Skip to content

Installing ECA Tokens

The purpose of this documentation is to outline the entire process of aquiring an ECA hardware token from Identrust and provisioning the token to work with Platform one Applications, specifically to access IL-5 resources

Equipment used: - MacBook Pro M2 - IOGEAR GSR203 card reader - LENTION 4-in-1 USB-C hub

Step 1: Acquire ECA

  • Hardware Tokens are the only thing Authorized for IL-5 Access
  • Acquiring an ECA token from Identrust must be accomplished within 30 days of purchase to receive the token. If this is not completed within the time frame the process must be reinitiated.

1.1 ECA Submission Process

To begin the ECA acquisition process, you need a voucher from your company, or to use your own credit card to purchase an ECA from

  1. Go to ECA Certificates for DoD Access | IdenTrust
  2. Click the BUY NOW hyperlink
  3. Scroll to the bottom of the page, and under “DoD ECA Programs,” check No ECA Agency Affiliation Is Required / Click NEXT
  4. “I Live in the US.” Click Yes / Click NEXT
  5. “Select A Certificate” Check ECA Medium Token Assurance | Hardware Storage $185.00 - $445.00 / Click NEXT
  6. “Please Select The Certificate Validity Period” Check 1 Year - $185.00 / “Please Select The Storage Device For Your Certificate” Check HID Smart Card - $71.00 / Click NEXT
    • *Note: If a card reader is required you have three options available
      • You can select "HID Smart card with card reader"
      • Inquire with your company if the company will provide one to you
      • Purchase one online
      • Note: The card reader provided by Identrust has a USB-A interface, this means you will need to purchase a USB hub/dongle for your computer if it only has USB-C ports.
  7. “Verify Your Selections” Click BUY NOW
  8. “Retrieve Your Certificate” (Voucher, if you have one) Enter Voucher – Provided by your company
  9. Scroll down to Program Affiliation Select NO PROGRAM AFFILIATION IS REQUIRED / Click NEXT
  10. “Headquarters Information” (Organization Name) Enter your company name (Your Email Address) Enter your email address and corporate postal code
  11. Search Results Select your company name / click SELECT ORGANIZATION / (Confirm Your Organization Information) Pop up / Click Yes
  12. “Personal Information” Complete all Fields – NOTE: enter your home address or where you want the PKI card sent. Click Next
  13. Once your account is created you should be asked to download the “DoD ECA Medium Assurance | Software Storage & Medium Token Assurance | Hardware Storage Certificate Forms Packet”

1.2 ECA Authorization Verification

Once you have downloaded and printed the “DoD ECA Medium Assurance | Software Storage & Medium Token Assurance | Hardware Storage Certificate Forms Packet” please read through it carefully. The steps below are extracted from the documentation.

NOTE: This will need to be WET SIGNED and original. Photocopies or scans are not allowed. IdenTrust must receive the inked paper.

At the Bottom of Page 2 under Applicant put the following information
- Print Applicants legal first and last name: (do not use nickname)
- Print Organization name - Address line 1 - City, State/Province, Country, Postal Code - Organization Officer's name - Organization Officer's title - Organization Officer's telephone number - Organization Officer's email

Your organization Officer will WET sign on "Organization Officer's Signature" and Date it on "Date Organization Officer signed"

Page 4 must be completed in the presence of a licensed notary in your county. Do not mark or sign this paper at home. All the material needs to be filled in in front of the notary, or the notary may choose to not sign it.

You will need to present an ID for 2 of the 3 lists below.

  • US Citizens: One from List A and one from list B or C, – or – One from List B and one from List C.
  • Non-US Citizens: Valid Passport and one from List B.

If you made more than one citizenship assertion in your certificate request, you must provide a valid passport for each.

Photo ID document that establishes identity and citizenship

- Passport from country of citizenship

- Certificate of U.S. Citizenship issued by USCIS (formerly INS)

- Certificate of Naturalization issued by a court of competent jurisdiction prior to October 1, 1991 or the USCIS (INS) since that date
Photo ID document that establishes identity

- Military ID w/ photo
- Driver’s license or government issued ID card w/ photo

- Permanent or Unexpired Temporary Resident Card issued by the USCIS w/ photo
Document that establishes US Citizenship

- Consular Report of Birth from a US Consulate (Form FS-240)

- Certificate of Birth Abroad issued by the US Department of State (Form DS-1350)

- Original or certificated copy of birth certificate issued by County, State or government authority bearing an official seal

Once this form is signed by the notary, you will mail it to the address provided on part 2.

Registration Department
IdenTrust Services
5225 W. Wiley Post Way, Ste 450
Salt Lake City, UT 84116-2898

This should be sent in a document mailer, with full tracking for best results. IdenTrust may not claim to have received your documents if you do not have a tracking number on them, at which point you need to start over.

NOTE: IdenTrust will physically call your registered phone number for your company. They must speak to the person who signed the form in part 1. If they cannot contact or reach that person, your application will be on hold. Do not submit this paperwork directly preceding your security officers known out of office status or vacation as this will cause the application process to fail and you will need to re-complete it.

1.3 ECA Aquisition

Once your paperwork is complete, and has been approved (typically 3-5 business days from Identrust receiving the paperwork) you will receive an email with instructions on certificate installation.

DO NOT PROCEED until you physically have your token.

Once you have received you card and card reader you can continue on to Step 2: Provisioning your ECA Card

Step 2: Provision your ECA Card

Once you have received your physical token.

2.1 Install OpenSC

Installing OpenSC is fairly simple, you will want to navigate to the OpenSC releases page and download the latest version in dmg format. In this dmg will be an installer and an uninstaller. Use the installer to install the software and it's libraries into your computer. Alternatively for the more advanced MacOS user, there is a brew formula available, no documentation is provided for the brew formula with this guide, if you're familiar with brew this may be a better alternative for you. However, please keep in mind, all library paths will be different than this guide and you will need to sort that out yourself.

2.2 Reboot Your Computer

While this seems unnecessary on a Mac, I found that a reboot cleanly allowed the card reader to initialize after OpenSC was installed. Please reboot your computer at this point without your smart card in the reader. Upon rebooting, log back into your computer, and insert your smart card only after you've reached your desktop. Once you insert your card, you should have a notification window showing that the card was detected and asking to pair it to your user account. This pairing process allows you to login to your computer with the smart card and pin. This is also a good indicator that your smart card is being read properly and is ready for use.

2.3 (Optional) Testing OpenSC

Once OpenSC is installed, and your card reader is plugged in, you've rebooted, you can test your card reader.

Open a terminal on your computer and use this command with your card in your card reader:

$ /Library/OpenSC/bin/pkcs11-tool --login --test

You should get output that looks very similar to the following:

$ /Library/OpenSC/bin/pkcs11-tool --login --test

Using slot 0 with a present token (0x0)  
Logging in to "Johnny Example:A0000B0000000...".  
Please enter User PIN: ******  

C_SeedRandom() and C_GenerateRandom():  
  seeding (C_SeedRandom) not supported  
  seems to be OK  
  all 4 digest functions seem to work  
  MD5: OK  
  SHA-1: OK  
  RIPEMD160: OK  
Signatures (currently only for RSA)  
  testing key 0 (CAC Cert 5)  -- can't be used for signature, skipping  
  testing key 1 (CAC Cert 14)  
  all 4 signature functions seem to work  
  testing signature mechanisms:  
    RSA-X-509: OK  
    RSA-PKCS: OK  
    MD5-RSA-PKCS: OK  
    SHA256-RSA-PKCS: OK  
  testing key 1 (CAC Cert 14) with 1 mechanism  
    RSA-X-509: OK  
Verify (currently only for RSA)  
  testing key 0 (CAC Cert 5) -- can't be used to sign/verify, skipping  
  testing key 1 (CAC Cert 14) with 1 mechanism  
    RSA-X-509: OK  
Decryption (currently only for RSA)  
  testing key 0 (CAC Cert 5)  
    RSA-X-509: OK  
    RSA-PKCS: OK  
  testing key 1 (CAC Cert 14) -- can't be used to decrypt, skipping  
No errors

Once you get the "no errors" line, your card is now communicating properly with your computer and you can move on to configuration applications to consume your new ECA.

LikeBe the first to like this

2.4 Retrieve IdentTrust Certificates

Open the email "Your IdenTrust Certificate has been Approved!" sent by and follow the instructions.

  • Proceed to URL:
  • Enter Activation code and password (Password was set up during your ECA Submission process)
  • Click "YES - I am ready to retrieve"
  • Download and open IdentTrust Retrieval Application and follow the prompts to test functionality.

Step 3: Install Certificates

In order to properly access sites and have your ECA work on websites, you need to trust the certificates that are being used throughout the various DOD websites you'll be accessing. This can be done by installing the corresponding DOD CA roots to your computer.

DOD Certificates

First, you're going to need to install the various DOD certificates. Instead of duplicating information, the website is considered the greater source of truth when it comes to this information. You can view the DOD certificate installation process located here.

These certificates should also be installed in Firefox, so please make sure you follow the steps in the above article fully from beginning to end, with an emphasis on step 5a.

IdenTrust Certificates

You're also going to want to install the IdenTrust ECA certificate which you can find here. You'll want to download and install the certificates exactly how you did for the DOD Certificates above.

Step 4: Configure Applications

If configuration was not done automatically below are some things to try. When configuring a new application that allows for the introduction of a new PKCS11 library, the library you want to use is /Library/OpenSC/lib/ , this library is what will be used to enable SmartCard/PIV in your various applications. If you choose to install OpenSC via brew, your actual library path will differ. Depending on when you installed brew and what platform you installed it on, the library could be in /usr/local or in /opt  somewhere. The documentation past this point assumes you installed OpenSC from the GitHub page and it's located at the standard location in /Library/OpenSC  though.