CITE Participation Guide

Prepared By: The FPKI Technical Working Group (TWG)
An FPKI Policy Authority Working Group

Updated: September 7, 2022

Overview

The Community Interoperability Test Environment (CITE) was established as the FPKI integrated test environment. CITE provides the FPKI community with a test environment that tries to mimic the production FPKI hierarchy and is managed by the Federal PKI Management Authority (FPKIMA). It contains a Test Federal Common Policy and Test Federal Bridge that issue test CA certificates to participating Shared Service Providers, Federal Agency PKI, and Non-Federal Affiliates (referred to as FPKI Partners). CITE Participants refer to an FPKI Partner establishing a test PKI certified or cross-certified with the Test Common Policy or Test Bridge CA.

• Testing Use Cases
• Technical Specifications
• Scheduled and Unscheduled Testing
• Repository Availability
• Technical Support Availability
• Test Websites
• Appendix A - Test Policy Object Identifiers

This guide is a practice guide for FPKI Partners who want to either become CITE participants or leverage CITE for FPKI testing.

Testing Use Cases

The main purpose of CITE is interoperability and infrastructure testing of PKI components and Relying Party applications. Additional types of testing may be identified and conducted as necessary and to the extent supported by CITE Participants. CITE should not be used for system stress testing. Infrastructure testing ensures that upgrades, patches, policy changes, new products, and any other changes to the production FPKI do not adversely affect interoperability.

Relying Party application testing ensures that application modules operate as intended. In addition, application testing ensures that the system performs as expected and can properly process transactions that rely on FPKI certificates.

This document does not define how to perform testing in CITE. That is a responsibility of the CITE Participants. Some examples of testing conducted in CITE include:

1. Interoperability testing between cross-certified Certification Authorities (CAs);
2. Transition testing to new algorithms (e.g., SHA-2, ECC);
3. PIV and PIV-I credential interoperability testing;
4. Repository access testing when using content delivery networks, load balancers, or other networking configurations; and
5. Path discovery and/or validation testing for an application

When testing is successful in CITE, assurance is gained that the proposed change(s) will operate in the production FPKI as intended. When tests fail in the CITE, issues are identified and addressed without production FPKI impact.

Technical Specifications

The FPKI Community can use CITE to evaluate PKI or application changes in a test environment that mimics the production FPKI hierarchy and test potential interoperability issues before those changes are deployed to the FPKI. CITE participants shall follow the below technical specifications.

1. The CITE Participant services shall be internet accessible.
2. Repository availability and technical support should be maintained as detailed in the Repository Availability and Technical Support Availability sections.
3. Test environments should emulate the corresponding production environment as closely as possible
   1. Each CITE Participant CA hierarchy shall mimic their production environment. A CITE Participant may limit the number of included Test CAs to one certified or cross-certified CA and either an intermediate and/or issuing CA.
   2. All CAs shall be distinctly marked to denote it is a test CA. The word “Test” or “Development” should be used in the Distinguished Names (DNs).
   3. An exact production replica of all internal CA components (e.g. hardware security modules, network zones, or other non-internet accessible components) is not required.
   4. The CITE Participant repositories should match those in the corresponding production environment as accurately as possible, including operating system versions and patch levels, protocols, and product version and patch levels.
   5. All CITE Participant CA certificates, Certificate Revocation Lists (CRLs), and cross-certificates shall be publicly accessible in the associated repository.
   6. Certificate revocation information should, when applicable, be made available using the same mechanism(s) as in the production environment (e.g., OCSP, CRLs).
4. CITE Participants should provide expired, revoked, and valid test end-entity certificates, including private keys, for application and relying party tests. The sample certificates should be hosted on a publicly accessible directory or website and shared with the FPKI Technical Working Group. The website or directory address may be made available through this guide. CITE Participants should have test certificates representing each of the certificate policies and certificate types that are issued from the corresponding production environment.
5. All CITE Participant CAs and end-entity certificates should match their production counterparts, as applicable.
   1. Test certificates and CRL profiles (including version, key length, extensions, and syntax) shall match that of the production environment.
   2. The CITE CRLs may have a longer validation period than is required in production.
   3. The CITE CA certificates and cross-certificates shall depict the same trust relationships as in the production environment.
   4. CITE Participants should assert test certificate policy Object Identifiers (OIDs), when testing with CITE. See Appendix A - Test Policy Object Identifiers for test OIDs and their production equivalent.
   5. Resource references (such as CRL Distribution Points and Authority Information Access (AIA) points in the CITE certificates shall correspond to appropriately functional repositories.

Scheduled and Unscheduled Testing

Testing and support requests (to include certificate issuance and management requests) shall be scheduled and coordinated in advance. This will allow CITE Participants to appropriately plan and schedule any technical support needed for successful testing.

For unscheduled testing, the CITE and FPKI Partner repositories are internet accessible and available for testing (including vendors and other Relying Parties). Unscheduled testing may be conducted at any time if the below is true.

1. All parties involved agree to provide the necessary support; or
2. The testing party does not need support from any other CITE Participant (in which case, the testing party is willing to accept that services may or may not be available).
   

Repository Availability

CITE Participant repositories should be available during regular business hours for scheduled and unscheduled testing. Each CITE Participant should leave its repository services operational and available 24 hours a day, 7 days a week. CITE Participants should follow the below table on repository availability requirements.

Technical Support Availability

CITE Participants shall provide the FPKI Technical Working Group with email and phone information for at least two technical contacts to help coordinate any technical service issues. In lieu of providing individual names for technical POCs, CITE Participants may establish a group or other organizational-based email addresses for communications with the appropriate technical contacts. This information will only be made available (in a controlled manner) to CITE Participants, FPKI Applicants (if applicable), and vendors supporting the FPKI as needed during testing or troubleshooting. CITE Participants involved in scheduled testing shall provide the issuance, management, and troubleshooting necessary to help resolve any issues.

Test Websites

Appendix A - Test Policy Object Identifiers

The table below lists the current test to production OID equivalent used by the FPKIMA and CITE Participants.

1. Federal PKI Trust Infrastructure Test OIDs
2. Federal Agency PKI Test OIDs
3. Federal Shared Service Provider (SSP) Test OIDs
4. Non-Federal Issuer (NFI) Test OIDs
5. Commercial PKI Bridge Test OIDs

Federal PKI Trust Infrastructure Test OIDs

Federal PKI Federal Bridge

Federal PKI Federal Common Policy

Federal Agency PKI Test OIDs

Department of Defense (DoD)

Department of Defense External CA (DoD ECA)

Department of State (DOS)

Department of the Treasury

GSA FIPS 201 Approved Product List (APL)

Government Printing Office (GPO)

U.S. Patent and Trademark Office (USPTO)

National Aeronautics and Space Administration (NASA)

Federal Shared Service Provider (SSP) Test OIDs

All SSPs directly assert Federal Common Policy OIDs.

See Federal PKI Federal Common Policy

Non-Federal Issuer (NFI) Test OIDs

Entrust Managed Services

DigiCert (and former Symantec and VeriSign)

Exostar

IdenTrust

WidePoint

Commercial PKI Bridge Test OIDs

SAFE Bio-Pharma Bridge

CertiPath Bridge

STRAC Bridge

TSCP Bridge