<?xml version="1.0" ?>
<Module moduleID="858" projectID="216">
    <ModuleName>certs</ModuleName>
    <AU>certs</AU>
    <Title>Using PKI Certificates</Title>
    <LinkSet>links</LinkSet>
    <!--CertificateSWFPath>assets/certificate_cert.swf</CertificateSWFPath-->
    <CourseMapSWFPath>assets/coursemap.swf</CourseMapSWFPath>
    <!--ResourcesSWFPath>assets/resources.swf</ResourcesSWFPath-->
	<NavBtns>
		<NavBtn>
			<ID>glossaryBtn</ID>
			<Label>Glossary</Label>
			<RMAText>Glossary</RMAText>
			<ClickEventName>GlossaryButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>courseMapBtn</ID>
			<Label>Course Map</Label>
			<RMAText>Course map</RMAText>
			<ClickEventName>CourseMapButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resourcesBtn</ID>
			<Label>Resources</Label>
			<RMAText>Resources</RMAText>
			<ClickEventName>ResourcesButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>replayBtn</ID>
			<Label>Replay</Label>
			<RMAText>Replay</RMAText>
			<ClickEventName>ReplayButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>pauseBtn</ID>
			<Label>Pause</Label>
			<RMAText>Pause</RMAText>
			<ClickEventName>PauseButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resumeBtn</ID>
			<Label>Resume</Label>
			<RMAText>Resume</RMAText>
			<ClickEventName>ResumeButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>mainMenuBtn</ID>
			<Label>Exit</Label>
			<RMAText>Exit</RMAText>
			<ClickEventName>MainMenuButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn previousPgBtn="true">
			<ID>previousPgBtn</ID>
			<Label>Previous</Label>
			<RMAText>Previous screen.</RMAText>
			<ClickEventName>PreviousButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn h="19.1" nextBtn="true" toggleOffSilent="false" w="67.6">
			<ID>nextPgBtn</ID>
			<Label>Next</Label>
			<RMAText>Next screen.</RMAText>
			<ClickEventName>NextButtonClicked</ClickEventName>
		</NavBtn>
        <NavBtn>
			<ID>courseMenuBtn</ID>
			<Label>Course Map</Label>
			<RMAText>Course map</RMAText>
			<ClickEventName>CourseMenuButtonClicked</ClickEventName>
		</NavBtn>

	</NavBtns>
    <Topics>
        <Topic>
            <Title>Introduction and Objectives</Title>
            <Subtitle />
            <Pages>
                <Page>
                    <Title>Objectives</Title>
                    <Filename>pkiusec_01</Filename>
                    <PageNbr>1</PageNbr>
                    <ShowText>
                        <Txt frameNbr="1">Welcome to the Using PKI Certificates lesson. When you have completed this lesson, you will be able to identify how to safely and securely authenticate your identity to access Department of Defense, or DoD, unclassified networks using the PKI certificates contained on your Common Access Card, or CAC, or Alternate Token. You will also be able to identify how to use your PKI certificates to authenticate your identity to DoD systems, applications, and restricted web sites. You will be able to identify how to send and receive e-mail securely using digital signatures and encryption. Finally, you will be able to identify how to read e-mail that was encrypted when you had a previous CAC. There are four topics in this lesson. After you have completed this introduction, you will learn how to authenticate your identity to access DoD unclassified networks using the PKI certificates on your CAC or Alternate Token. Next, you will learn how to verify and use PKI certificates to authenticate your identity to access DoD systems, applications and web sites. Then, you will learn how, when, and why to digitally sign e-mail. You will also learn how to recognize and validate a digitally signed e-mail, and what to do if a digital signature is not valid. You will learn how, when, and why to send encrypted e-mail, as well as how to decrypt e-mail sent to you, and how to publish your e-mail encryption certificate to the Global Address List, or GAL. Finally, you will learn how to recover a previous private encryption key so that you can read e-mail that was encrypted when you had a previous CAC. </Txt>
                        <Txt frameNbr="1" />
                    </ShowText>
                    <Sec508Data><ContentDescription frameNbr="1">For each screen you will hear a description. The description is cued by an audio tone. Complex screens are divided into several descriptions. Listen to the description, and then select the play audio narration button to continue. Use your arrow keys to cycle through a list of options. Screen 1 of 17. Topic Title: Introduction and Objectives. Screen Title: Objectives. The Using P K Eye Certificates title and an image of a common access card, or cack, display. Bulleted text displays in support of audio. Titles of the topics display. Topics are Introduction and Objectives, Authentication, Secure Email, and Conclusion.</ContentDescription></Sec508Data>
                </Page>
            </Pages>
        </Topic>
        <Topic>
            <Title>Authentication</Title>
            <Subtitle />
            <Pages>
                <Page>
                    <Title>To Unclassified DoD Networks</Title>
                    <Filename>pkiusec_02</Filename>
                    <PageNbr>2</PageNbr>
                    <ShowText>
                        <Txt frameNbr="1">Throughout this lesson, references to the CAC include Alternate Tokens. To use your PKI Certificates on your CAC to authenticate your identity to access DoD unclassified networks, you must first ensure that a Smart Card reader is attached to or embedded in your workstation or keyboard. A Smart Card reader is the device that reads the PKI certificates on your CAC and transmits your identification information to DoD networks. If you do not have a Smart Card reader, contact your Help Desk. To initiate the authentication process, insert your CAC into the Smart Card reader. Make sure that the card is picture side up and that the end of the card with the gold chip is inserted into the reader. Enter your CAC PIN when prompted. Once authenticated, you will have access to the DoD unclassified network for which you have an account. Note that when your computer is locked, you may have to remove your CAC from the reader and reinsert it to reinitiate the authentication process. After you log off your workstation, you must remove your CAC from the Smart Card reader. However, to avoid problems such as your workstation shutting down or freezing during the logoff process, wait until the logoff process completes before you remove your CAC from the Smart Card reader. </Txt>
                        <Txt frameNbr="1" />
                    </ShowText>
                     <Sec508Data><ContentDescription frameNbr="1">Screen 2 of 17. Topic Title: Authentication. Screen title: To Unclassified D O D Networks. Image of a cack displays. Image of a laptop P C with a smart card reader attached displays. Image of dots run from the smart card reader through the laptop to a network of computers. Cack is inserted into smart card reader and login screen appears on laptop.  Pin is entered on the screen and successful login screen appears. Cack is inserted and removed from smart card reader in synch with audio. </ContentDescription></Sec508Data>
                </Page>
                <Page>
                    <Title>To DoD Systems, Applications, and Web Sites</Title>
                    <Filename>pkiusec_03</Filename>
                    <PageNbr>3</PageNbr>
                    <ShowText>
                        <Txt frameNbr="1">PKI certificates authenticate your identity to access DoD unclassified systems, applications, and web sites. These certificates are created on your CAC at the time it is issued to you. Through Smart Card middleware, your certificates should be recognized automatically by Windows applications such as Outlook and Internet Explorer, and by Mozilla Firefox. When you access DoD unclassified systems, applications, and web sites, you will be prompted to select your certificate and enter your PIN and select OK. Review the warning statement and select OK. If you experience any problems with your PKI certificates not being recognized, you must decide whether or not you want to trust the server or you can contact your Help Desk or other PKI technical assistance. Select Error Messages to learn more. </Txt>
                        <Txt frameNbr="1" />
                    </ShowText>
                     <Sec508Data><ContentDescription frameNbr="1">Screen 3 of 17. Screen title: To D O D Systems, Applications, and Web Sites. Image of three certificates with a key on top of each displays.  The certificates are labeled Identity Certificate, Email Signing Certificate, and Email Encryption Certificate. Bulleted text displays in support of audio. A cack displays and the three certificates display on top of the cack. A laptop P C displays and laptop screen displays animation of all of the screens, web site addresses typed in, and buttons clicked in this process. Error messages button becomes selectable as a popup.</ContentDescription></Sec508Data>
                    <Popups>
                        <Popup>
                            <Filename>pkiusec_03_01</Filename>
                            <Sec508TriggerName>Error Messages</Sec508TriggerName>
                            <ShowText>
                                <Txt frameNbr="1"><![CDATA[When accessing a web page, you may encounter errors or warnings such as Domain Name Mismatch, Server Certificate Expired, and Server Certificate Not Trusted. The Domain Name Mismatch security error occurs if you make a secure connection to a server whose domain does not match the domain name in the certificate it uses. The Server Certificate Expired security error occurs if the site's certificate expiration date is earlier than your system date. This may be caused by your system having the incorrect time, or by the certificate genuinely being expired. The Server Certificate Not Trusted security error indicates that the SSL certificate is not signed or approved by a company that the browser trusts. ]]></Txt>
                                <Txt frameNbr="1" />
                            </ShowText>
                             <Sec508Data><ContentDescription frameNbr="1">Popup 1 of 1: Popup title: Error Messages.  A computer screen displays. Bulleted text displays in support of audio.  Each type of error message screen displays in support of audio.</ContentDescription></Sec508Data>
                        </Popup>
                    </Popups>
                </Page>
                <Page>
                    <Title>Knowledge Check</Title>
                    <Filename>pkiusec_04</Filename>
                    <PageNbr>4</PageNbr>
                    <PageType>Knowledge Check</PageType>
                    <AttemptCountLimit>1</AttemptCountLimit>
                    <DfltQuestionWidth>500</DfltQuestionWidth>
                    <DfltFBWidth>600</DfltFBWidth>
                    <Instructions>Select True or False for each statement.  Select Done when you have finished. </Instructions>
                    <Questions>
 					<Question qType="MC">
							<DfltInstructionWidth>570</DfltInstructionWidth>

							<Txt>You must download your PKI certificates from your CAC so that MS Outlook and Internet Explorer will be able to authenticate your identity to DoD systems, applications, and web sites.</Txt>
							<Response>
								<Txt>True</Txt>
							</Response>
							<Response valid="true">
								<Txt>False</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Your PKI certificates are automatically enabled through Smart Card middleware to authenticate your identity to Windows Outlook and Internet Explorer and to Mozilla Firefox.</DfltCorrect>
								<DfltIncorrect>Incorrect. Your PKI certificates are automatically enabled through Smart Card middleware to authenticate your identity to Windows Outlook and Internet Explorer and to Mozilla Firefox.</DfltIncorrect>
							</Feedback>
						</Question>

					   <Question qType="MC">
							<DfltInstructionWidth>570</DfltInstructionWidth>

							<Txt>PKI certificates on your CAC or Alternate Token are used to authenticate your identity to DoD unclassified networks.</Txt>
							<Response valid="true">
								<Txt>True</Txt>
							</Response>
							<Response>
								<Txt>False</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. PKI certificates on your CAC or Alternate Token are used to authenticate your identity to DoD unclassified networks.</DfltCorrect>
								<DfltIncorrect>Incorrect. PKI certificates on your CAC or Alternate Token are used to authenticate your identity to DoD unclassified networks.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<DfltInstructionWidth>570</DfltInstructionWidth>

							<Txt>You should not have to wait for the logoff process to complete before removing your CAC from the Smart Card reader.</Txt>
							<Response>
								<Txt>True</Txt>
							</Response>
							<Response valid="true">
								<Txt>False</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. In order to avoid problems such as your workstation shutting down or freezing during the logoff process, you should wait until the logoff process completes before you remove your CAC from the Smart Card reader.</DfltCorrect>
								<DfltIncorrect>Incorrect. In order to avoid problems such as your workstation shutting down or freezing during the logoff process, you should wait until the logoff process completes before you remove your CAC from the Smart Card reader.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<DfltInstructionWidth>570</DfltInstructionWidth>

							<Txt>When you attempt to access DoD systems, applications, and web sites, you will be prompted to select your certificate and enter your PIN.</Txt>
							<Response valid="true">
								<Txt>True</Txt>
							</Response>
							<Response>
								<Txt>False</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. When you attempt to access DoD systems, applications, and web sites, you will be prompted to select your certificate and enter your PIN.</DfltCorrect>
								<DfltIncorrect>Incorrect. When you attempt to access DoD systems, applications, and web sites, you will be prompted to select your certificate and enter your PIN.</DfltIncorrect>
							</Feedback>
						</Question>
					 </Questions>
                    <ShowText>
                        <Txt frameNbr="1">Now check your knowledge. </Txt>
                        <Txt frameNbr="1" />
                    </ShowText>
                     <Sec508Data><ContentDescription frameNbr="1">Screen 4 of 17. Screen title: Knowledge Check. This is a multiple choice question. Use your keyboard to cycle through the list of options.</ContentDescription></Sec508Data>
                </Page>
            </Pages>
        </Topic>
        <Topic>
            <Title>Secure E-mail</Title>
            <Subtitle />
            <Pages>
                <Page>
                    <Title>Digitally Signing E-mail</Title>
                    <Filename>pkiusec_05</Filename>
                    <PageNbr>5</PageNbr>
                    <ShowText>
                        <Txt frameNbr="1">DoD policy requires you to digitally sign e-mail when the e-mail contains an attachment or an embedded hyperlink. An embedded hyperlink is a URL or an e-mail address contained in the e-mail body or attachment that is both underlined and that will cause an action to occur if you select it with your mouse. You may also consider digitally signing other e-mail messages such as: those that contain information on operational, contract, finance or personnel management matters; those that provide direction or tasking; those that request or respond to requests for resources; or those that promulgate organization position. In many cases, your e-mail has been configured to automatically digitally sign your outgoing e-mail messages. If your e-mail is not configured to automatically digitally sign your e-mail, you can digitally sign your e-mail manually by selecting the Digital Signature button on the toolbar. </Txt>
                        <Txt frameNbr="1" />
                    </ShowText>
                     <Sec508Data><ContentDescription frameNbr="1">Screen 5 of 17. Topic Title: Secure Email. Screen title: Digitally Signing Email. An image of an outgoing signed email message displays. Bulleted text displays in support of audio. An embedded hyperlink in the body of the email and the digital signature button on the email screen are notated with callout boxes.</ContentDescription></Sec508Data>
                </Page>
                <Page>
                    <Title>Receiving Digitally Signed E-mail</Title>
                    <Filename>pkiusec_06</Filename>
                    <PageNbr>6</PageNbr>
                    <ShowText>
                        <Txt frameNbr="1">When you receive an e-mail, you will see a signed by field under the subject line that contains the e-mail address of the person who signed the message. If the digital signature on the e-mail is valid, you will see a red ribbon on the signed by status line. If the digital signature is invalid, you will see a gray ribbon with an exclamation point on top of it. You also should see an invalid digital signature alert, if the box that specifies that you wish to be warned before opening messages with invalid signatures has not been unselected. If you have certificate validation software on your workstation, you should see an additional notification of the certificate status in the lower right corner of your system tray. Select Certificate Status Notification to learn more. </Txt>
                        <Txt frameNbr="1" />
                    </ShowText>
                     <Sec508Data><ContentDescription frameNbr="1">Screen 6 of 17. Screen title: Receiving Digitally Signed Email. An image of an incoming digitally signed email message displays. Bulleted text displays in support of audio. The digital signature and the status indicator button are notated with callout boxes. The Digital Signature Invalid and the Unable to Validate Certificate popup windows display. The Certificate status notification button becomes selectable as a popup.</ContentDescription></Sec508Data>
                    <Popups>
                        <Popup>
                            <Filename>pkiusec_06_01</Filename>
                            <Sec508TriggerName>Certificate Status Notification</Sec508TriggerName>
                            <ShowText>
                                <Txt frameNbr="1">When you receive a digitally signed e-mail or document, you should see notification of the certificate status in the lower right corner of your system tray, if you have certificate validation software on your workstation. If the certificate on the digitally signed e-mail or document is valid, you will see the Valid Certificate notification. If the certificate is expired, you will see the Unable to Validate Certificate notification. If the certificate has been revoked, you will see the Revoked Certificate notification. </Txt>
                                <Txt frameNbr="1" />
                            </ShowText>
                             <Sec508Data><ContentDescription frameNbr="1">Popup 1 of 1: Popup title: Certificate Status Notification. A digitally signed email displays along with an image of each type of certificate status notification popup window.</ContentDescription></Sec508Data>
                        </Popup>
                    </Popups>
                </Page>
                <Page>
                    <Title>Invalid Digital Signatures</Title>
                    <Filename>pkiusec_07</Filename>
                    <PageNbr>7</PageNbr>
                    <ShowText>
                        <Txt frameNbr="1">When you open a message that has been signed by an invalid certificate, you may see an invalid signature alert in Outlook. Through this alert, you can choose to ignore the warning and open the e-mail message by selecting View Message or you can choose not to open the message by selecting Cancel. You can view the details of the signature and its status by selecting Details. Digital signatures can be invalid for any of the following reasons: the content has been altered since it was signed; the certificate associated with the digital signature is revoked, expired, or was not issued by a trusted source. In this example, the certificate is invalid because it has expired and was not issued by a trusted source. If there is a problem with a digital signature on an e-mail you receive, you should contact the sender of the signed e-mail, if it's someone you know, and let them know that there is a problem with the signature. If you suspect this to be a suspicious or malicious e-mail, report it to your security point of contact, or POC, or help desk. </Txt>
                        <Txt frameNbr="1" />
                    </ShowText>
                     <Sec508Data><ContentDescription frameNbr="1">Screen 7 of 17. Screen title: Invalid Digital Signatures. An image of a digital signature invalid alert screen displays. The buttons on this screen are highlighted as they are explained in the audio. After the details button is selected, another digital signature invalid screen displays that shows why the digital signature is invalid. Bulleted text displays in support of audio.</ContentDescription></Sec508Data>
                </Page>
                <Page>
                    <Title>Why and When You Should Encrypt E-mail</Title>
                    <Filename>pkiusec_08</Filename>
                    <PageNbr>8</PageNbr>
                    <ShowText>
                        <Txt frameNbr="1"><![CDATA[You should encrypt certain types of e-mail messages so that only the intended recipient can read the message. However, you should not encrypt every e-mail message that you send. If everyone in the DoD encrypted every e-mail, this could adversely impact DoD network bandwidth. E-mail messages that are required to be encrypted are those that contain Controlled Unclassified Information, or CUI, which is also known as sensitive information. Examples of CUI are information that is potentially exempt from disclosure under the Freedom of Information Act, or FOIA, marked with the handling caveat For Official Use Only, or FOUO; information that is protected by the Privacy Act, also known as Personally Identifiable Information, or PII; individuals' health information that is protected under the Health Insurance Portability and Accountability Act, or HIPAA; and other categories of sensitive information. ]]></Txt>
                        <Txt frameNbr="1" />
                    </ShowText>
                     <Sec508Data><ContentDescription frameNbr="1">Screen 8 of 17. Screen title: Why and When You Should Encrypt Email. Images of a key and a piece of paper display. Arrows display from the key and the paper pointing to a lock and another arrow pointing to a piece of paper with an image of a lock on it. Bulleted text displays in support of audio. A document labeled F O U O displays. Image of a social security card displays. Image of medical records folder displays. C U I becomes a rollover which states Controlled Unclassified Information, or C U I is a categorical designation that refers to unclassified information that does not meet the standards for National Security Classification under Executive Order 1 2 9 5 8, as amended, but is pertinent to the national interests of the United States or to the important interests of entities outside the Federal Government, and under law or policy requires protection from unauthorized disclosure, special handling safeguards, or prescribed limits on exchange or dissemination.  Henceforth, the designation C U I replaces Sensitive But Unclassified, or S B U. Source: White House Memorandum:  Designation and Sharing of Controlled Unclassified Information, or C U I, May 2008. Foy ya becomes a rollover which states the Freedom of Information Act, or foy ya, signed into law in 1966 and implemented in 1967, is the implementation of freedom of information legislation in the United States.  This act allows for the full and partial disclosure of previously unreleased information and documents controlled by the U S Government.  The Act defines agency records subject to disclosure, outlines mandatory disclosure procedures, and grants nine exemptions to the statute. F O U O becomes a rollover which states For Official Use Only, or F O U O, is a designation that is applied to unclassified information that may be exempt from mandatory release to the public under the Freedom of Information Act, or foy yuh.  
The foy yuh specifies nine exemptions that may qualify certain information to be withheld from release to the public, if by its disclosure, a foreseeable harm would occur. Source: D O D fifty two hundred dot one dash r, Appendix 3, January 1997. P I I becomes a rollover which states personal information. Information about an individual that identifies, links, relates, or is unique to, or describes him or her, for example, Social Security number, age, military rank, civilian grade, marital status, race, salary, home or office phone numbers, or other demographic, biometric, personnel, medical, and financial information, etcetera. Such information also is known as personally identifiable information, that is, information that can be used to distinguish or trace an individual's identity, such as his or her name, Social Security number; date and place of birth, mother's maiden name, and biometric records, including any other personal information that is linked or linkable to a specified individual. Source: D O D D fifty four hundred dot eleven, 8 May 2007. Hippuh becomes a rollover which states the Health Insurance Portability and Accountability Act, or hippuh, is a law that Congress enacted in 1996. This act includes a series of administrative simplification provisions that require the Department of Health and Human Services to adopt national standards for electronic health care transactions to improve the efficiency and effectiveness of the health care system. Other categories of sensitive information becomes a rollover which states other categories of sensitive information include D O D Unclassified Controlled Nuclear Information, Unclassified Technical Data, Sensitive Acquisition Information, Proprietary Information, Foreign Government Information, and D E A Sensitive Information.</ContentDescription></Sec508Data>
                </Page>
                <Page>
                    <Title>Publishing to the GAL</Title>
                    <Filename>pkiusec_09</Filename>
                    <PageNbr>9</PageNbr>
                    <ShowText>
                        <Txt frameNbr="1">After logging on with your PKI certificates for the first time, you may need to publish your DoD PKI e-mail encryption certificates, located on your CAC, to the Global Address List, or GAL, to make it easier for others to send you encrypted e-mail. Conversely, when others publish their certificates to the GAL, you are then able to send encrypted e-mail to them. Note that you may need to complete this process each time you receive a new CAC, if your certificates are not published automatically to the GAL. The steps for publishing to the GAL depend on which version of Microsoft Outlook you are using. Select your version of Microsoft Outlook to see the steps for publishing to the GAL. </Txt>
                        <Txt frameNbr="1" />
                    </ShowText>
                     <Sec508Data><ContentDescription frameNbr="1">Screen 9 of 17. Screen title: Publishing to the GAL. An image of an email address book screen displays which shows names from the global address list. Bulleted text displays in support of audio. GAL becomes a rollover which states the Global Address List, or GAL, is a directory service within an organization's or group of organizations' email system.  The GAL contains information for all email users, distribution groups, and resources.  Users of Microsoft Outlook can publish to the GAL their externally generated P K I email encryption certificates that are used for secure email. M S Outlook 2003 and M S Outlook 2007 buttons become selectable as popups.</ContentDescription></Sec508Data>
                    <Popups>
                        <Popup>
                            <Filename>pkiusec_09_01</Filename>
                            <Sec508TriggerName>Publishing to the GAL for M S Outlook 2003</Sec508TriggerName>
                            <ShowText>
                                <Txt frameNbr="1">To publish to the GAL, open Microsoft Outlook 2003 and select Tools and then select Options. Select the Security tab. Under Encrypted e-mail, select Settings. Select Delete and this will empty all data fields. Select OK and you will be returned to the Security tab. Select Publish to GAL to remove old settings. A prompt appears. Select OK. Another prompt appears. Select OK. Select Settings. All data fields should be filled in again. Select OK. Once you are returned to the Security tab, select Publish to GAL to publish your current certificate. A prompt appears. Select OK. If prompted, enter your CAC PIN and select OK. You should now see that your certificates were published successfully. Select OK. To complete the process, select OK. If you experience any problems, contact your Help Desk or other PKI technical assistance. </Txt>
                                <Txt frameNbr="1" />
                            </ShowText>
                             <Sec508Data><ContentDescription frameNbr="1">Popup 1 of 2: Popup title: Publishing to the GAL for M S Outlook 2003. An animation of all of the screens and buttons that are part of this process displays. The instructions for each step of the process display in support of audio.</ContentDescription></Sec508Data>
                        </Popup>
                        <Popup>
                            <Filename>pkiusec_09_02</Filename>
                            <Sec508TriggerName>Publishing to the GAL for M S Outlook 2007</Sec508TriggerName>
                            <ShowText>
                                <Txt frameNbr="1">To publish to the GAL, open Microsoft Outlook 2007 and select Tools, then select Trust Center. On the left-hand side of the Trust Center screen, select the E-mail Security tab. Select Settings. Select Delete to remove all data. Select OK. Select Publish to GAL to remove old settings. A prompt appears. Select OK. Another prompt appears. Select OK. On the Trust Center screen, select Settings. On the Change Security Settings screen, all data fields should be automatically filled. Select OK. On the Trust Center screen, select Publish to GAL to publish your current certificate. On the prompt that appears, select OK. If prompted, enter your CAC PIN and select OK. You should now see that your certificates were published successfully. Select OK. To complete the process, select OK. If you experience any problems, contact your Help Desk or other PKI technical assistance. </Txt>
                                <Txt frameNbr="1" />
                            </ShowText>
                             <Sec508Data><ContentDescription frameNbr="1">Popup 2 of 2: Popup title: Publishing to the GAL for M S Outlook 2007. An animation of all of the screens and buttons that are part of this process displays. The instructions for each step of the process display in support of audio.</ContentDescription></Sec508Data>
                        </Popup>
                    </Popups>
                </Page>
                <Page>
                    <Title>Sending Encrypted E-mail</Title>
                    <Filename>pkiusec_10</Filename>
                    <PageNbr>10</PageNbr>
                    <ShowText>
                        <Txt frameNbr="1"><![CDATA[To send an encrypted e-mail, you will need the recipient's e-mail encryption certificate. There are three ways you can obtain the recipient's encryption certificate. If the recipient shares the same e-mail domain as you, you would use the Global Address List, or GAL, to obtain their encryption certificate. If the recipient is a DoD user, but not in your shared e-mail domain, you would use the Global Directory Service, or GDS. If the recipient is a partner outside of the DoD, you would use a digitally signed e-mail message.  The most common way to encrypt an e-mail is to simply select the encryption button, which is the blue padlock on the toolbar, before sending the e-mail.  If the recipient's encryption certificate is not in your GAL, then you will receive an error message and you will have to obtain the recipient's encryption certificate through either the GDS or digitally signed e-mail method. Once you've obtained the recipient's encryption certificate, then you can send that person an encrypted e-mail by selecting the encryption button on the toolbar. Select GDS and Digitally signed e-mail to learn how these methods work. ]]></Txt>
                        <Txt frameNbr="1" />
                    </ShowText>
                     <Sec508Data><ContentDescription frameNbr="1">Screen 10 of 17. Screen title: Sending Encrypted Email. An email message displays. Bulleted text displays in support of audio. The blue padlock email encryption button on the email screen is notated with a callout box. An encryption error message screen displays. GAL becomes a rollover which states the Global Address List, or GAL, is a directory service within an organization's or group of organizations' email system. The GAL contains information for all email users, distribution groups, and resources. Users of Microsoft Outlook can publish to the GAL their externally generated P K I email encryption certificates that are used for secure email. The G D S and Digitally signed email buttons become selectable as popups.</ContentDescription></Sec508Data>
                    <Popups>
                        <Popup>
                            <Filename>pkiusec_10_01</Filename>
                            <Sec508TriggerName>G D S</Sec508TriggerName>
                            <ShowText>
                                <Txt frameNbr="1">Follow these steps to obtain a DoD user's encryption certificate from the Global Directory Service, or GDS. Open your web browser and enter the web site address provided on this screen. Select your identification certificate. Enter your PIN when prompted. Select OK. You can query by last name, first name, e-mail address, or by components, services, and agencies. Enter the search criteria in the appropriate data fields. Select Search. Select the last name of the person for whom you are searching. Select the Download Certificates as a vCard (Outlook and Internet Explorer or Netscape 7.x Required) link. Select the certificate to be downloaded. Select Open. Select Save and Close. </Txt>
                                <Txt frameNbr="1" />
                            </ShowText>
                             <Sec508Data><ContentDescription frameNbr="1">Popup 1 of 2: Popup title: G D S. An animation of all of the screens and buttons that are part of this process displays. The instructions for each step of the process display in support of audio. The web site address referenced in step 1 is h t t p s colon forward slash forward slash d o d 4 1 1 dot g d s dot disa dot mil. G D S becomes a rollover which states Global Directory Service, or G D S, is an enterprise wide directory service that supports the D O D P K I Program. G D S currently provides a D O D wide search capability for information such as names, email addresses and public keys, regarding D O D personnel with a D O D P K I certificate on the nippernet and the sippernet.  G D S includes both the public email encryption keys and the certificate revocation lists.</ContentDescription></Sec508Data>
                        </Popup>
                        <Popup>
                            <Filename>pkiusec_10_02</Filename>
                            <Sec508TriggerName>Digitally Signed Email</Sec508TriggerName>
                            <ShowText>
                                <Txt frameNbr="1"><![CDATA[Follow these steps to obtain the encryption certificate from a digitally signed e-mail. Open the digitally signed e-mail. Right click on the sender's e-mail address. Select Add to Outlook Contacts. At this point, you may add or modify personal information about the sender on the General tab, but this is not required. Select Save and Close. ]]></Txt>
                                <Txt frameNbr="1" />
                            </ShowText>
                             <Sec508Data><ContentDescription frameNbr="1">Popup 2 of 2: Popup title: Digitally Signed Email. An animation of all of the screens and buttons that are part of this process displays. The instructions for each step of the process display in support of audio.</ContentDescription></Sec508Data>
                        </Popup>
                    </Popups>
                </Page>
                <Page>
                    <Title>Receiving Encrypted E-mail</Title>
                    <Filename>pkiusec_11</Filename>
                    <PageNbr>11</PageNbr>
                    <ShowText>
                        <Txt frameNbr="1">When someone sends you an encrypted e-mail, you will recognize it by the blue padlock visual indicator next to your e-mail in your inbox. When you open the e-mail, your private key will be used to decrypt the message, and you may be prompted to enter your PIN. </Txt>
                        <Txt frameNbr="1" />
                    </ShowText>
                     <Sec508Data><ContentDescription frameNbr="1">Screen 11 of 17. Screen title: Receiving Encrypted Email. An image of an email inbox displays. The blue padlock next to an email message in the list is enlarged. Bulleted text displays in support of audio. A cursor clicks on the email to open it and a PIN prompt displays, a PIN is entered and the email message opens.</ContentDescription></Sec508Data>
                </Page>
                <Page>
                    <Title>Reading Previously Encrypted E-mail</Title>
                    <Filename>pkiusec_12</Filename>
                    <PageNbr>12</PageNbr>
                    <ShowText>
                        <Txt frameNbr="1">When you receive a replacement CAC, you will also receive replacement certificates on your CAC. You will not be able to use your new CAC to read encrypted e-mail that was sent to you when you were using your previous CAC. To read those e-mail messages you will need to recover your previous e-mail encryption private key. Primarily for this reason, the DoD automatically escrows private encryption keys when new CACs and PKI certificates are issued. An automated key recovery process has been established to allow you to recover your previously issued private encryption key and install it in the certificate store on your computer. Note that if you are unable to recover your certificates, contact your Registration Authority, or RA, office.  Select Automated Key Recovery Agent to review the steps for completing this process. </Txt>
                        <Txt frameNbr="1" />
                    </ShowText>
                     <Sec508Data><ContentDescription frameNbr="1">Screen 12 of 17. Screen title: Reading Previously Encrypted Email. Image of a cack displays. Image of a key labeled your previous public key displays. Image of a key labeled your previous private key displays on top of the cack. Bulleted text displays in support of audio. An image of a telephone displays. Automated Key Recovery Agent becomes selectable as a popup.</ContentDescription></Sec508Data>
                    <Popups>
                        <Popup>
                            <Filename>pkiusec_12_01</Filename>
                            <Sec508TriggerName>Automated Key Recovery Agent</Sec508TriggerName>
                            <ShowText>
                                <Txt frameNbr="1">Follow these steps to recover your previously issued private encryption key using the Automated Key Recovery Agent, or ARA, and install it in the certificate store on your computer. Open Internet Explorer and enter the web site address provided on this screen. Note that this URL is case sensitive. When prompted to select a certificate, you will need to select your CAC identification certificate. Note that when the correct certificate is selected, you should see the statement: You have a private key that corresponds to this certificate. Select your CAC ID certificate. Select OK. Enter your CAC PIN. Select OK. Read the DoD security warning. Select OK. The ARA will now gather a list of all of your private encryption certificate recoverable keys for you. Choose the key that you want to recover and select Recover. Read the acknowledgement that you are the DoD subscriber and select OK. Once the key is recovered, a page will display with a link to download your key along with a one-time password used to retrieve the recovered key. Write down or print the one-time password and keep it secured. Click the link to download your key. Select Open. Select Next. Verify the file name displayed is the intended encryption key to install. Select Next. Enter your one-time password. Check the box next to enable strong private key protection. Select Next. Select the radio button next to place all certificates in the following store. Select Browse. Select the personal store. Select OK. Select Next. You have successfully installed your private encryption key. Select Finish. Select Set Security Level. Select the radio button next to High. Select Next. Enter a new password and retype the password to confirm. Select Finish. Select OK. Select OK. You have successfully installed your previously issued private encryption key in the certificate store on your computer. 
Note that during this process, a notification e-mail was sent to you warning that a user was attempting to recover the chosen key. </Txt>
                                <Txt frameNbr="1" />
                            </ShowText>
                             <Sec508Data><ContentDescription frameNbr="1">Popup 1 of 1: Popup title: Automated Key Recovery Agent. An animation of all of the screens and buttons that are part of this process displays. The instructions for each step of the process display in support of audio. The web site address referenced in step 1 is h t t p s colon forward slash forward slash ay r ay dash 1 dot c 3 p k eye dot c h ay m b dot disa dot mil forward slash ay r ay forward slash key.</ContentDescription></Sec508Data>
                        </Popup>
                    </Popups>
                </Page>
                <Page>
                    <Title>Knowledge Check</Title>
                    <Filename>pkiusec_13</Filename>
                    <PageNbr>13</PageNbr>
                    <PageType>Knowledge Check</PageType>
                    <AttemptCountLimit>1</AttemptCountLimit>
                    <DfltQuestionWidth>500</DfltQuestionWidth>
                    <DfltFBWidth>425</DfltFBWidth>
                    <Questions>
                      <Question qType="MC">
					  							<DfltInstructionWidth>570</DfltInstructionWidth>

					  							<Txt>When you receive a digitally signed e-mail, you should verify that the sender's digital signature is valid.</Txt>
					  							<Response valid="true">
					  								<Txt>True</Txt>
					  							</Response>
					  							<Response>
					  								<Txt>False</Txt>
					  							</Response>
					  							<Feedback>
					  								<DfltCorrect>Correct. You should verify that the sender's digital signature is valid.</DfltCorrect>
					  								<DfltIncorrect>Incorrect. You should verify that the sender's digital signature is valid.</DfltIncorrect>
					  							</Feedback>
						</Question>
                    </Questions>
                    <ShowText>
                        <Txt frameNbr="1">Now, check your understanding. </Txt>
                        <Txt frameNbr="1" />
                    </ShowText>
                     <Sec508Data><ContentDescription frameNbr="1">Screen 13 of 17. Screen title: Knowledge Check. This is a multiple choice question. Use your keyboard to cycle through the list of options.</ContentDescription></Sec508Data>
                </Page>
                <Page>
                    <Title>Knowledge Check</Title>
                    <Filename>pkiusec_14</Filename>
                    <PageNbr>14</PageNbr>
                    <PageType display="Sequential">Knowledge Check</PageType>
                    <AttemptCountLimit>1</AttemptCountLimit>
                    <DfltQuestionWidth>500</DfltQuestionWidth>
                    <DfltFBWidth>425</DfltFBWidth>
 					<Instructions>Select the best response and then select Done.</Instructions>
                    <Questions>
 					<Question qType="MC">
							<DfltInstructionWidth>570</DfltInstructionWidth>
                            <Txt>Why should you publish your PKI e-mail encryption public key certificate to the Global Address List (GAL)? </Txt>
                            <Response>
                                <Txt>So others within your GAL can send you digitally signed e-mail</Txt>
                            </Response>
                            <Response>
                                <Txt>So you can more easily send others within your GAL encrypted e-mail</Txt>
                            </Response>
                            <Response valid="true">
                                <Txt>So others within your GAL can more easily send you encrypted e-mail</Txt>
                            </Response>
                            <Response>
                                <Txt>So others within your GAL can access your private key</Txt>
                            </Response>
                            <Feedback>
                                <DfltCorrect>Correct. You should publish your PKI e-mail encryption public key certificate to the GAL so others within your GAL can more easily send you encrypted e-mail.</DfltCorrect>
                                <DfltIncorrect>Incorrect. You should publish your PKI e-mail encryption public key certificate to the GAL so others within your GAL can more easily send you encrypted e-mail.</DfltIncorrect>
                            </Feedback>
                        </Question>
                    </Questions>
                    <ShowText>
                        <Txt frameNbr="1">Now, check your understanding of publishing to the GAL. </Txt>
                        <Txt frameNbr="1" />
                    </ShowText>
                     <Sec508Data><ContentDescription frameNbr="1">Screen 14 of 17. Screen title: Knowledge Check. This is a multiple choice question. Use your keyboard to cycle through the list of options.</ContentDescription></Sec508Data>
                </Page>
                <Page>
                    <Title>Knowledge Check</Title>
                    <Filename>pkiusec_15</Filename>
                    <PageNbr>15</PageNbr>
                    <PageType display="Sequential">Knowledge Check</PageType>
                    <AttemptCountLimit>1</AttemptCountLimit>
                    <DfltQuestionWidth>500</DfltQuestionWidth>
 					<Instructions>Select the best response and then select Done.</Instructions>
                    <Questions>
 					<Question qType="MC">
							<DfltInstructionWidth>570</DfltInstructionWidth>
                            <Txt>Which of the following statements best reflects DoD policy regarding digitally signing e-mail messages?  Select the best response and then select Done.</Txt>
                            <Response>
                                <Txt>You should digitally sign all e-mail messages.</Txt>
                            </Response>
                            <Response>
                                <Txt>You should only digitally sign e-mail messages that you encrypt.</Txt>
                            </Response>
                            <Response valid="true">
                                <Txt>You should digitally sign any e-mail messages that contain an attachment or embedded hyperlink.</Txt>
                            </Response>
                            <Feedback>
                                <DfltCorrect>Correct.  According to DoD policy, you should always digitally sign any e-mail message that contains an attachment or embedded hyperlink.  You should also consider digitally signing e-mail messages that contain operational, contract, finance, or personnel management information, provide direction or tasking, request or respond to requests for resources, or promulgate organization position.</DfltCorrect>
                                <DfltIncorrect>Incorrect.  According to DoD policy, you should always digitally sign any e-mail message that contains an attachment or embedded hyperlink.  You should also consider digitally signing e-mail messages that contain operational, contract, finance, or personnel management information, provide direction or tasking, request or respond to requests for resources, or promulgate organization position.</DfltIncorrect>
                            </Feedback>
                        </Question>
                    </Questions>
                    <ShowText>
                        <Txt frameNbr="1">Now check your understanding. </Txt>
                        <Txt frameNbr="1" />
                    </ShowText>
                     <Sec508Data><ContentDescription frameNbr="1">Screen 15 of 17. Screen title: Knowledge Check. This is a multiple choice question. Use your keyboard to cycle through the list of options.</ContentDescription></Sec508Data>
                </Page>
                <Page>
                    <Title>Knowledge Check</Title>
                    <Filename>pkiusec_16</Filename>
                    <PageNbr>16</PageNbr>
                    <PageType display="Sequential">Knowledge Check</PageType>
                    <AttemptCountLimit>1</AttemptCountLimit>
                    <DfltQuestionWidth>500</DfltQuestionWidth>
                    <DfltFBWidth>425</DfltFBWidth>
					<Instructions>Select the best response and then select Done.</Instructions>
                    <Questions>
 					<Question qType="MC">
							<DfltInstructionWidth>570</DfltInstructionWidth>
                            <Txt>Which of the following statements best reflects DoD policy regarding encrypting e-mail messages?  Select the best response and then select Done.</Txt>
                            <Response>
                                <Txt>You should encrypt all e-mail messages.</Txt>
                            </Response>
                            <Response valid="true">
                                <Txt>You should encrypt any e-mail messages that contain Controlled Unclassified Information (CUI).</Txt>
                            </Response>
                            <Response>
                                <Txt>You should only encrypt e-mail messages that you digitally sign.</Txt>
                            </Response>
                            <Feedback>
                                <DfltCorrect>Correct.  According to DoD policy, you should encrypt e-mail messages that contain Controlled Unclassified Information (CUI) which is information potentially exempt from disclosure under FOIA that is marked FOUO, PII that is protected by the Privacy Act, information that is protected under HIPAA, and other categories of sensitive information.</DfltCorrect>
                                <DfltIncorrect>Incorrect.  According to DoD policy, you should encrypt e-mail messages that contain Controlled Unclassified Information (CUI) which is information potentially exempt from disclosure under FOIA that is marked FOUO, PII that is protected by the Privacy Act, information that is protected under HIPAA, and other categories of sensitive information.</DfltIncorrect>
                            </Feedback>
                        </Question>
                    </Questions>
                    <ShowText>
                        <Txt frameNbr="1">Now check your understanding. </Txt>
                        <Txt frameNbr="1" />
                    </ShowText>
                     <Sec508Data><ContentDescription frameNbr="1">Screen 16 of 17. Screen title: Knowledge Check. This is a multiple choice question. Use your keyboard to cycle through the list of options.</ContentDescription></Sec508Data>
                </Page>
            </Pages>
        </Topic>
        <Topic>
            <Title>Conclusion</Title>
            <Subtitle />
            <Pages>
                <Page>
                    <Title>Conclusion</Title>
                    <Filename>pkiusec_17</Filename>
                    <PageNbr>17</PageNbr>
                    <ShowText>
                        <Txt frameNbr="1">Congratulations!  You have completed the Using PKI Certificates lesson. You should now be able to identify how to safely and securely authenticate your identity to access DoD unclassified networks as well as DoD systems, applications, and web sites using PKI certificates. You should be able to identify how to send and receive e-mail securely using digital signatures and encryption. Finally, you should be able to identify how to read e-mail that was encrypted when you had a previous CAC. </Txt>
                        <Txt frameNbr="1" />
                    </ShowText>
                     <Sec508Data><ContentDescription frameNbr="1">Screen 17 of 17. Topic Title: Conclusion. Screen title: Conclusion. The word Congratulations displays then fades and is replaced by a list of the objectives for the lesson. Each objective is checked off as it is reviewed. A space for you to enter your name displays. A print certificate button displays.  A message displays that states make sure your certificate has printed before exiting. If not, troubleshoot the issue, then select the print button again. </ContentDescription></Sec508Data>
                </Page>
                <!--Page>
                    <Title>Certificate of Completion</Title>
                    <Filename>pkiusec_18</Filename>
                    <PageNbr>18</PageNbr>
                    <ShowText>
                        <Txt frameNbr="1">To print a Certificate of Completion, enter your name in the space provided, and select Print Certificate. </Txt>
                        <Txt frameNbr="1" />
                    </ShowText>
                </Page-->
            </Pages>
        </Topic>
    </Topics>
</Module>