Certificate Chains

Most digital certificate problems are caused by broken certificate chains.

A certificate chain is a string of certificates from the one you are using (e.g., your certificate) to a certificate that is trusted by your computer. The first link of the chain is a self-signed certificate that a Root Certificate Authority (CA) issues to itself. The next link of the chain is a certificate that the Root CA issues to a Subordinate CA. The last link of the chain is an end-entity certificate that a Subordinate CA issued to you, a webserver, or some other person or device. A certificate chain is broken if your computer does not trust the Root CA or cannot find the certificates that link the end-entity to the trusted root.

The following certificate chains are used at NIH as part of the HHS PKI:

 

NIH DPKI Certificate Chain and CRLs

Please refer to the guides below before downloading and installing these certificates.

NIH Device PKI Certificate Chain 

The NIH Device Public Key Infrastructure (NIH DPKI) is the enterprise Certificate Authority (CA) used by all systems of the internal network. This infrastructure issues the digital certificates that NIH & HRSA Active Directory Domain Controllers need to support smart card authentication. NIH DPKI also issues certificates that uniquely identify and authenticate internal websites, services, applications, endpoints and more on NIH & HRSA networks. NIH DPKI provides secure and reliable AD-integrated PKI services at scale, with automation.

NIH-DPKI-ROOT-1A.cer (expires 9/17/2045)

    NIH-DPKI-CA-1A.cer (expires 9/18/2025)
    Thumbprint (6575199e4af8fe6cd9be0f17a87f878702654d88)
        NIH Domain Controllers

    NIH-DPKI-CA-1A.cer (expires 6/14/2033) NEW
    Thumbprint (7a52e193eb189dc6c47ebee32f5a3854913a072b)
        NIH Domain Controllers

 

NIH DPKI Certificate Revocation List (CRL)

NIH DPKI CRLs can be downloaded from this link: http://NIHDPKICRL.NIH.GOV/CertData

HHS PKI Certificate Chains and CRLs

Please refer to the guides below before downloading and installing these certificates.

HHS Entrust FCPCA Root G2

This certificate chain is the trust path used by HHS smart card certificates (issued since 10/14/2020) and HHS Internal Common Policy TLS certificates issued by Entrust.

Federal Common Policy CA G2 (expires 10/14/2040)
Root Certificate Store
Thumbprint (99b4251e2eee05d8292e8397a90165293d116028)

    Entrust Managed Services Root CA (expires 8/14/2029)
    Intermediate Certificate Store
    Thumbprint (07f5dc58f83778d5b5738a988292c00a674a0f40)

    Entrust Managed Services Root CA (expires 7/23/2025)
    Intermediate Certificate Store
    Thumbprint (855d98c924b3ee6216b1b8e25b4342f70565c394)

        HHS-FPKI-Intermediate-CA-E1 (expires 7/20/2025)
        Intermediate Certificate Store
        Thumbprint (d5e311406437c35a79bc023c2bbb57049f5d8f77)

        HHS-FPKI-Intermediate-CA-E1 (expires 7/23/2029) NEW 2022!
        Intermediate Certificate Store
        Thumbprint (492a40e6477eed5c39a58c24d6f3d5bffb0e1083)

        As of June 2022 PIV certificates are being issued by this CA.

            Your PIV Certificate


HHS Public Trust Certificate Chain

As of Fall 2022 HHS Public Trust certificates will utilize IdenTrust.

IdenTrust Commercial Root CA 1 (expires 1/16/2034)
Root Certificate Store
Thumbprint (df717eaa4ad94ec9558499602d48de5fbcf03a25)

    HydrantID Server CA O1 (expires 12/12/2029)
    Intermediate Certificate Store
    Thumbprint (3c97cbb4491fc8d63d12b4890c28548164198edb)



The following guides will help you diagnose and fix certificate chain problems:


Verifying an SSL Certificate's Thumbprint

  • Locate the certificate
  • Double click on the entry
  • Click the Details tab
  • Scroll to Thumbprint
  • The Thumbprint details will be displayed
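
The same check can be scripted when several certificate files have to be verified. The Python sketch below is an added example, not part of the original NIH page: it computes the SHA-1 thumbprint of a .cer file (DER or Base-64/PEM encoded) and compares it with a published value after removing the spaces, colons and invisible characters that copy-and-paste often brings along. The function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def cert_der(data: bytes) -> bytes:
    """Return the DER bytes of a .cer file that may be DER or PEM encoded."""
    m = PEM_RE.search(data)
    if m:
        # Remove line breaks inside the Base-64 body before decoding.
        return base64.b64decode(b"".join(m.group(1).split()), validate=True)
    return data

def thumbprint(data: bytes) -> str:
    """SHA-1 over the DER encoding, the value Windows shows as Thumbprint."""
    return hashlib.sha1(cert_der(data)).hexdigest()

def normalize_thumbprint(text: str) -> str:
    """Strip spaces, colons and invisible marks, then require 40 hex digits."""
    cleaned = re.sub(r"[\s:\u200b-\u200f\u202a-\u202e\ufeff]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", cleaned):
        raise ValueError("published thumbprint is not 40 hex digits")
    return cleaned

def matches(data: bytes, published: str) -> bool:
    """True only if the file's thumbprint equals the published one."""
    return hmac.compare_digest(thumbprint(data), normalize_thumbprint(published))

# Constructed sample input: placeholder bytes standing in for a DER
# certificate, plus the same bytes in PEM form. Not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x0a" + b"constructed placeholder, not a real certificate"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Simulate a pasted value: upper case, byte-separated, with a hidden mark.
    pasted = "\u200e" + " ".join(re.findall("..", thumbprint(SAMPLE_DER).upper()))
    print("match:", matches(SAMPLE_PEM, pasted))
```

A match only shows that the file is the one the publisher described, so the published thumbprint should come from a source you already trust rather than from the same download as the certificate.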

You need system administrative privileges to install root certificates. If you do not have system administrative privileges, please contact the NIH IT Service Desk to have these certificates installed on your computer.


Information and Assistance

For additional information, search the NIH IT Knowledge Base for tutorials, instruction sheets and user guides or refer to the appropriate How-To Guide.

For questions or user support, please contact the NIH IT Service Desk.