Transport Layer Security (TLS) digital certificates are issued to web servers and other devices to support Hypertext Transfer Protocol Secure (HTTPS) communications.
The Department of Health and Human Services (HHS), under its contract with Entrust, provides two forms of TLS certificate at no cost to your IC or program. These standard, single-server TLS certificates are:
- Public Trust Certificates -- intended solely for publicly facing web sites.
- Common Policy (Internal Trust) Certificates -- to be used for HHS or NIH-only internal web sites and services.
For information on obtaining, renewing or replacing HHS-provided TLS certificates, refer to the sections below:
HHS Public Trust TLS Certificates
Public Trust TLS Certificates are intended solely for publicly facing web servers. Public Trust certificates are issued by the IdenTrust Certification Authority and chain up to the IdenTrust Commercial Root CA 1 root Certificate Authority.
Note: To receive HHS Public Trust TLS certificates, the server URL must be in the .nih.gov or .hhs.gov domains.
How to Get HHS Public Trust TLS Certificates
To request an initial Public Trust TLS Certificate, follow the instructions in the Public Trust TLS Certificate Request Procedures guide (Microsoft Word - 337KB).
If you are replacing an existing HHS Entrust Public Trust Certificate, please refer to the Renew/Replace instructions below. New certificate requests for servers that have an existing HHS Entrust Public Trust Certificate will be rejected.
Note: To become an NIH TLS authorized requestor, send an email request to USHHSPKIHelpdesk@deloitte.com.
How to Renew/Replace HHS Public Trust TLS Certificates
To renew or replace an existing HHS Entrust Public Trust Certificate, please:
1. Generate the Certificate Signing Request (CSR) on the web server that holds the current Entrust certificate.
2. Send a digitally signed email to USHHSPKIHelpdesk@deloitte.com that:
   - specifies the Common Name (CN) of the web server (e.g., webserver.nih.gov), and
   - attaches the CSR file created in step 1.
3. You will receive information on how to retrieve the re-issued certificate in a reply email.
Note: Your prior Public Trust TLS certificate will be automatically revoked seven (7) days after a renewal/replacement certificate is issued.
HHS Common Policy TLS Certificates
Common Policy (Internal Trust) TLS Certificates are to be used for internal web sites and services. Common Policy certificates are issued by the same HHS-FPKI-Intermediate-CA-E1 Certificate Authority used to issue HHS Personal Identity Verification (PIV) digital certificates and chain up to the Federal Common Policy CA root Certificate Authority.
Note: To receive HHS Common Policy TLS certificates, the server URL must be in the .nih.gov or .hhs.gov domains.
How to Get HHS Common Policy TLS Certificates
To request an initial Common Policy TLS Certificate, follow the instructions in the Common Policy TLS Certificate Request Procedures guide (Microsoft Word - 626KB).
If you are replacing an existing HHS Entrust Common Policy Certificate, please refer to the Renew/Replace instructions below. New certificate requests for servers that have an existing HHS Entrust Common Policy Certificate will be rejected.
Note: To become an NIH TLS authorized requestor, send an email request to USHHSPKIHelpdesk@deloitte.com.
How to Renew/Replace HHS Common Policy TLS Certificates
To renew or replace an existing HHS Common Policy Certificate, please:
1. Send a digitally signed email to USHHSPKIHelpdesk@deloitte.com requesting certificate replacement.
2. Specify the Common Name (CN) of the web server whose certificate is being replaced (e.g., webserver.nih.gov).
3. Do NOT submit a Certificate Signing Request (CSR) file with this request.
4. You will be sent a new authorization code and reference code in a reply email.
5. Follow the steps documented in Section 4.2.2, Submit a Certificate Signing Request (CSR), of the Common Policy TLS Certificate Request Procedures guide (Microsoft Word - 626KB).
Note: Your prior Common Policy TLS certificate will be automatically revoked seven (7) days after a renewal/replacement certificate is issued.
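As an added example, not taken from the HHS/NIH page or its procedures guides, the following shell function performs the CSR step that both renewal procedures lead to (step 1 of the Public Trust procedure, and the CSR submission of Section 4.2.2 in the Common Policy guide): it refuses a hostname outside .nih.gov/.hhs.gov before any key is generated, produces the key and CSR with openssl, and checks the CSR before it is sent to the helpdesk. It assumes OpenSSL 1.1.1 or later is installed; the function names and file layout are my own.

```shell
#!/usr/bin/env bash
# Added example, not from the HHS/NIH page: the "generate the CSR on your web
# server" step, with the page's .nih.gov/.hhs.gov rule enforced up front.
set -u

# Returns 0 when the hostname falls under .nih.gov or .hhs.gov, the only
# domains for which HHS will issue a certificate.
hhs_domain_ok() {
  case "$1" in
    *.nih.gov|*.hhs.gov) return 0 ;;
    *) return 1 ;;
  esac
}

# make_hhs_csr <cn> <outdir>
# Writes <outdir>/<cn>.key (2048-bit RSA, mode 0600) and <outdir>/<cn>.csr.
# The CN is repeated as a DNS subjectAltName because browsers no longer
# accept a certificate whose name appears only in the CN.
make_hhs_csr() {
  local cn="$1" outdir="$2" cfg
  hhs_domain_ok "$cn" || { echo "refusing: $cn is outside .nih.gov/.hhs.gov" >&2; return 1; }
  mkdir -p "$outdir" || return 1
  cfg="$(mktemp)" || return 1
  cat >"$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $cn
[ext]
subjectAltName = DNS:$cn
EOF
  # umask in a subshell so the private key is never world-readable.
  if ! (umask 077 && openssl req -new -newkey rsa:2048 -nodes -config "$cfg" \
          -keyout "$outdir/$cn.key" -out "$outdir/$cn.csr" 2>/dev/null); then
    rm -f "$cfg"; return 1
  fi
  rm -f "$cfg"
  # Sanity checks before the CSR is emailed to the helpdesk: the
  # self-signature must verify and the subject must carry the requested CN.
  openssl req -in "$outdir/$cn.csr" -noout -verify 2>/dev/null || return 1
  openssl req -in "$outdir/$cn.csr" -noout -subject | grep -q "CN *= *$cn\$" || return 1
}
```

Only the .csr file is attached to the signed email; the .key file stays on the server and is what the re-issued certificate will be installed against.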
Other Sources of TLS Certificates
Commercial vendors provide both standard and advanced (e.g., wildcard or multi-domain) TLS certificates. These may be acquired directly from commercial vendors such as:
Information and Assistance
For additional information, search the NIH IT Knowledge Base for tutorials, instruction sheets and user guides, or refer to the appropriate How-To Guide.
For questions or user support, please contact the NIH IT Service Desk.