You must be a Treasury employee or affiliated with Treasury to
sponsor a certificate.
Each Bureau can have
a designated Registration Authority (RA) or Local Registration
Authority (LRA) that you can contact to
obtain a certificate request form for a production device
certificate. If you do not know your
RA or LRA, contact email@example.com and
the Treasury PKI Security Officer will
If you have a PIV credential, digitally sign the form and
send it to the RA.
If you do not have a PIV credential, make arrangements with your RA
or LRA for in-person proofing. You are required to provide two forms of
identification, one being a photo ID [e.g., PIV
card, driver’s license, military card]. Reference NIST Special Publication 800-63, Electronic
Authentication Guideline, for Level 1 and Level 2 Assurance,
Follow the steps
below to process a certificate request form.
The Sponsor will obtain a certificate request form at http://pki.treas.gov/OCA/cert.form.pdf.
Complete the form and digitally sign it using your PIV credential.
For device information, the Common Name will be the
host name of the device [e.g., prodfs05, treasurypay.treas.gov].
Specify an individual or a group email account for
notification of expiring credentials.
Include any SubjectAltNames,
UserPrincipal Names, or IP
Addresses. Include any MS GUIDs for
Using the radio buttons:
Select the appropriate Certification Authority.
Select the type of device needed.
Select the type of action required.
7. Send the digitally signed form to the RA. After the RA
creates the device entry in the CA database, they will issue the
certificate and email you the Reference Number and call you with
the Authorization Code.
Generating a Device or SSL
Generate a Certificate Service Request (CSR) on the
device where the certificate is going to be installed and use
the Reference Number as the "CN"
value of the request.
Go to https://wc.treas.gov and select, "Create
Certificate from PKCS#10 Request", if you are using a Web
Enter the Reference Number and Authorization
o Copy the CSR in the box then click Submit Request.
o Click the “Download” button and save certificate.
here for instructions on generating Web certificates using
Microsoft IIS 6 and IIS
7, and IBM HTTP Server.
here for instructions on generating Domain Controller certificates.
have any technical issues, contact firstname.lastname@example.org.