- Home

  - About Treasury PKI

  - About SSP

  - Why Choose Treasury?

- Requesting Certificates

  - Certificate Policies

  - CRL's and Certificates

  - Forms and Downloads

  - FAQ

  - Glossary

  - PKI Fundamentals

  - Contact Us

Requesting Production Device Certificates from the

Treasury Operational Certification Authority (TOCA)

Note:  You must be a Treasury employee or affiliated with Treasury to sponsor a certificate. 

Each Bureau can have a designated Registration Authority (RA) or Local Registration Authority (LRA) that you can contact to obtain a certificate request form for a production device certificate.  If you do not know your RA or LRA, contact pki.pmo@fiscal.treasury.gov and the Treasury PKI Security Officer will assist you.

If you have a PIV credential, digitally sign the form and send it to the RA.

If you do not have a PIV credential, make arrangements with your RA or LRA for in-person proofing.  You are required to provide two forms of identification, one being a photo ID [e.g., PIV card, driver's license, military card]. Reference NIST Special Publication 800-63, Electronic Authentication Guideline, for Level 1 and Level 2 Assurance, pages vii-viii.

http://csrc.nist.gov/publications/nistpubs/800-63-1/SP-800-63-1.pdf

Follow the steps below to process a certificate request form.

1.       The Sponsor will obtain a certificate request form at http://pki.treasury.gov/OCA/cert.form.pdf.

2.      Complete the form and digitally sign it using your PIV credential. 

3.      For device information, the Common Name will be the host name of the device [e.g., prodfs05, treasurypay.treasury.gov].

4.      Specify an individual or a group email account for notification of expiring credentials.

5.      Include any SubjectAltNames, UserPrincipal Names, or IP Addresses.  Include any MS GUIDs for domain controllers.

6.      Using the radio buttons:

o    Select the appropriate Certification Authority.

o    Select the type of device needed.

o    Select the type of action required.

7.     Send the digitally signed form to the RA. After the RA creates the device entry in the CA database, they will issue the certificate and email you the Reference Number and call you with the Authorization Code.

Generating a Device or SSL Certificate

Generate a Certificate Service Request (CSR) on the device where the certificate is going to be installed and use the Reference Number as the "CN" value of the request.

o   Go to https://wc.treasury.gov and select, "Create Certificate from PKCS#10 Request", if you are using a Web Server certificate.

o   Enter the Reference Number and Authorization Code. 

o   Copy the CSR in the box then click Submit Request.

o   Click the "Download" button and save certificate.

Click here for instructions on generating Domain Controller certificates.

http://pki.treasury.gov/Enrolling.Domain.Controller.Certificates.htm

If you have any technical issues, contact pki_ops@fiscal.treasury.gov.