DoD Interoperability - ECA Certificates
Certificate Enrollment Requirements - Medium Token Assurance Certificates

Print these instructions: We strongly suggest printing this page before enrolling for your ECA Certificate.

1. Hardware Ordering Instructions

  1. Send an email to ECA Sales (eca_sales@symantec.com) to order a FIPS 140-2 compliant smart card or USB token and pre-pay for your Medium Token Assurance certificate. In this email, please attach the ECA Administrator Kit Order Form and either your company's purchase order or a completed credit card authorization form for payment.
  2. If you order a smart card, we will send you a package with a smart card, a smart card reader, a CD-ROM of PKI Client software, and a sales order number to claim your Medium Token Assurance certificate.
  3. If you order a USB token, we will send you a package with a USB token, a CD-ROM of PKI Client software, and a sales order number to claim your Medium Token Assurance certificate.
    Note: Please download the latest PKI Client software from AR1752. Windows 7 users must download this software.

2. Hardware Installation Instructions

Do not proceed with these steps until you have received your smart card or USB token package.
  1. Install the PKI Client software on your Windows XP, Vista, or 7 computer.
    Note: Mac OS, Apple Safari, Google Chrome, Firefox, and Internet Explorer 10 are not supported at this time.
    Note: If you have ordered a smart card and smart card reader, Windows Plug and Play does not always install the smart card reader driver. In this case, you need to download and install the smart card reader driver from the Athena Smartcard Solutions web site (http://www.athena-scs.com/downloads.asp).
  2. Plug your smart card or USB token into your computer.
  3. Change the default password on your smart card or USB token. Enter the default password 1234567890 in the Current Password field.
  4. Enter a new password in the New Password field - it must be at least 8 characters and include at least one letter, one number, and one special character. You must create a new eToken password.
    Once this password is successfully created, you can move on to the certificate enrollment instructions.

3. Certificate Enrollment Instructions

Do not proceed with these steps until you have received your smart card or USB token package and installed the PKI Client software. You must have your smart card or USB token plugged into your computer at the time of enrollment.
  1. Plug your smart card or USB token into your computer.
  2. Go to the ECA Certificate Enrollment form.
    Note: Internet Explorer 10 web browser is not supported at this time. If you have Internet Explorer 10 web browser, you will need to downgrade to Internet Explorer 9.
  3. In the Select Enrollment Method section, select the Subscriber Enrollment using Trusted Agent radio button.
  4. In the ECA Certificate Subscriber Information section, complete all mandatory fields marked with a red asterisk.
    Note: Enter your full legal name exactly as specified on your passport or birth certificate in the First Name and Last Name fields.
    Note: If you have a suffix after your last name (e.g. Smith, Jr.), enter both your last name and suffix in the Last Name field.
    Note: Only enter your company's legal business name in the Organization field.
  5. In the Select Enrollment Type section, select Token Enrollment.
  6. In the Enter Payment Type section, enter your sales order number received via email for the ECA certificate in the Sales Order Number field – DO NOT enter the sales order number associated with the token itself.
    Note: You must add “11” to the beginning of your 8-digit sales order number when enrolling.
  7. In the Enter a Challenge Password section, enter a password in both the Challenge Password and Re-enter Challenge Password fields.
  8. In the Subscriber Agreement section, read the terms and conditions of the Subscriber Agreement.
  9. Click the Accept and Purchase button to submit your certificate request. Then, follow the prompts to install the CA Root Certificate.

4. Identity Proofing Instructions

The Symantec ECA Authentication team cannot approve your certificate request until you submit your ECA Subscriber Enrollment form.
  1. Download and print the ECA Subscriber Enrollment form, but do not sign this form yet. You must sign the ECA Subscriber Enrollment form in the presence of a Notary.
  2. Fill out Section 1 of the ECA Subscriber Enrollment form.
  3. Take the ECA Subscriber Enrollment form to a Notary Public. You must present your valid Passport or Birth Certificate, valid Driver's License, and your Work ID Badge to the Notary.
    Note: If you do not have a Work ID badge, you must download and print the Subscriber’s Organizational Contact form. Then, a separate full-time employee of your company must fill out and sign the Subscriber’s Organizational Contact form. The purpose of this form is to verify the ECA subscriber's employment within the same organization.
  4. Sign the ECA Subscriber Enrollment form in the presence of a valid Notary. The Notary must list and confirm viewing of your ID documentation, stamp, and sign Section 2 of the ECA Subscriber Enrollment form.
  5. Mail the signed ECA Subscriber Enrollment form to:
    Symantec Corporation
    Attn: Symantec ECA Authentication Support
    350 Ellis Street
    Mountain View, California 94043
  6. Once the ECA Subscriber Enrollment form has been received by the Symantec ECA Authentication team, you will receive an email confirmation within 7 to 10 business days.

5. Install CA Certificates Instructions

You must install both Symantec ECA CA and DoD Root CA certificates to create a chain of trust. Web browsers (e.g. Internet Explorer) and email software (e.g. Microsoft Outlook) validate your ECA Identity and Encryption Certificates by verifying this chain of trust. You will also need to adjust your browser settings.

Step 1: Download & Install all Symantec ECA Root Certificates

Internet Explorer (Windows Vista & 7)
  1. Open the Internet Explorer 6, 7, 8, or 9 web browser
  2. Download the first certificate: https://eca2048.pki.symantec.com/CA/ECARootCA2048.cer
  3. Click Save button which launches Save As window
  4. Select Desktop location, click Save button, and click Close button
  5. Click Windows Start button
  6. In the Search Programs and Files field, enter mmc, and click Enter button which opens a Console1 window with a Console Root sub-window. NOTE: You may need to click Yes to confirm that you wish to allow changes to your computer
  7. Click File > Add/Remove Snap-in… option
  8. From the Available snap-ins list, select Certificates option, and click Add button
  9. Select Computer account radio button and click Next button
  10. Keep Local computer radio button selection, click Finish button, and click OK button. NOTE: You may not be prompted to select an account. If not, just click OK.
  11. From the left pane under Console Root in blue, expand Certificates (Local computer or current user) option
  12. Expand Trusted Root Certification Authorities option
  13. Select Certificates folder and right-click your mouse
  14. Select All Tasks > Import… which will launch a Certificate Import wizard.
  15. Click Next button
  16. Click Browse button and go to your Desktop location
  17. Select ECARootCA2048.cer file and click Open button
  18. Click Next button, click Next button again, click Finish button, and finally click OK button
  19. Close the Console1 window. Note: Click No button unless you wish to save the setup
  20. Download the second certificate: https://eca2048.pki.symantec.com/CA/SymantecECA2048-G3.cer
  21. Click Save button which launches Save As window
  22. Select Desktop location, click Save button, and click Close button
  23. Go to your Desktop and double-click VerisignECA2048-G3.cer file which launches a Certificate window
  24. Click Install Certificate… button which launches a Certificate Import wizard
  25. Click Next button and select Place all certificates in the following store radio button
  26. Click Browse button, select Intermediate Certification Authorities option, and click OK button
  27. Click Next button, click Finish button, and click OK button
  28. Close Certificate window by clicking OK button
Internet Explorer (Windows XP)
  1. Open the Internet Explorer 6 or 7 web browser
  2. Download the first certificate: https://eca2048.pki.symantec.com/CA/ECARootCA2048.cer
  3. Click Save button which launches Save As window
  4. Select Desktop location, click Save button, and click Close button
  5. Go to your Desktop and double-click ECARootCA2048.cer file which launches a Certificate window
  6. Click Install Certificate… button which launches a Certificate Import wizard
  7. Click Next button and select Place all certificates in the following store radio button
  8. Click Browse button, select Intermediate Certification Authorities option, and click OK button
  9. Click Next button, click Finish button, and click OK button
  10. Close Certificate window by clicking OK button
  11. Download the second certificate: https://eca2048.pki.symantec.com/CA/SymantecECA2048-G3.cer
  12. Click Save button which launches Save As window
  13. Select Desktop location, click Save button, and click Close button
  14. Go to your Desktop and double-click VerisignECA2048-G3.cer file which launches a Certificate window
  15. Click Install Certificate… button which launches a Certificate Import wizard
  16. Click Next button and select Place all certificates in the following store radio button
  17. Click Browse button, select Intermediate Certification Authorities option, and click OK button
  18. Click Next button, click Finish button, and click OK button
  19. Close Certificate window by clicking OK button

Step 2: Download & Install DoD Root Certificates

Internet Explorer (Windows XP, Vista, & 7)
  1. Open the Internet Explorer 6, 7, or 8 web browser
  2. Go to DoD Class 3 PKI web site: http://dodpki.c3pki.chamb.disa.mil/rootca.html
  3. Click on Download Root CA 2 Certificate (filename: rel3_dodroot_2048.p7b)
  4. Click Save button which launches Save As window
  5. Select Desktop location, click Save button, and click Close button
  6. Click on Download External Certification Authority (ECA) Root CA (filename: dodeca.p7b)
  7. Click Save button which launches Save As window
  8. Select Desktop location, click Save button, and click Close button
  9. Click on Download External Certification Authority (ECA) Root CA 2 Certificate (filename: dodeca2.p7b)
  10. Click Save button which launches Save As window
  11. Select Desktop location, click Save button, and click Close button
  12. Exit Internet Explorer web browser
  13. Go to your Desktop and double-click rel3_dodroot_2048.p7b file which launches a Certificate window
  14. Click Install Certificate… button which launches a Certificate Import wizard
  15. Click Next button and select Place all certificates in the following store radio button
  16. Click Browse button, select Trusted Root Certification Authorities option, and click OK button
  17. Click Next button, click Finish button, and click OK button
  18. Close Certificate window by clicking OK button
  19. Go to your Desktop and double-click dodeca.p7b file which launches a Certificate window
  20. Click Install Certificate… button which launches a Certificate Import wizard
  21. Click Next button and select Place all certificates in the following store radio button
  22. Click Browse button, select Trusted Root Certification Authorities option, and click OK button
  23. Click Next button, click Finish button, and click OK button
  24. Close Certificate window by clicking OK button
  25. Go to your Desktop and double-click dodeca2.p7b file which launches a Certificate window
  26. Click Install Certificate… button which launches a Certificate Import wizard
  27. Click Next button and select Place all certificates in the following store radio button
  28. Click Browse button, select Trusted Root Certification Authorities option, and click OK button
  29. Click Next button, click Finish button, and click OK button
  30. Close Certificate window by clicking OK button
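
Steps 1 and 2 above, scripted as an added example (not part of Symantec's instructions): every certificate in the five downloaded files is checked against thumbprints you have confirmed out of band before anything is written to a trust store, which matters because the DoD bundles are fetched over plain HTTP. Assumptions: the thumbprint values are placeholders, the files sit on the Desktop under the names used in the download steps, and the Local Computer stores are used throughout.

```powershell
# Added example, not Symantec's tooling. Run from an elevated PowerShell prompt
# after saving the five files to the Desktop as described in Steps 1 and 2.
$desktop = [Environment]::GetFolderPath('Desktop')

# File -> Local Computer store. 'Root' is Trusted Root Certification
# Authorities; 'CA' is Intermediate Certification Authorities.
$plan = @(
    @{ File = 'ECARootCA2048.cer';      Store = 'Root' },
    @{ File = 'SymantecECA2048-G3.cer'; Store = 'CA'   },   # named as in the download URL
    @{ File = 'rel3_dodroot_2048.p7b';  Store = 'Root' },
    @{ File = 'dodeca.p7b';             Store = 'Root' },
    @{ File = 'dodeca2.p7b';            Store = 'Root' }
)

# ASSUMPTION: placeholders. Replace with SHA-1 thumbprints confirmed out of band.
# An unedited placeholder never matches, so nothing is installed.
$approved = @('<VERIFIED-THUMBPRINT-1>', '<VERIFIED-THUMBPRINT-2>') |
    ForEach-Object { ($_ -replace '\s', '').ToUpper() }

# Pass 1: parse and check every certificate before touching any store.
$pending = @()
foreach ($item in $plan) {
    $certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $certs.Import((Join-Path $desktop $item.File))   # reads both .cer and .p7b
    foreach ($cert in $certs) {
        if ($approved -notcontains $cert.Thumbprint) {
            throw "Not installing $($item.File): unverified $($cert.Subject) [$($cert.Thumbprint)]"
        }
        if ($item.Store -eq 'Root' -and $cert.Subject -ne $cert.Issuer) {
            Write-Warning "$($cert.Subject) is headed for the root store but is not self-issued"
        }
        $pending += @{ Cert = $cert; Store = $item.Store }
    }
}

# Pass 2: reached only if every certificate in every file was verified.
foreach ($p in $pending) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $p.Store, 'LocalMachine'
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try { $store.Add($p.Cert) } finally { $store.Close() }
    "Installed $($p.Cert.Subject) into LocalMachine\$($p.Store)"
}
```

Because validation and installation are separate passes, a single unverified certificate in any file stops the run before any trust store has been modified.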

6. Certificate Installation Instructions

You must have your smart card or USB token plugged into your computer to pick up your certificates. The Root Certificates must also be installed before proceeding.
  1. After reviewing your ECA Subscriber form, the Symantec ECA Authentication Support team will approve your certificate request. You will then receive an email stating your ECA certificate has been issued. This email contains an approval PIN required to pick-up your ECA Identity certificate.
  2. Plug your smart card or USB token into your computer. Click the link in the email to access the ECA Certificate Installation web page, enter the PIN, and click the Continue button to download and install the ECA Identity certificate on your smart card or USB token.
  3. After installing the ECA Identity certificate, you will immediately download and install the ECA Encryption certificate on your smart card or USB token. Note: Windows may prompt you to select a certificate to pick up the ECA Encryption certificate. If you get a pop-up window, select your ECA Identity Certificate and click the OK button.

Learn More

Find more details here about the ECA Public Key Infrastructure (PKI) Program

Need More Info?

Please see the ECA Certificates Knowledge Center for more help and service advisories.

Contact Us

Technical Support Phone:

1-866-202-5570 (option 2)

For sales support of 10 or more certificates:

1-866-202-5570 and select option 3 or eca_sales@symantec.com

For order status and enrollment questions:

eca-authentication@symantec.com

For installation questions:

eca_support@symantec.com