NOTICE:  Certificate Error on VICTORY Portal

When logging into the VICTORY portal, you may see a certificate error.  This is because we have renewed our server ECA certificates, and our new certificate was signed by the recently generated "ECA Root CA 4." In order to correct this, you will need to install the newest ECA certificates from DISA's website.

In order to get this certificate, navigate to http://iase.disa.mil/pki-pke/Pages/tools.aspx and select the "Trust Store" tab.

If you are using Windows, the easiest method for doing this is to install the InstallRoot program available at this site.  Under the "Trust Store" tab, download the appropriate NIPR Windows Installer for InstallRoot. There is even an option for Non-Administrator users.  Once you have installed and run InstallRoot, be sure to select the ECA certificates for installation.

If you are using another OS, such as Mac OS or some distribution of GNU/Linux, or if you are using Firefox on Windows, then you will need to use the "PKI CA Certificate Bundles." You will need to grab the ECA PKI bundle (at least), and I suggest the PKCS#7 (standard Zip file) bundle. Once extracted, there are instructions available in a README.txt file that you can follow in order to verify and install the certificate bundles. The verification instructions are geared to Mac OS and Linux command line users, but the installation instructions should work on any version of Firefox (on any operating system).

One final note.  On some operating systems, such as Mac OS, if you install the certificate bundle into the system keychain (typically, just double-click the bundle to do so) so that it is accessible to the Safari and Chrome browsers, you will need to take an extra step to trust the newly installed ECA root certificates.  On a Mac, this involves opening the program "Keychain Access," finding the relevant certificates, right-clicking and selecting "Get Info," and then using the drop-down "Trust" menu to select "Always Trust" for the first option.
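The following is an added example, not part of this notice and not the procedure in the bundle's README.txt: a shell sketch that lists every certificate inside a PKCS#7 bundle with its SHA-256 fingerprint, so you can see exactly what you are about to trust and compare a root's fingerprint against a value obtained through a separate, trusted channel. The function names and the file names `demo.pem` and `demo.p7b` are hypothetical, and `make_demo_bundle` only builds a constructed throwaway bundle so the sketch can be tried offline.

```shell
#!/bin/sh
# Added example: inspect a PKCS#7 certificate bundle before trusting it.

# Normalise a fingerprint: strip colons/spaces, upper-case the hex digits.
norm_fp() { printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'; }

# Print "FINGERPRINT<TAB>SUBJECT" for every certificate in a .p7b bundle.
list_bundle_certs() {
    bundle=$1
    tmp=$(mktemp -d) || return 1
    # Bundles may be DER or PEM encoded; try DER first, then PEM.
    { openssl pkcs7 -inform DER -in "$bundle" -print_certs 2>/dev/null ||
      openssl pkcs7 -inform PEM -in "$bundle" -print_certs 2>/dev/null; } |
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%03d.pem", dir, n) }
        f != "" { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }'
    for c in "$tmp"/cert*.pem; do
        [ -f "$c" ] || continue
        fp=$(openssl x509 -in "$c" -noout -fingerprint -sha256 | cut -d= -f2)
        subj=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject= *//')
        printf '%s\t%s\n' "$(norm_fp "$fp")" "$subj"
    done
    rm -rf "$tmp"
}

# Succeed only if the bundle holds a certificate with the expected SHA-256
# fingerprint. The expected value is an assumption of this example: it must
# come from a separate, trusted channel, not from the download itself.
bundle_has_fingerprint() {
    want=$(norm_fp "$2")
    [ -n "$want" ] || return 2
    list_bundle_certs "$1" | cut -f1 | grep -qx "$want"
}

# Constructed sample input: a throwaway self-signed certificate wrapped in a
# DER PKCS#7 bundle, written to the directory given as $1.
make_demo_bundle() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo Root" \
        -keyout "$1/demo.key" -out "$1/demo.pem" 2>/dev/null &&
    openssl crl2pkcs7 -nocrl -certfile "$1/demo.pem" -outform DER \
        -out "$1/demo.p7b"
}
```

A fingerprint that is not in the bundle makes `bundle_has_fingerprint` return non-zero, which is the signal to stop before importing anything into a trust store.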

More information for the curious:

Q:  Why is this certificate error occurring?

A:  In order for the TLS public key encryption system to operate, an operating system or web browser contains a list of trusted certificates from the main TLS certificate authorities (CAs).  These CAs use their trusted certificates to sign the encryption certificates of most of the websites you visit that use TLS (those whose addresses begin with https).  Your browser trusts these CAs, and so it automatically trusts certificates signed by them.  The VICTORY portal does not use such a certificate.

Q:  Why does the VICTORY portal not use a certificate that my browser already trusts?

A:  The VICTORY portal contains some content that is considered For Official Use Only (FOUO) and Distribution C, but it is a consortium website, and not a government website (note the lack of *.gov in the portal's domain name).  By DoD requirements, and due to the portal's content, the VICTORY portal is required to use a commercial ECA server certificate.

Q:  Why are ECA certificates not trusted by my browser?

A:  The implicit trust that we place in our browser's or OS's trusted CA list is considered a potential security vulnerability.  It is always possible for a malicious user to insert malicious root certificates into this trusted storage, and how many of us ever check for this?  It is even possible for malicious certificates to be inserted directly into the install package for the browser.  It is a requirement of the ECA program that the ECA root certificates always be obtained from a verified authority, and never automatically included in browser and operating system default trust stores.  It should be noted that the same is required of the DoD root CA certificates used by CAC cards, but those certificates are often pre-installed on government and government contractor furnished equipment, and they are also embedded within CAC cards as a separate OS-readable keychain.