Bureau of the Fiscal Service
Frequently Asked Questions about Treasury PKI

Why should I use Treasury certificates?

  • Established Trust: Treasury has achieved a high degree of trust in the Federal community made possible through its emphasis on security and enforcement of policy.
  • Lower Costs: The cost of establishing, operating, and maintaining a PKI are considerable. Agencies can significantly reduce their costs by employing Treasury's PKI.
  • Support: The Program Management Office (PMO) supports the Treasury Operational Certificate Authority (TOCA) and its community of users.

Does Treasury issue PIV credentials from a Treasury CA?

       Yes, the Treasury Operational CA issues PIV credentials for the Department of the

Who is my Registration Authority?

       Contact us at pki.pmo@fiscal.treasury.gov.

How do I report information related to Treasury PKI certificates?

       If you need to report suspected private key compromise, certificate misuse, or other
       types of fraud, compromise, misuse, inappropriate conduct, or any other matter related
       to Treasury PKI certificates: Contact your bureau Registration Authority or contact us at

What is Entrust Security Manager Administration (SMA) and who should use it?

       SMA is an administrative client for Entrust Certification Authorities (CA's). It is used by
       Treasury's Security Officers and Registration Authorities to create user and device
       entries in the CA's database.

What is Entrust Entelligence Service Provider (ESP)?

       ESP is an Entrust client for enterprise certificates. Enterprise certificates are used almost
       exclusively to represent people in the CA. One notable exception is Microsoft Domain
       Controllers, which also use ESP. Once an entity is provisioned in the CA database, ESP
       can be used to retrieve certificates for that entity.

ESP says it can't manage my PIV certificate. Is that OK?

       Yes, ESP only manages certificates retrieved with ESP. If this message appears in
       reference to a PIV credential, check the box labeled, "Don't show this message again",
       and click OK.

Where can I find a copy of Security Manager Administrator (SMA) to install?

       Go to http://pki.treasury.gov/ under Forms and Downloads and select Security Manager
       Administration for OCA (v8.1sp1)
. The ZIP file contains the components necessary to
       successfully install SMA.

I have just installed SMA, however, when I try to connect to the CA, I get the following error, "(-11523) Unable to establish TCP connections to the CA".

       Contact your local support to confirm network connectivity from your system to
       the TOCA on ports 710 and 829 and to the directory on port 389. For assistance
       contact the Fiscal Service IT Service Desk at ITServiceDesk@fiscal.treasury.gov to open
       a ticket with PKI Administration.

How do I request a device certificate from TOCA?

       See the information at http://pki.treasury.gov/Requesting Treasury OCA Production

How do I retrieve web, SSL, or device certificates from TOCA?

       The certificate can be retrieved from https://wc.treasury.gov. The site requires a
       Certificate Signed Request (CSR) from the system administrator. The value of the
       Common Name (CN) field in the CSR must be the reference number, e.g.,
       CN=8675309. A guide to generating a CSR is available from
       http://pki.treasury.gov/Generating a Web or Device Certificate Using Entrust Enrollment
       Server for Web.htm

Do I need server authentication and client authentication OIDs?

       Device, browser, and server certificates contain numeric values identifying their role
       as a server or a client. Some devices or servers have both a server and a client role.
       These devices require both authentication values to appear in the same certificate.
       A typical application requiring both server and client OIDs is Microsoft SQL Server.

What signature algorithms are supported by the Treasury's CAs?

       Federal policy requires RSA 2048 bit keys and SHA-256 hashes in all new certificates.

I tried to retrieve a device certificate from https://wc.treasury.gov and received an error about having the incorrect time. What does this mean?

       When sending a signed certificate request, the reference number must be used as the
       CN. Other fields in the request are ignored.

How can I configure a Microsoft Domain Controller for smart card logon?

       To use Domain Controller certificates issued from the TOCA, go to http://pki.treasury.gov/
       under Forms and Downloads and select ESP for Domain Controllers (ESPv9.2) either 32
       bit or 64 bit as appropriate. The software is preconfigured for TOCA. For guidance
       on configuring a domain controller to accept smart cards see the information at