BUREAU OF PUBLIC DEBT
Frequently Asked Questions about Treasury PKI

Why should I use Treasury certificates?

  • Established Trust: Treasury has achieved a high degree of trust in the Federal community, made possible by the emphasis on security and policy that was established before the PKI began operation and continues today.
  • Lower Costs: Recognizing that the costs of establishing, operating, and maintaining a PKI may be considerable, agencies can significantly reduce many of these expenses by using Treasury’s pre-established PKI.
  • Support: The Program Management Office (PMO) offers support for the Treasury Operational Certificate Authority (TOCA) community.

Does Treasury issue PIV credentials from a Treasury CA?

       Yes, TOCA issues PIV credentials for all of Treasury.

Who is my Registration Authority (RA)?

       Contact the Fiscal Service IT Service Desk at 304-480-7777 and ask to speak to a
       Security Officer (SO).

What is Entrust Security Manager Administration (SMA) and who should use it?

       SMA is an administrative client for Entrust Certificate Authorities (CAs). It is used by
       SOs and RAs to create user and device entries in the CA's database.

What is Entrust Administration Services (AS)?

       AS is a web-based administrative client designed for RAs. It is similar to SMA but has
       fewer options available than SMA.

Will AS work on other web browsers besides Internet Explorer such as Mozilla and Firefox?

       Yes, AS does work with other web browsers.

What is Entrust Entelligence Service Provider (ESP)?

       ESP is an Entrust client for enterprise certificates. Enterprise certificates are used almost
       exclusively to represent people in the CA. One notable exception is Microsoft Domain
       Controllers, which also use ESP. Once an entity is provisioned in the CA database, ESP
       can be used to retrieve certificates for that entity.

ESP says it can't manage my PIV certificate. Is that OK?

       ESP should only manage certificates retrieved using ESP. If this message appears in
       reference to a PIV credential, check the box labeled, "Don't show this message again",
       and click OK.

Where can I find a copy of Security Manager Administrator (SMA) to install?

       Go to http://pki.treas.gov/ under Forms and Downloads and select Security Manager
       Administration for OCA (v7.1sp3). The ZIP file contains the components necessary to
       successfully install SMA.

I have just installed SMA, however, when I try to connect to the CA, I get the following error, “(-11523) Unable to establish TCP connections to the CA”.

       Contact your local support to confirm there is network connectivity from your system to
       the CA on ports 710 and 829 and to the directory on port 389. For additional assistance
       contact the Fiscal Service IT Service Desk at 304-480-7777 and ask to speak to a PKI
       administrator.
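The connectivity check described in the answer above, as an added example that is not part of the Treasury FAQ or any Entrust tool: it attempts a plain TCP connection to each port the answer names (710 and 829 to the CA, 389 to the directory) and reports which ones cannot be reached from the SMA workstation. The host names are placeholders to be replaced with the CA and directory hosts your RA provides.

```python
"""TCP reachability check for the SMA-to-CA ports named in the FAQ answer.

Added example; not part of the Treasury PKI FAQ or an Entrust tool. The host
names are placeholders; the port numbers are those listed in the FAQ answer.
"""
import socket

# Placeholder targets: substitute the CA and directory hosts supplied by your RA.
SMA_TARGETS = {
    "CA-HOST-PLACEHOLDER": (710, 829),     # ports SMA needs to reach on the CA
    "DIRECTORY-HOST-PLACEHOLDER": (389,),  # LDAP directory port
}


def tcp_reachable(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Covers DNS failure, connection refused, timeout, and unreachable network;
        # all of them mean SMA cannot reach the service from this system.
        return False


def check_targets(targets, timeout=3.0):
    """Map (host, port) -> reachable for every port of every target host."""
    return {
        (host, port): tcp_reachable(host, port, timeout)
        for host, ports in targets.items()
        for port in ports
    }


def unreachable(results):
    """Sorted list of (host, port) pairs that could not be reached."""
    return sorted(hp for hp, ok in results.items() if not ok)


if __name__ == "__main__":
    results = check_targets(SMA_TARGETS)
    for (host, port), ok in sorted(results.items()):
        print(f"{host}:{port} {'open' if ok else 'BLOCKED or unreachable'}")
    if unreachable(results):
        print("A blocked port above is consistent with error -11523; "
              "escalate to local support or the Fiscal Service IT Service Desk.")
```

Run it from the workstation where SMA is installed, since the question is whether that system (not a network monitor elsewhere) can reach the CA; a False result only says the handshake failed, not why, so the firewall or routing diagnosis still belongs with local support.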

How do I request a device certificate from TOCA?

       A system administrator for the device or server completes an Application for Certificate
       form, signs the form with a PIV credential and submits it electronically to a Bureau RA.
       The RA creates an entry in the CA database and delivers activation codes (reference
       number and authorization code) to the system administrator.

How do I retrieve web, SSL, or device certificates from TOCA?

       The certificate can be retrieved from https://wc.treas.gov. The site requires a
       Certificate Signing Request (CSR) from the system administrator. When the system
       administrator creates the CSR, the reference number must be used as the value for
       the CN. A guide to generating a CSR is available from
       http://pki.treas.gov/Generating a Web or Device Certificate Using Entrust Enrollment Server for Web.htm

Do I need server authorization and client authorization OIDs?

       Device, browser, and server certificates contain object identifiers (OIDs) that identify
       their role as a server certificate or as a client certificate. Sometimes a device or
       server must act as both a server and as a client; such a certificate must carry both
       OIDs. A typical application requiring both server and client OIDs is Microsoft SQL Server.

What signature algorithms are supported by the Treasury’s CAs?

       Federal policy requires RSA 2048 bit keys and SHA-256 hashes in all new certificates.
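The three requirements above (reference number as the CN, serverAuth and/or clientAuth OIDs, RSA 2048 with SHA-256) are easy to get wrong in whatever tool generates the CSR, and a request that fails them is only discovered after the upload to the enrollment site. The following added example, which is not code from the Treasury FAQ, Entrust, or wc.treas.gov, builds such a CSR with the `cryptography` package and then checks a CSR against those rules before it is submitted. The reference number is a constructed sample; the two OIDs are the standard Extended Key Usage values from RFC 5280.

```python
"""Build and pre-check a TOCA web/device CSR before uploading it.

Added example; not from the Treasury PKI FAQ, Entrust, or wc.treas.gov. It
assumes the `cryptography` package; the reference number used in __main__ is a
constructed sample, not a real activation code.
"""
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Standard Extended Key Usage OIDs (RFC 5280): the "server" and "client" role
# identifiers the FAQ refers to.
SERVER_AUTH = ExtendedKeyUsageOID.SERVER_AUTH  # 1.3.6.1.5.5.7.3.1
CLIENT_AUTH = ExtendedKeyUsageOID.CLIENT_AUTH  # 1.3.6.1.5.5.7.3.2


def build_csr(reference_number, roles=(SERVER_AUTH,), key_size=2048):
    """Generate an RSA key and a SHA-256-signed CSR whose CN is the reference number.

    Returns (private_key, csr_pem). The private key stays on the requesting
    system; only the PEM request is uploaded to the enrollment site.
    """
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    builder = x509.CertificateSigningRequestBuilder().subject_name(
        x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, reference_number)])
    )
    if roles:
        # Request both serverAuth and clientAuth when the host acts in both roles
        # (the FAQ names Microsoft SQL Server as a typical case).
        builder = builder.add_extension(x509.ExtendedKeyUsage(list(roles)), critical=False)
    csr = builder.sign(key, hashes.SHA256())
    return key, csr.public_bytes(serialization.Encoding.PEM)


def check_csr(csr_pem, reference_number, needs_client_auth=False):
    """Return a list of problems; an empty list means the CSR meets the FAQ's rules."""
    problems = []
    csr = x509.load_pem_x509_csr(csr_pem)

    if not csr.is_signature_valid:
        problems.append("CSR self-signature does not verify (corrupted request or key mismatch)")

    # The enrollment site matches the request to the CA database entry by CN alone;
    # O, OU, L and similar fields are ignored, so only the CN is checked here.
    cns = [a.value for a in csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    if cns != [reference_number]:
        problems.append(f"CN must be exactly the reference number {reference_number!r}, got {cns}")

    pub = csr.public_key()
    if not isinstance(pub, rsa.RSAPublicKey):
        problems.append("public key must be RSA")
    elif pub.key_size != 2048:
        # The FAQ states 2048-bit RSA as the requirement; this follows that wording.
        problems.append(f"RSA key must be 2048 bits, got {pub.key_size}")

    # The CA signs the issued certificate itself; checking the CSR's own hash
    # catches requester tooling that still defaults to an older algorithm.
    if not isinstance(csr.signature_hash_algorithm, hashes.SHA256):
        problems.append("CSR must be signed with SHA-256")

    try:
        eku = set(csr.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value)
    except x509.ExtensionNotFound:
        eku = set()
    if SERVER_AUTH not in eku:
        problems.append("missing serverAuth EKU (1.3.6.1.5.5.7.3.1)")
    if needs_client_auth and CLIENT_AUTH not in eku:
        problems.append("missing clientAuth EKU (1.3.6.1.5.5.7.3.2); needed when the host also acts as a client")
    return problems


if __name__ == "__main__":
    ref = "12345678"  # constructed sample reference number
    _, pem = build_csr(ref, roles=(SERVER_AUTH, CLIENT_AUTH))
    print(pem.decode())
    print("problems:", check_csr(pem, ref, needs_client_auth=True) or "none")
```

Pass needs_client_auth=True for hosts such as a SQL Server that must present the certificate as a client as well as a server; for an ordinary web server the default check of serverAuth alone is enough. Whether the RA actually honours a requested EKU, or sets it from the entry created in the CA database, is decided by the CA's own profile, so the check is a guard against an incomplete request, not a guarantee of what will be issued.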

I tried to retrieve a device certificate from https://wc.treas.gov and received an error about having the incorrect time. What does this mean?

       When sending a signed certificate request, the reference number must be used as the
       CN. Other fields in the request are ignored.

I need software to install a Microsoft Domain Controller certificate. Where can I find it?

       For Domain Controller certificates issued from the TOCA, go to http://pki.treas.gov/
       under Forms and Downloads and select ESP for Domain Controllers (ESPv9.1) in either the
       32-bit or 64-bit version for Windows. The software is preconfigured for TOCA. To enroll
       domain certificates, go to
       http://pki.treas.gov/Enrolling.Domain.Controller.Certificates.htm.