Requesting and Provisioning Development Certificates

Follow these instructions for obtaining a certificate from the development Treasury CA:

  1. E-mail the PKI Operations team at PKI_Ops@fiscal.treasury.gov to request a device certificate.

  2. Include the Common Name as you want it to appear in the certificate, any Subject Alternative Names (SANs), a group email address, and any special requirements such as embedding both server and client authentication OIDs if needed.

  3. You will receive your activation codes (Reference Number and Authorization Code) by email. The activation code expires in 30 calendar days, but can be re-issued.

  4. Using the instructions of your particular key store (the information Generating a Web or Device Certificate from Treasury may prove helpful) generate a 2048 bit key and generate a Certificate Signing Request (CSR). In the Common Name field, the CN value has to be the reference number from step 3.

  5. Retrieve the certificate using Entrust Web Connector, https://devwc.treasury.gov .

    • Click Web server in the left hand pane.
    • Enter the reference number and authorization code into their respective boxes.
    • Paste the certificate request, including the BEGIN and END lines, into the large text box.
    • In the Options field, choose the format "displayed as PEM encoding of certificate in raw DER".
    • Click Submit Request.
    • Security Manager generates a certificate and sends it to the Enrollment Server. Copy the entire certificate to the clipboard box including the BEGIN and END lines.
    • Paste the certificate into a text file in the same directory as the private key and certificate request.
  6. Import the Web server certificate using your certificate store instructions.

NOTE: If you need to make modifications to the certificate such as adding or removing a SAN, or if you are experiencing problems, send an e-mail to PKI_Ops@fiscal.treasury.gov and we will assist you.