-
DELIVERING CYBER DEFENSE AND IDENTITY ASSURANCE SOLUTIONS TO THE AIR FORCE
https://intelshare.intelink.gov/sites/usaf
-pki/
Air Force
Public Key Infrastructure
System Program Office
-
’
’
-
-
.
OPR: AFPKI SPO CI-13-01-114 November 2021
The AFPKI SPO is aware of the inconvenience imposed upon you to complete the 3-step process outlined here. With your experience in
mind, we have automated the process as much as we can and will connue to work to make the CAC replacement transion seamless.
a. Insert your new CAC in the card reader and click the buon (Windows icon at boom le of system tray)
b. Click on >
c. Select the tab > buon
d. Select all “old” cercates
Previously recovered email encrypon cercates “” “”)
DoD email cercates based on expiraon dates only
e. Click the buon, then click at the warning
a. Remove your new CAC from the card reader and reinsert it
b. Open then click > > >
c. At the next window, select
d. At the next window, in the “” area, click the buon
e. In the “” pop-up, click the buon unl it is grayed out; click
f. Back in the , click the buon
g. In the “” pop-up, click the buon for and
select the most current -cercate; if none are showing, click “”
and select the correct cercate; click
h. Verify the shown is “;” if not, click the drop-down arrow, select
“”
i. In the “” pop-up, click the buon for and
select the most current -cercate; click
j. Verify the shown is “-;” if not, click the drop-down arrow,
select “-” then click
k. At the warning pop-up, click ; enter your if prompted
l. Once all windows are populated and all three checkboxes are checked, click “” Your work-
staon is now congured to use the PKI cercates on your new CAC.
Ex: Signing Certificate
Ex: Encryption Certificate
Your new CAC contains a new Email Encrypon cercate and corresponding public/private encrypon key pair. Any email encrypted
with your cannot be opened with the new key; therefore, to read those email messages, you must
. There are two methods to recover an encrypon key: (recommended) and .
a. Open a browser and type in one of the following URLs (case sensive)
-
-
b. When prompted to choose a cercate, select your -, then enter your PIN if prompted
c. At the “” (AKRA) page, click . Note the list of all your escrowed encrypon keys available
for recovery. Review the list, then based on the date range, select the key that
matches the meframe of the encrypon key you wish to recover.
: Key Usage must be “” no other cercates can
be recovered
: DO NOT RECOVER any encrypon keys with a “Not Valid Before…”
date within one day of your newly issued CAC
d. Click the blue buon
For more PKI related informaon, visit the AFPKI Website at hps://go.intelink.gov/AFPKI (case sensive; CAC required)
For PKI technical support, contact the AFPKI Help Desk at 210-925-2521 (DSN 945) or e-mail: [email protected]
OPR: AFPKI SPO CI-13-01-114 November 2021
When aempng the Automated Key Recovery process, if no encrypon keys appear, follow these procedures for the
process. This process is for .
a. Open an Internet browser
b. Enter the following URL into the web browser:
hps://intelshare.intelink.gov/sites/usaf-pki/SitePages/Manual%20Key%20Recovery%20Process.aspx
c. Download and complete the , then submit the completed form to the Air Force Key Recovery Agent
(AF KRA) via a digitally signed email to: afpki.registra[email protected]. Enter “” as the subject
d. Allow 5-7 business days to process the request (if this is an urgent request, include “” in the subject line and provide
juscaon for the urgency in the body of the e-mail message)
To manually recover SIPRNet encrypon keys, obtain the form from the or from your
issuing Local Registraon Authority (LRA). The request should include the Token ID (i.e., 20-character number located on the back of
the token). and your current SIPRNet token to submit the form to the AF KRA via digitally signed, unen-
crypted email to the AF KRA SIPRNet email address: USAF.JBSA.AFLCMC.MBX.AFPKI.Registra[email protected]. (DO NOT SEND THE
REQUEST ON NIPRNET).
e. At the pop-up window asking for acknowledgement that you are the subscriber of the escrowed key selected, click “
” then click
The AKRA returns with a “” link and a complex, -
-
DO NOT click the Download link unl you’ve the pass-
word as shown or captured a screenshot (copy/paste will not
work). : this page is only available for a few minutes.
f. Once you’ve captured the password, click on the “” link, then click (do not click Save)
g. Click at the “” screen
h. Click at the “” prompt
i. At the “” screen, check the “” checkbox, then enter
the -
j. Verify the password is correct, then click
k. At the “” prompt, select “” then click
l. At the “” screen, click
m. At the “” pop-up, click
The recovered key is now installed in the cercate store and ready for use. When opening previously encrypted email, MS Outlook
will automacally select the corresponding encrypon key from the cercate store to decrypt the message.
