EmailSharePrint

Enrollment Instructions – Medium Token Assurance Certificate

Meets New JPAS Specifications for Authentication

The new JPAS login procedures have been strengthened to require strong authentication (user name and password plus an ECA Medium Token/Hardware Assurance certificate.) This certificate must be stored on a Smart Card or USB Token.


Print these instructions: We strongly suggest printing this page before enrolling for your ECA Certificate.

  1. a. Send an email to ECA Sales (eca_sales@symantec.com) to request an FIPS 140-2 compliant smart card or USB token and pre-pay for the ECA certificate. In this email, please attach the ECA Administrator Kit Order Form and either your company's purchase order or a completed credit card authorization form for payment.
  2. b. If you order a smart card, we will send you a package with a smart card, a smart card reader, a CD-ROM of PKI Client software, and a sales order number to claim your Medium Token Assurance certificate.
  3. c. If you order a USB token, we will send you a package with a USB token, a CD-ROM of PKI Client software, and a sales order number to claim your Medium Token Assurance certificate.
  4. Note: If enrolling from Windows 7, please follow this link to download the latest drivers AR1752

  1. Do not proceed with these steps until you have received your smart card or USB token package in the mail.
  2. a. Install the PKI Client software on your Windows XP, Vista, or 7 computer.
    Note: Mac OS is not support at this time.
  3. b. Plug your smart card or USB token into your computer.
  4. c. Change the default password on your smart card or USB token. Enter default password 1234567890 in the Current Password field. Enter a new password in the New Password field. This new password must be at least 8 characters and include at least one letter, one number, and one special character.
  5. d. Once this password is successfully created you can move on to the certificate enrollment instructions

  1. Do not proceed with these steps until you have received your smart card or USB token package and installed the PKI Client software. You must have your smart card or USB token plugged into your computer at the time of enrollment.
  2. a. Plug your smart card or USB token into your computer.
  3. b. Go to ECA Certificate Enrollment form.
  4. c. In the Select Enrollment Method section, select the Subscriber Enrollment using Trusted Agent radio button.
  5. d. In the ECA Certificate Subscriber Information section, complete all mandatory fields marked with a red asterisk.
    Note: Enter your full legal name exactly as specified on your passport or birth certificate in the First Name and Last Name fields.
    Note: If you have a suffix after your last name (e.g. Smith, Jr.), enter both your last name and suffix in the Last Name field.
    Note: Only enter your company's legal business name in the Organization field.
  6. e. In the Select Enrollment Type section, select Token Enrollment.
  7. f. In the Enter Payment Type section, enter the sales order number provided in your package in the Sales Order Number field.
    Note: You must add an "11" to the beginning of your 8 digit sales order when enrolling.
  8. g. In the Enter a Challenge Password section, enter a password in both the Challenge Password and Re-enter Challenge Password fields.
  9. h. In the Subscriber Agreement section, read the terms and conditions of the Subscriber Agreement.
  10. i. Click the Accept and Purchase button to submit your certificate request. Then, follow the prompts on the screen to install the CA Root Certificate.
  1. VeriSign ECA Authentication team cannot approve your certificate request until you submit the ECA Subscriber Enrollment form.
  2. a. Download and print ECA Subscriber Enrollment form, but do not sign this form yet. You must sign the ECA Subscriber Enrollment form in the presence of a Notary.
  3. b. Fill out Section 1 of the ECA Subscriber Enrollment form.
  4. c. Take the ECA Subscriber Enrollment to a Notary Public. You must present your valid Passport or Birth Certificate, valid Driver's License, and your Work ID Badge to the Notary.
    Note: If you do not have a Work ID badge, you must download and print the Subscriber's Organizational Contact form. Then, a separate full-time employee of your company must fill out and sign the Subscriber' Organizational Contact form. The purpose of this form is to verify the ECA subscriber's employment within the same organization.
  5. d. Sign the ECA Subscriber Enrollment form in presence of the Notary. Then, the Notary must list documentation, confirm viewing documentation, stamp, and sign Section 2 of the ECA Subscriber Enrollment form.
  6. e. Mail the signed ECA Subscriber Enrollment form to:

    Symantec Corporation
    Attn: VeriSign ECA Authentication Support
    350 Ellis Street
    Mountain View, California 94043
  7. f. Once the ECA Subscriber Enrollment form has been received by the VeriSign ECA Authentication team, you will receive an email confirmation within 7 to 10 business days.
  1. You must have your smart card or USB token plugged into your computer to pick up your certificates.
  2. a. After reviewing your ECA Subscriber form, VeriSign ECA Authentication Support team will approve your certificate request. You will then receive an email stating your ECA certificate has been issued. This email contains an approval PIN required to pick-up your ECA Identity certificate.
  3. b. Plug your smart card or USB token into your computer. Click the link in the email to access ECA Certificate Installation web page, enter your PIN, and click the Continue button to download and install the ECA Identity certificate on your smart card or USB token.
  4. c. After installing the ECA Identity certificate, you will immediately download and install the ECA Encryption certificate on your smart card or USB token.
    Note: Windows may prompt you to select a certificate to pick up the ECA Encryption certificate. If you get a pop-up window, select your ECA Identity Certificate and click the OK button.
  1. You must install both VeriSign ECA CA and DoD Root CA certificates to create a chain of trust. Web browsers (e.g. Internet Explorer) and email software (e.g. Microsoft Outlook) validate your ECA Identity and Encryption certificates by verifying this chain of trust.
  • Internet Explorer
  • Firefox
  • Secure Email

Install CAs Using Internet Explorer 6, 7, 8

Download the VeriSign ECA root certificates to your Windows Desktop:

  1. 1. Go to https://eca2048.verisign.com/CA/ECARootCA2048.cer
  2. 2. Select Save
  3. 3. In the “Save As” window, select Save
  4. 4. Go to https://eca2048.verisign.com/CA/VeriSignECA2048-G2.cer
  5. 5. Select Save
  6. 6. In the “Save As” window, click Save

Download the DoD root certificates to your Desktop:

  1. 1. Download Root CA 2 Certificate (filename: Rel3_dodroot_2048.p7b)
  2. 2. Download External Certification Authority (ECA) Root CA. (filename: dodeca.p7b)
  3. 3. Download External Certification Authority (ECA) Root CA 2 Certificate. (filename: dodeca2.p7b)

Use the following procedures to individually install all of them:

  1. 1. From Windows, in the lower left hand menu, select Start > All Programs > Accessories > Command Prompt (the Command Prompt may be located in a different location on your computer)
  2. 2. From the command prompt window, type mmc
  3. 3. Hit Enter.
  4. 4. If you see: “Do you want the following program to make changes to your computer?” Click Yes
  5. 5. From the Console Root, select File > Add/Remove Snap-in
  6. 6. From the list, select Certificates
  7. 7. Select the Add button > My user account > Finish > OK
    NOTE: It may automatically add the snap-in without prompting you to select an account
  8. 8. From the left Console Root tree, select on the small triangle to the left of the certificates icon then do the same for Console Root > Certificates (Current User) > Trusted Root Certification Authorities > Certificates
  9. 9. Right-click Certificates > All Tasks > Import
  10. 10. A certificate import wizard will appear; select Next
  11. 11. Select “Browse” and search for your certificates on your Desktop. If you don’t see them, click on the button above the Open and Cancel buttons and change the file type to All Files (*).
  12. 12. Select the file to import and select “Next” in the next screen.
  13. 13. Place the certificate in the Trusted Root Certification Authorities store and select Next.
  14. 14. Select Finish
  15. 15. You should see “The import was successful”.
  16. 16. Go back to step 9 above and repeat all steps for all root certificates.

NOTES:

  • You may be required to click “Yes” several times when importing DoD Certs. The rel3_dodroot_2048.p7b may require multiple clicks.
  • When all certs have been installed, you may exit all windows.
  • Click No when asked to save Console 1 settings




Install CAs Using Firefox

You need to install both the ECA Root CA certificate and the VeriSign ECA CA certificate to use your digital certificates.

Open the browser on the computer where you need to install the certificates. You will download two certificates and they will automatically install in your system.

Install the ECA Root CA Certificate

  1. 1. Download ECA Root CA Certificate.
    To download 2048 bit CA certificate, click Download 2048 bit ECA Root CA Certificate.
  2. 2. You will see a window entitled "Downloading Certificate". Check all the boxes entitled "Trust this CA ..."
  3. 3. Select OK at the bottom of this window.

Install the VeriSign ECA CA Certificate

  1. 1. Download VeriSign ECA Root CA Certificate.
    To download 2048 bit CA certificate, click Download 2048 bit ECA Root CA Certificate.
  2. 2. You will see a window entitled "Downloading Certificate". Check all the boxes entitled "Trust this CA ..."
  3. 3. Select OK at the bottom of this window.

Secure Email Installation

You will see a series of windows entitled "New Certificate Authority":

  1. 1. In the first window, click on "View" and compare the displayed "fingerprint" with the one on your Certificate Registration Instructions.
    If they are not the same, stop and notify your Local Registration Authority.
    If they are the same, click on "OK". Then click on "Next >".
  2. 2. In the next window: Click on the first two check boxes and click on "Finished".
    If you see a window stating "The certificate cannot be imported. This certificate is already in your database," click "OK".

After reading the above instructions, click on Download Root CA 2 Certificate.

Then, using the same instructions, click on Download External Certification Authority (ECA) Root CA Certificate.

Then, using the same instructions, click on Download External Certification Authority (ECA) Root CA 2 Certificate.

If you need to trust certificates from any of the retired Root Certification or Intermediate Certification Authorities for any reason click here.

Learn More
Need More Info?
Please see the ECA Certificates Knowledge Center for more help and service advisories. Contact Us
Technical Support Phone:
1-866-202-5570 (option 2) or 650-426-3996

For sales support of 10 or more certificates:
650-426-3614 or
eca_sales@symantec.com

For order status and enrollment questions:
eca-authentication@symantec.com

For installation questions:
eca_support@symantec.com
ECA Certificates Support