
Upload: hoangkhue

Post on 21-May-2018


IMPORTANT: These instructions are written step-by-step; do not perform an action before the instructions tell you to do so.

A NOTE TO INTERNET EXPLORER APPLICANTS – When performing certificate functions with Internet Explorer, you are really dealing with the Windows operating system. This means that there can be many Windows configuration variables that ORC cannot anticipate. In these cases, we may have to have your IT people assist us.

You must be logged onto your computer under your normal user profile (or Username). [Your IT support person may have had to log on as the Administrator to install ActivClient, but we want the user logged on now, not the Administrator.]

1. In Internet Explorer, go to: https://eca.orc.com/.

2. Scroll down and click the “Order” button next to Medium Token Assurance Identity and Encryption Certificates.

3. Click on the link to “Proceed to Step 1 to read the requirements”.

4. Read the requirements, and then click on the “Proceed to Step 2” button.

5. Read the requirements to present 2 photo IDs, Proof of Citizenship and Proof of Organizational Affiliation when you go through the Identity Verification process. Then click on the “Proceed to Step 3” button.

6. By this point you must have Trusted the Certificate Authority (CA) when you ran the procedure to Trust the DoD and ECA PKIs. You should also have purchased a smart card or cryptographic token, installed ActivClient (re-booted the computer at least once), and initialized the smart card (set a PIN). Check the 3 check boxes only when you have done all of the above and click the “Proceed to Step 4” button.

[You already did the steps above (and more) when you ran the InstallRoot tool.]

7. On the application page, select the desired Validity Period (One or Three Years), enter your name, company name, the email address that you use at work, your citizenship, and your phone number at work. Then scroll down.

8. If you see a Web Access Confirmation dialogue box, click Yes.

[This is sample data, please enter your information.]

[If you have a middle name, please enter your middle initial.]

9. On the Confirm Information page, double check your information, make any changes if necessary and then click “This is Correct”. (NOTE: If you make a mistake and ORC has to re-issue your certificate with a correction, you will be charged again to fix your mistake.)

10. You will get a warning that key generation will take a few minutes. Things may appear to be ‘frozen’; please be patient.

[If you need to make a change, do so here.]

[This is critical; it MUST be correct.]

11. ActivClient may then prompt you to enter the PIN for the device. Enter the PIN that you have set on the device. Note: You might not be prompted if you have entered the PIN within the last few minutes.

12. If you see a Web Access Confirmation dialogue box, click Yes.

13. You will now be prompted to request your encryption certificate. Click the “Submit Request” button.

14. You will get a warning that key generation will take a few minutes. Things may appear to be ‘frozen’; please be patient.

15. Print the request form; it should be two pages long, with a third page of instructions. This is the page that you will take to a Notary or Local Registration Authority (LRA) for Identity Verification.

16. Click on the “Continue” button.

17. The next page asks you to confirm that your certificate key pairs were written onto the device. Instructions for doing so are included in this document.

The RSA Key Pair is written to your cryptographic token when you have successfully made an on-line request for certificates. There will be an RSA key for each certificate request that you have made. Your computer will look for this RSA Key Pair on your cryptographic token when you attempt to import the issued certificate from the certificate server. This RSA Key Pair is NOT YET a certificate; it is, rather, the 'foundation' of the certificate (i.e., the RSA Key Pair will become the certificate). It has real value prior to your certificate being issued.

Verification of the RSA Key Pair will confirm that the RSA Key for your future certificate is fully functional. To ensure that the RSA Key Pair has successfully written to your cryptographic token, please follow the steps below.

CRITICAL: DO NOT at any time delete an RSA key from your cryptographic token.

18. IMPORTANT: Confirm that your certificate key pairs were written onto the device.

a. Open the ActivClient User Console and then click View then Refresh, then double-click on the My Certificates folder.

b. You should see one (1) RSA Key Pair for each certificate that you are requesting. [Please note that the RSA Key Pairs are not yet certificates. They are the core of a certificate, but will not be finished until you receive a Certificate Issuance Notification email from ORC and you execute the instructions contained in that email.]

c. Pull your card out of the reader. [Notice how the display goes blank.]

d. CRITICAL: If you do NOT see an RSA Key Pair on your cryptographic token, you have not made a successful request. Also, if you see more than two (2) RSA keys on your cryptographic token, this means that you have generated more than two on-line requests. These are problems for the following reasons:

i. If you do not see your RSA Key Pair on the cryptographic token, then you will not be able to successfully complete the import process when you receive the certificate issuance notification email.

ii. If you see more than two (2) RSA Keys on your cryptographic token, then you have generated more than two on-line requests. It is impossible to tell which RSA Key is associated with a particular request number that you generated during the on-line request process. If you were to send in paperwork for the wrong RSA Key Pair, then you would not be able to complete the import process when you receive the certificate issuance notification email.

If you find that you fall into either one of these categories, and were to send us the request forms anyway, then your certificate will NOT work when issued, and you will be solely responsible for the cost of purchasing a new certificate.

To address these issues, please email us at [email protected] for assistance. Enter a Subject of “Need help requesting Medium-Token Assurance certificates”. This will open a help desk ticket in our system and a representative can contact you.

19. After verifying your RSA keys, click the button to “Proceed to Step 6”.

20. Click the button that corresponds to your citizenship status. Read all of the information provided and follow the instructions on this page to submit your request forms to ORC.

21. The application process is complete.

[Click the button that applies to you.]
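
The binding between key pair and certificate described in steps 17 and 18, as an added example that is not part of ORC's instructions: a temporary directory stands in for the cryptographic token and a throwaway CA for the issuer (both constructed, as are all labels and subject names), and the `openssl` command line is assumed to be installed. It shows that an issued certificate can only be imported where the key pair from its request still exists, which is why a deleted or mismatched RSA key leaves the certificate unusable.

```shell
#!/usr/bin/env bash
# Added illustration. The "token" is a temp directory of constructed keys, not a
# real smart card; all labels and subject names are made up.
set -eu
TOKEN=$(mktemp -d)   # stands in for the cryptographic token
CA=$(mktemp -d)      # stands in for the issuing CA and the files it exchanges
trap 'rm -rf "$TOKEN" "$CA"' EXIT

# SHA-256 of the DER SubjectPublicKeyInfo for a PEM public key read on stdin.
spki_fp() { openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'; }

# On-line request: a key pair is created on the token; the request carries only
# its public half.  $1 = key label, $2 = request file
request_cert() {
  openssl genrsa -out "$TOKEN/$1.key" 2048 2>/dev/null
  openssl req -new -key "$TOKEN/$1.key" -subj "/CN=Constructed Applicant" -out "$2"
}

# Issuance: the CA signs the public key taken from the request.
# $1 = request file, $2 = certificate file
issue_cert() {
  [ -f "$CA/ca.key" ] || openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Test CA" -keyout "$CA/ca.key" -out "$CA/ca.crt" 2>/dev/null
  openssl x509 -req -in "$1" -CA "$CA/ca.crt" -CAkey "$CA/ca.key" \
    -CAcreateserial -days 1 -out "$2" 2>/dev/null
}

# Import: look on the token for the key pair whose public key equals the one in
# the certificate. Prints its label, or returns 1 if none matches.
matching_key() {
  local want have k
  want=$(openssl x509 -in "$1" -pubkey -noout | spki_fp)
  for k in "$TOKEN"/*.key; do
    [ -f "$k" ] || continue
    have=$(openssl pkey -in "$k" -pubout | spki_fp)
    if [ "$have" = "$want" ]; then basename "$k" .key; return 0; fi
  done
  return 1
}

request_cert identity "$CA/identity.csr"
request_cert encryption "$CA/encryption.csr"
issue_cert "$CA/encryption.csr" "$CA/encryption.crt"
echo "certificate imports onto key pair: $(matching_key "$CA/encryption.crt")"
rm "$TOKEN/encryption.key"   # the deletion the instructions warn against
matching_key "$CA/encryption.crt" || echo "no matching key pair: import fails"
```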