1. Hardware Ordering Instructions

1. Send an email to ECA Sales (eca_sales@symantec.com) to order a FIPS 140-2 compliant smart card or USB token and pre-pay for your Medium Token Assurance certificate. In this email, please attach the ECA Administrator Kit Order Form and either your company's purchase order or a completed credit card authorization form for payment.
2. If you order a smart card, we will send you a package with a smart card, a smart card reader, a CD-ROM of PKI Client software, and a sales order number to claim your Medium Token Assurance certificate.
3. If you order a USB token, we will send you a package with a USB token, a CD-ROM of PKI Client software, and a sales order number to claim your Medium Token Assurance certificate.

   Note: Please download latest PKI Client software from AR1752. Windows 7 users must download this software.

Do not proceed with these steps until you have received your smart card or USB token package.

1. Install the PKI Client software on your Windows XP, Vista, or 7 computer.

   Note: Mac OS, Apple Safari, Google Chrome, and Internet Explorer 9 are not supported at this time.

   Note: If you have ordered a smart card and smart card reader, Windows Plug And Play does not always install the smart card reader driver. In this case, you need to download and install the smart card reader driver from the Athena Smartcard Solutions web site (http://www.athena-scs.com/downloads.asp):

   • 32-Bit Version: http://www.athena-scs.com/docs/reader-drivers/setup4004x86-en.exe
   • 64-Bit Version: http://www.athena-scs.com/docs/reader-drivers/setup4004x64-en.exe

2. Plug your smart card or USB token in your computer.
3. Change the default password on your smart card or USB token. Enter default password 1234567890 in Current Password field.
4. Enter a new password in the New Password field - it must be at least 8 characters and include at least one letter, one number, and one special character. You must create a new eToken password.

Once this password is successfully created, you can move on to the certificate enrollment instructions.

Do not proceed with these steps until you have received your smart card or USB token package and installed the PKI Client software. You must have your smart card or USB token plugged into your computer at the time of enrollment.

1. Plug your smart card or USB token into your computer.
2. Go to the ECA Certificate Enrollment form.

   Note: Internet Explorer 9 web browser is not supported at this time. If you have Internet Explorer 9 web browser, you will need to downgrade to Internet Explorer 8.

3. In the Select Enrollment Method section, select the Subscriber Enrollment using Trusted Agent radio button.
4. In the ECA Certificate Subscriber Information section, complete all mandatory fields marked with a red asterisk.

   Note: Enter your full legal name exactly as specified on your passport or birth certificate in the First Name and Last Name fields. Note: If you have a suffix after your last name (e.g. Smith, Jr.), enter both your last name and suffix in the Last Name field. Note: Only enter your company's legal business name in the Organization field.

5. In the Select Enrollment Type section, select Token Enrollment.
6. In the Enter Payment Type section, enter your sales order number received via email for the ECA certificate in the Sales Order Number field – DO NOT enter the sales order number associated with the token itself.

   Note: You must add an “11” to the beginning of your 8 digit sales order when enrolling.

7. In the Enter a Challenge Password section, enter a password in both the Challenge Password and Re-enter Challenge Password fields.
8. In the Subscriber Agreement section, read the terms and conditions of the Subscriber Agreement.
9. Click the Accept and Purchase button to submit your certificate request. Then, follow the prompts to install the CA Root Certificate.

The Symantec ECA Authentication team cannot approve your certificate request until you submit your ECA Subscriber Enrollment form.

1. Download and print ECA Subscriber Enrollment form, but do not sign this form yet. You must sign the ECA Subscriber Enrollment form in the presence of a Notary.
2. Fill out Section 1 of the ECA Subscriber Enrollment form.
3. Take the ECA Subscriber Enrollment to a Notary Public. You must present your valid Passport or Birth Certificate, valid Driver's License, and your Work ID Badge to the Notary. Use this checklist to help collect the necessary documents the Notary will require.

   Note: If you do not have a Work ID badge, you must download and print the Subscriber’s Organizational Contact form. Then, a separate full-time employee of your company must fill out and sign the Subscriber’ Organizational Contact form. The purpose of this form is to verify the ECA subscriber's employment within the same organization.

4. Sign the ECA Subscriber Enrollment form in the presence of a valid Notary. The Notary must list and confirm viewing of your ID documentation, stamp, and sign Section 2 of the ECA Subscriber Enrollment form.
5. Mail the signed ECA Subscriber Enrollment form to:

   Symantec Corporation
   Attn: Symantec ECA Authentication Support
   350 Ellis Street
   Mountain View, California 94043

6. Once the ECA Subscriber Enrollment form has been received by the Symantec ECA Authentication team, you will receive an email confirmation within 7 to 10 business days.

You must have your smart card or USB token plugged into your computer to pick up your certificates. The Root Certificates must also be installed before proceeding.

1. After reviewing your ECA Subscriber form, the Symantec ECA Authentication Support team will approve your certificate request. You will then receive an email stating your ECA certificate has been issued. This email contains an approval PIN required to pick-up your ECA Identity certificate.
2. Plug your smart card or USB token into your computer. Click the link in the email to access the ECA Certificate Installation web page, enter the PIN, and click the Continue button to download and install the ECA Identity certificate on your smart card or USB token.
3. After installing the ECA Identity certificate, you will immediately download and install the ECA Encryption certificate on your smart card or USB token.

   Note: Windows may prompt you to select a certificate to pick up the ECA Encryption certificate. If you get a pop-up window, select your ECA Identity Certificate and click the OK button.

You must install both Symantec ECA CA and DoD Root CA certificates to create a chain of trust. Web browsers (e.g. Internet Explorer) and email software (e.g. Microsoft Outlook) validate your ECA Identity and Encryption Certificates by verifying this chain of trust.

Step 1: Download & Install all Symantec ECA Root Certificates

Internet Explorer (Windows Vista & 7)

1. Open the Internet Explorer 7 or 8 web browser
2. Download the first certificate: https://eca2048.verisign.com/CA/ECARootCA2048.cer
3. Click Save button which launches Save As window
4. Select Desktop location, click Save button, and click Close button
5. Click Windows Start button
6. In the Search Programs and Files field, enter mmc, and click Enter button which opens a Console1 window with a Console Root sub-window.

   NOTE: You may need to click Yes to confirm that you wish to allow changes to your computer

7. Click File > Add/Remove Snap-in… option
8. From the Availablesnap-ins list, select Certificates option, and click Add button
9. Select Computer account radio button and click Next button
10. Keep Local computer radio button selection, click Finish button, and click OK button

    NOTE: You may not be prompted to select an account. If not, just click OK.

11. From the left pane under Console Root in blue, expand Certificates (Local computer or current user) option
12. Expand Trusted Root Certification Authorities option
13. Select Certificates folders and right-click your mouse
14. Select All Tasks > Import… which will launch a Certificate Import wizard.
15. Click Next button
16. Click Browse button and go to your Desktop location
17. Select ECARootCA2048.cer file and click Open button
18. Click Next button, click Next button again, click Finish button, and finally click OK button
19. Close the Console1 window

    Note: Click No button unless you wish to save the setup

20. Download the second certificate: https://knowledge.verisign.com/library/VERISIGN/ALL_OTHER/eca.tech.files/VeriSignECA2048-G3.cer
21. Click Save button which launches Save As window
22. Select Desktop location, click Save button, and click Close button
23. Go to your Desktop and double-click VerisignECA2048-G3.cer file which launches a Certificate window
24. Click Install Certificate.. button which launches a Certificate Import wizard
25. Click Next button and select Place all certificates in the following store radio button
26. Click Browse button, select Intermediate Certification Authorities option, and click OK button
27. Click Next button, click Finish button, and click OK button
28. Close Certificate window by clicking OK button

Internet Explorer (Windows XP)

1. Open the Internet Explorer 6 or 7 web browser
2. Download the first certificate: https://eca2048.verisign.com/CA/ECARootCA2048.cer
3. Click Save button which launches Save As window
4. Select Desktop location, click Save button, and click Close button
5. Go to your Desktop and double-click ECARootCA2048.cer file which launches a Certificate window
6. Click Install Certificate.. button which launches a Certificate Import wizard
7. Click Next button and select Place all certificates in the following store radio button
8. Click Browse button, select Intermediate Certification Authorities option, and click OK button
9. Click Next button, click Finish button, and click OK button
10. Close Certificate window by clicking OK button
11. Download the second certificate: https://knowledge.verisign.com/library/VERISIGN/ALL_OTHER/eca.tech.files/VeriSignECA2048-G3.cer
12. Click Save button which launches Save As window
13. Select Desktop location, click Save button, and click Close button
14. Go to your Desktop and double-click VerisignECA2048-G3.cer file which launches a Certificate window
15. Click Install Certificate.. button which launches a Certificate Import wizard
16. Click Next button and select Place all certificates in the following store radio button
17. Click Browse button, select Intermediate Certification Authorities option, and click OK button
18. Click Next button, click Finish button, and click OK button
19. Close Certificate window by clicking OK button

Firefox

1. Open the Firefox web browser
2. Download the first certificate: https://eca2048.verisign.com/CA/ECARootCA2048.cer
3. Keep Save File option and click OK button
4. Download the second certificate: https://knowledge.verisign.com/library/VERISIGN/ALL_OTHER/eca.tech.files/VeriSignECA2048-G3.cer
5. Keep Save File option and click OK button
6. In the main toolbar, click Tools > Options which launches Options window
7. Click Encryption tab and click View Certificates… button which launches Certificate Manager window
8. Click Authorities tab and click Import… button which a Select File window
9. Select ECARootCA2048.cer file and click Open button which launches Downloading Certificate window
10. Select all three checkboxes and click OK button
11. Click Import… button again which a Select File window
12. Select VeriSignECA2048-G3.cer file and click Open button which launches Downloading Certificate window
13. Select all three checkboxes and click OK button
14. Close Certificate Manager window by clicking OK button
15. Close Options windows by clicking OK button

Step 2: Download & Install DoD Root Certificates

Internet Explorer (Windows XP, Vista, & 7)

1. Open the Internet Explorer 6, 7, or 8 web browser
2. Go to DoD Class 3 PKI web site: http://dodpki.c3pki.chamb.disa.mil/rootca.html
3. Click on Download Root CA 2 Certificate (filename: rel3_dodroot_2048.p7b)
4. Click Save button which launches Save As window
5. Select Desktop location, click Save button, and click Close button
6. Click on Download External Certification Authority (ECA) Root CA (filename: dodeca.p7b)
7. Click Save button which launches Save As window
8. Select Desktop location, click Save button, and click Close button
9. Click on Download External Certification Authority (ECA) Root CA 2 Certificate (filename: dodeca2.p7b)
10. Click Save button which launches Save As window
11. Select Desktop location, click Save button, and click Close button
12. Exit Internet Explorer web browser
13. Go to your Desktop and double-click rel3_dodroot_2048.p7b file which launches a Certificate window
14. Click Install Certificate.. button which launches a Certificate Import wizard
15. Click Next button and select Place all certificates in the following store radio button
16. Click Browse button, select Trusted Root Certification Authority option, and click OK button
17. Click Next button, click Finish button, and click OK button
18. Close Certificate window by clicking OK button
19. Go to your Desktop and double-click dodeca.p7b file which launches a Certificate window
20. Click Install Certificate.. button which launches a Certificate Import wizard
21. Click Next button and select Place all certificates in the following store radio button
22. Click Browse button, select Trusted Root Certification Authority option, and click OK button
23. Click Next button, click Finish button, and click OK button
24. Close Certificate window by clicking OK button
25. Go to your Desktop and double-click dodeca2.p7b file which launches a Certificate window
26. Click Install Certificate.. button which launches a Certificate Import wizard
27. Click Next button and select Place all certificates in the following store radio button
28. Click Browse button, select Trusted Root Certification Authority option, and click OK button
29. Click Next button, click Finish button, and click OK button
30. Close Certificate window by clicking OK button

Firefox

1. Open the Firefox web browser
2. Go to DoD Class 3 PKI web site: http://dodpki.c3pki.chamb.disa.mil/rootca.html
3. Click on Download Root CA 2 Certificate http://dodpki.c3pki.chamb.disa.mil/rel3_dodroot_2048.cac (filename: rel3_dodroot_2048.cac)
4. Select all three checkboxes and click OK button
5. Click OK button twice to ignore warning messages
6. Click on Download External Certification Authority (ECA) Root CA http://dodpki.c3pki.chamb.disa.mil/dodeca.cac (filename: filename: dodeca.cac)
7. Select all three checkboxes and click OK button
8. Click OK button twice to ignore warning messages
9. Click Download External Certification Authority (ECA) Root CA 2 Certificate http://dodpki.c3pki.chamb.disa.mil/dodeca2.cac (filename: filename: dodeca2.cac)
10. Select all three checkboxes and click OK button
11. Click OK button twice to ignore warning messages
12. Exit Firefox web browser