IMPORTANT: These instructions are written step-by-step; do not perform an action before the
instructions tell you to do so.
A NOTE TO INTERNET EXPLORER APPLICANTS – When performing certificate functions with
Internet Explorer, you are really dealing with the Windows operating system. This means that there can
be many Windows configuration variables that ORC cannot anticipate. In these cases, we may have to
have your IT people assist us.
You must be logged onto your computer under your normal user profile (or Username). [Your IT
support person may have had to log on as the Administrator to install ActivClient, but we want the
user logged on now, not the Administrator.]
1. In Internet Explorer, go to: https://eca.orc.com/.
2. Scroll down and click the “Order” button next to Medium Token Assurance Identity and Encryption
Certificates.
3. Click on the link to “Proceed to Step 1 to read the requirements”.
4. Read the requirements, and then click on the “Proceed to Step 2” button.
5. Read the requirements to present 2 photo IDs, Proof of Citizenship and Proof of Organizational
Affiliation when you go through the Identity Verification process. Then click on the “Proceed to Step
3” button.
6. By this point you must have Trusted the Certificate Authority (CA) when you ran the procedure to Trust
the DoD and ECA PKIs. You should also have purchased a smart card or cryptographic token, installed
ActivClient (re-booted the computer at least once), and initialized the smart card (set a PIN). Check the
3 check boxes only when you have done all of the above and click the “Proceed to Step 4” button.
Note: You already did the steps above (and more) when you ran the InstallRoot tool.
7. On the application page, select the desired Validity Period (One or Three Years), enter your name,
company name, the email address that you use at work, your citizenship, and your phone number at
work. Then scroll down.
8. If you see a Web Access Confirmation dialogue box, click Yes.
Note: This is sample data; please enter your information. If you have a middle name, please enter your
middle initial.
9. On the Confirm Information page, double check your information, make any changes if necessary and
then click “This is Correct”. (NOTE: If you make a mistake and ORC has to re-issue your certificate
with a correction, you will be charged again to fix your mistake.)
10. You will get a warning that key generation will take a few minutes. Things may appear to be
‘frozen’; please be patient.
Note: If you need to make a change, do so here. This is critical; it MUST be correct.
11. ActivClient may then prompt you to enter the PIN for the device. Enter the PIN that you have set on the
device. Note: You might not be prompted if you have entered the PIN within the last few minutes.
12. If you see a Web Access Confirmation dialogue box, click Yes.
13. You will now be prompted to request your encryption certificate. Click the “Submit Request” button.
14. You will get a warning that key generation will take a few minutes. Things may appear to be
‘frozen’; please be patient.
15. Print the request form; it should be two pages long, with a third page of instructions. This is the page
that you will take to a Notary or Local Registration Authority (LRA) for Identity Verification.
17. The next page asks you to confirm that your certificate key pairs were written onto the device.
Instructions for doing so are included in this document.
The RSA Key Pair is written to your cryptographic token when you have successfully made an on-line
request for certificates. There will be an RSA key for each certificate request that you have made. Your
computer will look for this RSA Key Pair on your cryptographic token when you attempt to import the
issued certificate from the certificate server. This RSA Key Pair is NOT YET a certificate; it is, rather,
the 'foundation' of the certificate (i.e., the RSA Key Pair will become the certificate). It has real value
prior to your certificate being issued.
Verification of the RSA Key Pair will confirm that the RSA Key for your future certificate is fully
functional. To ensure that the RSA Key Pair has successfully written to your cryptographic token, please
follow the steps below.
CRITICAL: DO NOT at any time delete an RSA key from your cryptographic token.
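The relationship described above between the RSA Key Pair, the request and the issued certificate, shown with OpenSSL as an added example that is not part of ORC's instructions. The software keys, file names, subject names and test CA are constructed stand-ins for the cryptographic token and the issuing CA.

```shell
#!/bin/sh
# Added illustration. Software keys stand in for the key pairs on the token;
# on a real token the private key never leaves the card. All names are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# SHA-256 fingerprint of the public key inside a private key, request or certificate.
pub_fp() {  # $1 = key | req | x509, $2 = file
  case "$1" in
    key) openssl pkey -in "$2" -pubout -outform DER ;;
    *)   openssl "$1" -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER ;;
  esac | openssl dgst -sha256 | awk '{print $NF}'
}

# Print the name of the key pair a certificate belongs to, or "none".
matching_key() {  # $1 = certificate, remaining arguments = candidate key files
  cert_fp=$(pub_fp x509 "$1"); shift
  for k in "$@"; do
    if [ "$(pub_fp key "$k")" = "$cert_fp" ]; then basename "$k" .key; return 0; fi
  done
  echo none
}

# One key pair is generated per certificate request (identity and encryption).
for name in identity encryption; do
  openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$name.key" -subj "/CN=Sample Applicant ($name)" \
    -out "$WORK/$name.csr"
done

# Later the CA signs the public key from the request; the signed result is the certificate.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
  -subj "/CN=Constructed Test CA" -days 1 2>/dev/null
openssl x509 -req -in "$WORK/identity.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -out "$WORK/identity.crt" -days 1 2>/dev/null

echo "public key in request:  $(pub_fp req "$WORK/identity.csr")"
echo "public key of key pair: $(pub_fp key "$WORK/identity.key")"
echo "import, both key pairs present: $(matching_key "$WORK/identity.crt" \
  "$WORK/identity.key" "$WORK/encryption.key")"
# Same certificate after the identity key pair has been deleted: nothing to bind to.
echo "import, identity key deleted:   $(matching_key "$WORK/identity.crt" \
  "$WORK/encryption.key")"
```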
18. IMPORTANT: Confirm that your certificate key pairs were written onto the device.
a. Open the ActivClient User Console and then click View then Refresh, then double-click on the My
Certificates folder.
b. You should see one (1) RSA Key Pair for each certificate that you are requesting. [Please note that
the RSA Key Pairs are not yet certificates. They are the core of a certificate, but will not be
finished until you receive a Certificate Issuance Notification email from ORC and you execute the
instructions contained in that email.]
c. Pull your card out of the reader. [Notice how the display goes blank.]
d. CRITICAL: If you do NOT see an RSA Key Pair on your cryptographic token, you have not made
a successful request. Also, if you see more than two (2) RSA keys on your cryptographic token,
this means that you have generated more than two on-line requests. These are problems for the
following reasons:
i. If you do not see your RSA Key Pair on the cryptographic token, then you will not be able to
successfully complete the import process when you receive the certificate issuance notification
email.
ii. If you see more than two (2) RSA Keys on your cryptographic token, then you have generated
more than two on-line requests. It is impossible to tell which RSA Key is associated with a
particular request number that you generated during the on-line request process. If you were to
send in paperwork for the wrong RSA Key Pair, then you would not be able to complete the
import process when you receive the certificate issuance notification email.
If you find that you fall into either one of these categories, and were to send us the request forms
anyway, then your certificate will NOT work when issued, and you will be solely responsible for
the cost of purchasing a new certificate.
To address these issues, please email us at [email protected] for assistance. Enter a Subject of
“Need help requesting Medium-Token Assurance certificates”. This will open a help desk ticket in our
system and a representative can contact you.
19. After verifying your RSA keys, click the button to “Proceed to Step 6”.
20. Click the button that corresponds to your citizenship status. Read all of the information provided and
follow the instructions on this page to submit your request forms to ORC.
21. The application process is complete.