had to send an email about a Searchlight mismatch, and getting to STEP 4 still only took me about 15 minutes! It just sounds worse than it is!)

8) Thursday morning is not a good time for getting your PKI. The server goes through maintenance then, and the kiosks open late. It is possible to get your certificate in the late morning on Thursdays, but another day is probably a better option, if possible.

9) Going to the kiosks. Ok, this involves a little bit of physical energy. Yes, you have to leave your desk and go to the kiosk (room) closest to you. If (and only if) you have to travel outside of the building, you must bring a courier bag with you. Please expect the kiosk to take about 15 minutes. It takes a few minutes for the machine to generate a password and to print it out. So don't get agitated, just expect a short wait.

10) VERY IMPORTANT! At the kiosk you will receive information on completing your PKI certificate. You will return to your desk and follow a step-by-step package of instructions. ONCE YOU BEGIN THIS PROCESS YOU SHOULD SET ASIDE ENOUGH TIME TO COMPLETE THE WHOLE THING. It is much less confusing that way, and you avoid getting sidetracked. There is a link that is only valid for same-day use, so once you start, commit yourself to completing it. It will probably take you about 30 minutes to an hour to complete this final step. BUT THEN YOU'RE FINISHED!

11) Final hint: Just accept that this process might be a little confusing, a little frustrating, a little time-consuming, but just sit down, take a deep breath and do it! It really isn't that bad!!!!

(U//FOUO) If you have any further questions, the PKI Help Desk ( any and all questions! s) is available for

"(U//FOUO) SIDtoday articles may not be republished or reposted outside NSANet without the consent of S0121 (DL sid comms)."

DERIVED FROM: NSA/CSSM 1-52, DATED 08 JAN 2007
DECLASSIFY ON: 20320108