How to implement ICAM

ICAM Engineering Guides are for system administrators configuring agency infrastructure, servers, and enterprise applications for authentication and other ICAM processes. The guides are focused on U.S. federal government implementations.

The majority of engineering guides focus on helping agencies configure PIV credential authentication in the most common operating systems and applications. A new series of FIDO multi-factor authentication playbooks is also included.

Configuration Guides

  1. On-Premise Smart Card Configuration
    1. Windows Domains
    2. Windows Devices
    3. MacOS Devices
    4. SSH Command Line
    5. Firefox Browser
    6. Microsoft Outlook
  2. Cloud Certificate-based Authentication Configuration
    1. Cloud or Hybrid-Joined Azure Entra ID
    2. Okta (Coming soon!)
  3. FIDO2 Configuration
    1. Windows Hello for Business
    2. Security keys (Coming soon!)

ICAM Troubleshooting Tools

ICAM leverages a number of open, standards-based protocols for interoperability and data transfer. The Federal PKI is also a large, distributed ecosystem of over 180 certification authorities. Each certification authority operates independently, which makes it challenging to troubleshoot why a PIV certificate fails to validate. The tools below help troubleshoot ICAM issues.

  1. Federal PKI Validation
    1. FPKI Ecosystem Changes - This page collects three sets of information together with an associated certificate bundle.
      1. FPKI Graph - The FPKI Graph displays the relationships between the certification authorities in the Federal PKI (FPKI) ecosystem.
      2. PIV Issuer Information - List of active PIV issuing CAs with end entity certificate distribution points.
      3. FPKI System Change and Notification - List of changes to FPKI CA endpoint URLs, such as Certificate Revocation List Distribution Points and Online Certificate Status Protocol (OCSP) endpoints, and other CA certificate activity.
      4. FPKI Certificate Bundle - A certificate bundle in .p7b format that contains all CA certificates that chain to the Common Policy CA and can be viewed in the FPKI Graph.
    2. Personal Identity Verification (PIV) Cert Validator Tool - The PIV Certificate Validator is a web application hosted by Max.gov that verifies the certificates found on a PIV card. This tool is helpful in troubleshooting browser authentication issues.
    3. FPKI Trust Infrastructure “HTTP.FPKI.Gov” URL Site Map (PDF, September 2022) - A consolidated list of public repository information for FPKI resources.
  2. Federal PKI Deep Analysis
    1. FPKI Certificate Profile Conformance Tool (CPCT) - CPCT is a self-hosted application that analyzes an FPKI certificate for conformance. Use this tool to identify whether an FPKI certificate is compliant with its certificate profile.
    2. PIV and PIV-I Card Conformance Tool (CCT) - A GSA-developed Java tool similar in function to the CPCT, but for PIV and PIV-I smart card testing. This is useful in identifying issues with a smart card.
    3. NIST SP 800-85B (SP 800-73-4) Test Tool - Used to read the detailed contents of a PIV card when integrating PIV with various infrastructure components.
  3. PKI Tools
    1. PKI Interoperability Test Tool (PITT) for Microsoft Windows - PITT is a utility for inspecting and troubleshooting certification path processing for a given PKI using both PKIF and Microsoft CAPI. It is especially useful for identifying path discovery and validation issues as well as PKI performance problems.
    2. crt.sh - Certificate Transparency log search used to find and audit publicly issued TLS certificates. This is helpful in identifying all publicly logged certificates issued for a hostname.
  4. FIDO2 Tools
    1. Coming soon!
  5. Federation Tools
    1. Coming soon!

Find Additional Guides

You can find additional guides across agency websites by using a few simple methods:

  1. Search on the Internet: include the server or application or topic and add “+PIV +CAC”
  2. Search on the Internet: include the server or application or topic and add “+x509”
  3. Search on Max.gov: Max.gov requires you to log in. Try searching for the topic or guide.

If you don’t find what you’re looking for, open an Issue. We can help look through the archives of guides that haven’t been posted yet or help you send a request to the government listservs.

Your contributions are encouraged and welcome! You can contribute to this effort or open an Issue to discuss a need you may have for a guide.

Are you trying to solve a problem?

Your colleagues have likely encountered or solved the same problem. Engineering guides exist across government. This site’s purpose is to organize tips from agency engineers, help link to .gov or .mil information available, and provide a common site for collaboration.

IDManagement.gov

An official website of the U.S. General Services Administration