DYNAMIC PAGE -- HIGHEST POSSIBLE CLASSIFICATION IS
TOP SECRET // SI / TK // REL TO USA AUS CAN GBR NZL
(U//FOUO) Tales from the EN-Crypt! (How To Get Your PKI
Certificate)
FROM:
Chief, Support Requirements
Run Date: 07/08/2003
(U//FOUO) Some of you have heard the buzz over the past several months about PKI
certificates. The clock is ticking and everyone is on an end-of-the-year deadline! But what are
these mysterious certificates? Who needs them? How do we get them? AND WHY?!?! The
following paragraphs will answer these questions and offer a few secrets on how to get certified
as quickly and as painlessly as possible! Don't wait until October--this requirement is not going
to go away, so get it out of your way now!!!
(U//FOUO) First, what is a PKI certificate? PKI stands for Public Key Infrastructure. The PKI
system is a comprehensive encryption system that protects information against unauthorized
disclosure, unauthorized modifications through digital signing, unauthorized access by enabling
access controls and authorization services, and false user identifications.
(U//FOUO) Who needs them? Almost everyone! If you work at NSA and you are a US citizen
holding a blue, green, or gold badge, then YOU NEED ONE! So if you are a Second Party member
or a non-US citizen, then you have some breathing room, but the system will be ready for you
soon!
(U//FOUO) WHY do we need them? This is perhaps the most important question. The answer
is multi-fold. First, the current email encryption system, ICARUS, is going away. It will be out of
service and the PKI system is the replacement. In addition, the PKI certificate will soon be a
necessity in order to use CONCERTO, Peoplesoft, and other similar applications. So even if you
rarely send encrypted emails, you still need to get the certificate. Without it, your
individual access to certain information will be significantly limited.
(U//FOUO) Now you know what a PKI certificate is, who needs it, and why. So now you need to
know HOW TO GET IT! Here's how:
(U//FOUO) Take a deep breath. Accept that this will take a bit of your time, but it must be done,
so just dive in! Type "go pki" on the web. The PKI home page will appear and it will walk you
through a four-step process that will culminate in obtaining your certificate.
(U//FOUO) Warning! There are a few items in the process that can be confusing. Reading these
hints, in conjunction with the instructions on the home page, will guarantee some time saved:
1) Before you start, make sure that you have an active Searchlight account. If you do
not, you will need to get one before you can get the certificate.
2) When you get to the PKI Home Page, there are two seemingly good options: "Getting
your NTS-PKI Personal Certificate" and "Getting your NTS-PKI Server Certificate". Click
on "Getting your NTS-PKI Personal Certificate".
3) If you are a Second Party member, you cannot get a PKI Certificate yet.
4) In Step 2, the directions instruct you to check for your secondary SMTP address.
Your secondary SMTP address is the lowercase one. You will see SMTP and smtp; the
address that follows the smtp is your secondary address .
5) If you do not have either the security switch or the secondary SMTP address. Call
x
It's only takes a second for them to give you one. Really.
6) For Step 3, you might want to print the page so that you can follow the instructions as
you go along. Boxes start to pop up and it gets difficult to read the instructions and
follow them correctly.
7) In Step 3, if you enter your sid and it says that your Searchlight information does
not match your Concerto information , don't panic. Just send
@nsa a
short email that says your information does not match, and they will immediately fix it.
(Note: I had to call to get my secondary SMTP address and I had to send an email about
a Searchlight mismatch, and getting to STEP 4 still only took me about 15 minutes! It
just sounds worse than it is!)
8) Thursday morning is not a good time for getting your PKI. The server goes through
maintenance then, and the kiosks open late. It is possible to get your certificate in the
late morning on Thursdays, but another day is probably a better option, if possible.
9) Going to the kiosks. Ok, this involves a little bit of physical energy. Yes, you have to
leave your desk and go to the kiosk (room) closest to you. If (and only if) you have to
travel outside of the building, you must bring a courier bag with you. Please
expect the kiosk to take about 15 minutes. It takes a few minutes for the machine to
generate a password and to print it out. So don't get agitated, just expect a short wait.
10) VERY IMPORTANT! At the kiosk you will receive information on completing your PKI
certificate. You will return to your desk and follow a step-by-step package of instructions.
ONCE YOU BEGIN THIS PROCESS YOU SHOULD SET ASIDE ENOUGH TIME TO
COMPLETE THE WHOLE THING. It is much less confusing that way, and you avoid
getting sidetracked. There is a link that is only valid for same-day use , so once you
start, commit yourself to completing it. It will probably take you about 30 minutes to an
hour to complete this final step. BUT THEN YOU'RE FINISHED!
11) Final hint : Just accept that this process might be a little confusing, a little
frustrating, a little time-consuming, but just sit down, take a deep breath and do it! It
really isn't that bad!!!!
(U//FOUO) If you have any further questions, the PKI Help Desk (
any and all questions!
s) is available for
"(U//FOUO) SIDtoday articles may not be republished or reposted outside NSANet
without the consent of S0121 (DL sid comms)."
DYNAMIC PAGE -- HIGHEST POSSIBLE CLASSIFICATION IS
TOP SECRET // SI / TK // REL TO USA AUS CAN GBR NZL
DERIVED FROM: NSA/CSSM 1-52, DATED 08 JAN 2007 DECLASSIFY ON: 20320108