VICTORY Portal

NOTICE: Certificate Error on VICTORY Portal

When logging into the VICTORY portal, you may see a certificate error. To correct this, install the newest ECA certificates from the DoD Cyber Exchange public website: navigate to https://public.cyber.mil/pki-pke/admins/#toggle-id-1 and follow the "Install Certification Authority (CA) Certificates" steps.

More information for the curious:

Q: Why is this certificate error occurring?

A: For the TLS public-key encryption system to operate, an operating system or web browser contains a list of trusted certificates from the main TLS certificate authorities (CAs). These CAs use their trusted certificates to sign the encryption certificates of most of the websites you visit that use TLS (those whose addresses begin with https). Your browser trusts these CAs, and so it automatically trusts certificates signed by them. The VICTORY portal does not use such a certificate.

Q: Why does the VICTORY portal not use a certificate that my browser already trusts?

A: The VICTORY portal contains some content that is considered For Official Use Only (FOUO) and Distribution C, but it is a consortium website, and not a government website (note the lack of *.gov in the portal's domain name). By DoD requirements, and due to the portal's content, the VICTORY portal is required to use a commercial ECA server certificate.

Q: Why are ECA certificates not trusted by my browser?

A: The implicit trust that we place in our browser's or OS's trusted CA list is considered a potential security vulnerability. It is always possible for a malicious user to insert malicious root certificates into this trusted storage, and how many of us ever check for this? It is even possible for malicious certificates to be inserted directly into the install package for the browser. It is a requirement of the ECA program that the ECA root certificates always be obtained from a verified authority, and never be automatically included in browser and operating system default trust stores. It should be noted that the same is required of the DoD root CA certificates used by CAC cards, but those certificates are often pre-installed on government and government contractor furnished equipment, and they are also embedded within CAC cards as a separate OS-readable keychain.
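
The answer above asks how many of us ever check the trusted root store. One way to do that check, as an added example that is not part of the VICTORY portal's own material: record the SHA-256 fingerprints of the trusted roots while the machine is in a known-good state, then compare the store against that baseline later. The function names and the sample bundles are assumptions made for illustration; the sample certificate bodies are constructed placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armor (used here to build the sample bundles)."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

def fingerprints_from_pem(bundle: str) -> set:
    """SHA-256 fingerprint of every certificate in a PEM bundle."""
    ders = (base64.b64decode("".join(b.split()))
            for b in PEM_RE.findall(bundle))
    return {hashlib.sha256(der).hexdigest() for der in ders}

def fingerprints_from_system() -> set:
    """Fingerprints of the roots Python's default TLS context has loaded.
    Where roots are loaded lazily from a directory this set can be empty;
    export the store to a PEM bundle and use fingerprints_from_pem instead."""
    ctx = ssl.create_default_context()
    return {hashlib.sha256(der).hexdigest()
            for der in ctx.get_ca_certs(binary_form=True)}

def diff_trust_store(current: set, baseline: set) -> dict:
    """Roots present now but absent from the baseline, and the reverse."""
    return {"added": sorted(current - baseline),
            "removed": sorted(baseline - current)}

# Constructed sample data: placeholder bytes standing in for DER certificates.
CONSTRUCTED_BASELINE = (to_pem(b"constructed-root-A")
                        + to_pem(b"constructed-root-B"))
CONSTRUCTED_CURRENT = CONSTRUCTED_BASELINE + to_pem(b"constructed-root-C")

if __name__ == "__main__":
    report = diff_trust_store(fingerprints_from_pem(CONSTRUCTED_CURRENT),
                              fingerprints_from_pem(CONSTRUCTED_BASELINE))
    for fp in report["added"]:
        print("root not in baseline, verify before trusting:", fp)
    for fp in report["removed"]:
        print("baseline root missing:", fp)
    print("roots loaded by this Python:", len(fingerprints_from_system()))
```

ECA roots installed by following the steps in the notice will show up as "added" on the next run; once their source has been verified, add their fingerprints to the baseline.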