Certificate Chains: Download links
Article: KB0020936 Published: 2024-01-25 Last modified: 2024-02-12


General Information


A certificate chain is a string of certificates from the one you are using (e.g., your certificate) to a certificate that is trusted by your computer. The first link of the chain is a self-signed certificate that a Root Certificate Authority (CA) issues to itself. The next link of the chain is a certificate that the Root CA issues to a Subordinate CA. The last link of the chain is an end-entity certificate that a Subordinate CA issued to you, a webserver, or some other person or device. A certificate chain is broken if your computer does not trust the Root CA or cannot find the certificates that link the end-entity to the trusted root.

Most digital certificate problems are caused by broken certificate chains.

 

Types of Certificate Chains


NIH DPKI Certificate Chain and CRLs
Used to trust internal NIH Domain Controllers, webservers and desktops.

HHS Entrust FCPCA Root G2 Certificate Chain
Used to trust smart cards and some internal NIH webservers.

HHS Public Trust Certificate Chain
Public Trust Certificates -- intended solely for publicly facing web sites.

See below for more information on these certificates.

Note: You need system administrative privileges to install root certificates. If you do not have system administrative privileges, please contact the NIH IT Service Desk to have these certificates installed on your computer.

 

Certificate Chains


For information on obtaining, renewing or replacing HHS provided TLS certificates, please refer to the following sections:

 

NIH DPKI Certificate Chain and CRLs


The NIH Device Public Key Infrastructure (NIH DPKI) is the enterprise Certificate Authority (CA) used by all systems on the internal network. This infrastructure issues the digital certificates that NIH & HRSA Active Directory Domain Controllers need to support Smartcard authentication. NIH DPKI also issues certificates that uniquely identify and authenticate internal websites, services, applications, endpoints and more on NIH & HRSA networks. NIH DPKI provides secure and reliable AD-integrated PKI services at scale and with automation.

Note: Please assess browser configurations prior to downloading the certificates below. Browsers should be set to accept downloads and pop-ups from the NIHDPKICRL.NIH.gov website. However, if the download is still not appearing as expected, please right-click the specified cert link and select “Save As,” and then “Save.”


NIH-DPKI-ROOT-1A.cer (expires 9/17/2045)
Thumbprint (ce432244a6da633144c4dec6e7e55d835d8a7d8f)

NIH-DPKI-CA-1A.cer (expires 9/18/2025)
Thumbprint (6575199e4af8fe6cd9be0f17a87f878702654d88)

NIH Domain Controllers
NIH-DPKI-CA-1A.cer (expires 6/14/2033) NEW
Thumbprint (7a52e193eb189dc6c47ebee32f5a3854913a072b)

NIH DPKI Certificate Revocation List (CRL)
NIH DPKI CRLs can be downloaded from this link: http://NIHDPKICRL.NIH.GOV/CertData.



HHS Entrust FCPCA Root G2


This certificate chain is the trust path used by HHS smart card certificates (issued since 10/14/2020) and HHS Internal Common Policy TLS certificates issued by Entrust.

Note: Please assess browser configurations prior to downloading the certificates below. Browsers should be set to accept downloads and pop-ups from the NIHDPKICRL.NIH.gov website. However, if the download is still not appearing as expected, please right-click the specified cert link and select “Save As,” and then “Save.”


Federal Common Policy CA G2 (expires 10/14/2040)
Root Certificate Store
Thumbprint 99b4251e2eee05d8292e8397a90165293d116028

Entrust Managed Services Root CA-G2 (expires 8/14/2029)
Intermediate Certificate Store
Thumbprint 07f5dc58f83778d5b5738a988292c00a674a0f40

Entrust Managed Services Root CA (expires 7/23/2025)
Intermediate Certificate Store
Thumbprint 855d98c924b3ee6216b1b8e25b4342f70565c394

HHS-FPKI-Intermediate-CA-E1 (expires 7/20/2025)
Intermediate Certificate Store
Thumbprint d5e311406437c35a79bc023c2bbb57049f5d8f77

HHS-FPKI-Intermediate-CA-E1 (expires 7/23/2029)
Intermediate Certificate Store
**Updated as of 2022**
Thumbprint 492a40e6477eed5c39a58c24d6f3d5bffb0e1083

As of June 2022, PIV certificates are being issued by this CA.



HHS Public Trust Certificate Chain


As of Fall 2022, HHS Public Trust certificates will utilize IdenTrust.

Note: Please assess browser configurations prior to downloading the certificates below. Browsers should be set to accept downloads and pop-ups from the NIHDPKICRL.NIH.gov website. However, if the download is still not appearing as expected, please right-click the specified cert link and select “Save As,” and then “Save.”


IdenTrust Commercial Root CA 1 (expires 1/16/2034)
Root Certificate Store
Thumbprint (df717eaa4ad94ec9558499602d48de5fbcf03a25)

HydrantID Server CA O1 (expires 12/12/2029)
Intermediate Certificate Store
Thumbprint 3c97cbb4491fc8d63d12b4890c28548164198edb


 

Verifying an SSL Certificate's Thumbprint


  1. Locate the certificate
  2. Double click on the entry
  3. Click the Details tab
  4. Scroll to Thumbprint
  5. The Thumbprint details will be displayed
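
The Thumbprint shown in that dialog is the SHA-1 hash of the certificate's DER encoding, so a downloaded .cer file can also be checked against the values on this page before it is installed. The script below is an added example, not part of the original article: the function names and the sample bytes are constructed for illustration, and the `PUBLISHED` table copies the three root thumbprints listed above.

```python
import base64
import hashlib
import re

# Root thumbprints copied from this page (SHA-1 over the DER encoding).
PUBLISHED = {
    "ce432244a6da633144c4dec6e7e55d835d8a7d8f": "NIH-DPKI-ROOT-1A",
    "99b4251e2eee05d8292e8397a90165293d116028": "Federal Common Policy CA G2",
    "df717eaa4ad94ec9558499602d48de5fbcf03a25": "IdenTrust Commercial Root CA 1",
}

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def der_bytes(raw: bytes) -> bytes:
    """Return DER bytes from a .cer file saved as either DER or Base64 (PEM)."""
    m = PEM_RE.search(raw)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return raw


def thumbprint(raw: bytes) -> str:
    """SHA-1 of the DER encoding, as lowercase hex."""
    return hashlib.sha1(der_bytes(raw)).hexdigest()


def normalize(pasted: str) -> str:
    """Drop spaces, colons and invisible marks (e.g. U+200E) from a pasted value."""
    return re.sub(r"[^0-9a-f]", "", pasted.lower())


def identify(raw: bytes):
    """Name of the published root this file matches, or None if it matches none."""
    return PUBLISHED.get(thumbprint(raw))


def matches(raw: bytes, pasted: str) -> bool:
    """True when the file's thumbprint equals a value pasted from a dialog or page."""
    return thumbprint(raw) == normalize(pasted)


# Constructed stand-in bytes, NOT a real certificate: they only show that the
# DER and Base64 forms of the same file produce the same thumbprint.
SAMPLE_DER = bytes.fromhex("3082000a") + b"constructed-sample"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
```

For a real download, pass the file's bytes (for example `open(path, "rb").read()`) to `identify`; a result of `None` means the file does not match any thumbprint in the table and should not be installed as that root.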


 

Information and Assistance


The following KB article can help you diagnose and fix certificate chain problems: HHS ID Badge: Manage your Certificate Chains (Windows).

For additional information, search the NIH IT Knowledge Base for tutorials, instruction sheets and user guides. 


 

NIH IT Service Desk Contact Information


Local: 301-496-4357
Toll-Free: 1-866-319-4357
TTY: 711
NIH IT Service Desk Portal: http://itservicedesk.nih.gov/


 

