SECURE CAC REPLACEMENT
Secure E-mail Using Outlook 2013 / 2016

AIR FORCE PUBLIC KEY INFRASTRUCTURE SYSTEM PROGRAM OFFICE

Public Key Infrastructure (PKI) supports DoD's network security and information assurance efforts through the effective use of digital certificates encoded in the microchip of the Common Access Card (CAC).

PKI certificates are necessary to access unclassified networks, applications, websites and portals, to digitally sign forms, and to digitally sign and encrypt unclassified e-mail messages.

When unclassified e-mail messages are digitally signed and encrypted, they are protected with these PKI assurances:

• Authentication: guarantees an e-mail message actually came from the person who claims to have sent it
• Data Integrity: alerts the recipient when unauthorized changes were made to the message during transmission
• Non-Repudiation: legally binds the sender of an e-mail to the transaction
• Confidentiality (with encryption only): assures the information in the e-mail is not disclosed to unauthorized entities

The AFPKI SPO is part of the Air Force Life Cycle Management Center, C3I & Networks Directorate, Enterprise IT & Cyber Infrastructure Division, Identity Solutions Branch (AFLCMC/HNID), Joint Base San Antonio - Lackland, TX.

Visit the AFPKI SPO Website at: https://intelshare.intelink.gov/sites/usaf-pki

For assistance and additional guidance, contact the AFPKI SPO Help Desk at:
• Phone: 210-925-2521 (DSN 945)
• E-mail: [email protected]

DISTRIBUTION C: Distribution authorized to U.S. Government agencies and their contractors for administrative and operational use.

HANDLING AND DESTRUCTION NOTICE: Handle in compliance with distribution statement and destroy by any method that will prevent disclosure of contents or reconstruction of the document.

OPR: AFPKI SPO Help Desk
OE-13-01-114, June 2020

WHY DO YOU NEED THIS PAMPHLET?

A new CAC means new PKI certificates. Follow the instructions in this pamphlet to enable your workstation to successfully recognize and use your new PKI certificates.

This is a User process. Administrator privileges are not needed.

BEFORE YOU BEGIN

Insert your new CAC into the card reader. If an error message pops up, remove the CAC and reinsert it into the card reader. If the issue persists, reboot the computer (remove the CAC during the reboot process). Once rebooted, insert the CAC into the reader and proceed to Step 1.

Never leave your CAC unattended in the card reader.

STEP 1: REMOVE PREVIOUS PKI CERTIFICATES FROM IE CERTIFICATE STORE

a. Insert new CAC in the card reader and open Internet Explorer.
b. Click on the Tools icon at the top right-hand corner, then click Internet Options.
c. Select the Content tab > Certificates button.
d. Select all "old" certificates (CA-31 or higher) with the following exceptions. DO NOT SELECT:
   • Previously recovered e-mail encryption certificates ("CN" in the "Friendly Name" column)
   • "Software" Group certificates used for organizational email accounts
   • ANY DoD email certificates based on expiration dates only
e. Click the Remove button.

STEP 2: UPDATE OUTLOOK SECURITY PROFILE SETTINGS

a. Remove new CAC from the card reader, then reinsert and open Microsoft Outlook.
b. Click File > Options > Trust Center, then click the Trust Center Settings button (on the right).
c. At the next window, select Email Security.
d. At the next window, in the "Encrypted Email" area, click the Settings button.
e. In the "Change Security Settings" pop-up, click the Delete button until it is grayed out; click OK.
f. At the "There is no valid security…" pop-up, click OK.
g. At the "Your Certificates were removed successfully" pop-up, click OK.
h. Back in the Trust Center, click the Settings button.
i. In the "Change Security Settings" pop-up, click the Choose button for Signing Certificate and select the most current DoD Email CA-XX certificate; if none are showing, click "More Choices" and select the correct certificate; click OK.
j. In the "Change Security Settings" pop-up, click the Choose button for the Encryption Certificate and select the most current DoD Email CA-XX certificate; click OK > OK.
k. At the warning pop-up, click OK; enter your PIN if prompted.
l. At the "Your certificates were published successfully" pop-up, click OK, then click OK to exit the Trust Center (you may need to restart Outlook).

STEP 3: RECOVER A PREVIOUS EMAIL ENCRYPTION KEY

Your new CAC contains a new Email Encryption certificate and corresponding encryption key. Any email encrypted with your previous encryption key cannot be opened with the new key; therefore, to read those email messages, you must recover the previous encryption key. There are two methods to recover an encryption key: AUTOMATED (recommended) and MANUAL.

AUTOMATED KEY RECOVERY

a. Open Internet Explorer.
b. Enter one of the following URLs into the Web browser (case sensitive):
   • https://ara-5.csd.disa.mil/ara/
   • https://ara-6.csd.disa.mil/ara/
c. At the "Window Security" pop-up, select an Identity Certificate; click OK.
d. Enter your PIN if/when prompted.
e. At the "Automatic Key Recovery Agent" page, click I Accept; a list of encryption keys will appear.
f. Based on the date range, select the desired key from the list (NOTE: the list is not in any order).
g. Click the blue Recover button.
h. Click I Acknowledge, then click OK.
i. The next screen provides a Download link and a 16-character, case-sensitive password; write the password down EXACTLY as shown.
j. Click on the Download link, then click Open.
k. Click Next at the "Welcome to the Certificate Import Wizard" screen (do not change default buttons).
l. Click Next at the "File to Import" prompt.
m. At the "Private Key Protection" screen, click the Display Password checkbox, then enter the 16-character password.
n. Verify the password is correct, then click Next.
o. At the "Certificate Store" prompt, select "Automatically select the certificate store", then click Next.
p. At the "Completing the Certificate Import Wizard" screen, click Finish.
q. At the "Import was successful" pop-up, click OK.
r. Click Return to Key List and repeat these steps to recover other Encryption Keys as needed.

The recovered key(s) is/are now installed in the certificate store and ready for use. When opening previously encrypted email, MS Outlook automatically selects the corresponding encryption key from the certificate store.

MANUAL KEY RECOVERY PROCESS

Information in this guide is for CAC holders who have received a replacement CAC. If no keys appear when attempting the Automated Key Recovery process, follow these procedures for manual key recovery.

a. Open Internet Explorer.
b. Enter the following URL into the Web browser: ://intelshare.intelink.gov/sites/usaf-pki-SitePages/Key%20Recovery.aspx
c. Click the + sign next to Manual Key Recovery Process and follow the instructions.
d. Allow 5-7 business days to process the request.
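The following PowerShell script is an added example, not part of the AFPKI SPO pamphlet, that inventories the user's personal certificate store so the Step 1 selection ("CA-31 or higher", minus the listed exceptions) and the Step 3 result ("recovered key installed in the certificate store") can be checked before anything is clicked in Internet Explorer. It assumes DoD issuers carry "CA-<number>" in their name (the pamphlet's "CA-XX"), that recovered encryption certificates have "CN" in the Friendly Name, and that organizational certificates have "Software" in the Friendly Name; it runs as the ordinary user and removes nothing unless -Remove is given.

```powershell
# Added example (not from the AFPKI SPO pamphlet). Lists DoD certificates in the
# CurrentUser\My store and flags the ones Step 1(d) would select. The store is the
# user's own, so no administrator privileges are needed. Removal only happens with
# -Remove; add -WhatIf to see what would be removed without touching the store.
function Get-DodEmailCertInventory {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$MinimumCaNumber = 31,   # pamphlet: "CA-31 or higher" counts as old
        [switch]$Remove
    )
    $secureEmailOid = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection (Secure Email EKU)
    foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\My) {
        # Assumption: the issuer contains the CA number, e.g. "CN=DOD EMAIL CA-XX, ...".
        if (-not ($cert.Issuer -match 'CA-(\d+)')) { continue }
        $caNumber = [int]$Matches[1]
        $isEmail  = @($cert.EnhancedKeyUsageList |
                      Where-Object { $_.ObjectId -eq $secureEmailOid }).Count -gt 0
        $friendly = [string]$cert.FriendlyName
        # Step 1(d) exceptions (assumed Friendly Name markers): recovered keys ("CN")
        # and "Software" group certificates are never selected. Expiration date is
        # deliberately NOT a selection criterion, as the pamphlet instructs.
        $keep   = ($friendly -match '\bCN\b') -or ($friendly -match 'Software')
        $action = if ($caNumber -ge $MinimumCaNumber -and -not $keep) { 'REMOVE-CANDIDATE' } else { 'KEEP' }
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Issuer        = ($cert.Issuer -split ',')[0]
            CaNumber      = $caNumber
            SecureEmail   = $isEmail
            HasPrivateKey = $cert.HasPrivateKey   # True for a key recovered in Step 3
            FriendlyName  = $friendly
            NotAfter      = $cert.NotAfter        # shown for context only
            Action        = $action
        }
        if ($Remove -and $action -eq 'REMOVE-CANDIDATE' -and
            $PSCmdlet.ShouldProcess($cert.Thumbprint, 'Remove certificate from CurrentUser\My')) {
            Remove-Item -Path $cert.PSPath
        }
    }
}

# Report only; nothing is removed by this call.
Get-DodEmailCertInventory | Format-Table -AutoSize
```

Run `Get-DodEmailCertInventory -Remove -WhatIf` to preview the Step 1 removal, and re-run the report after Step 3 to confirm the recovered certificate appears with SecureEmail and HasPrivateKey both True.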
Enter one of the following URLs into the Web browser cates (“CN” in the “Friendly Name” column) none are showing, click “More Choices” and select cally select the certificate store, then click Next. (case sensitive): • “Software” Group certificates used for the correct certificate; click OK. p. At the “Completing the Certificate Import Wizard” organizational email accounts • https://ara-5.csd.disa.mil/ara/ j. In the “Change Security Settings” pop-up, click the screen, click Finish. • ANY DoD email certificates based on Choose button for the Encryption Certificate and • https://ara-6.csd.disa.mil/ara/ expiration dates only select the most current DoD Email CA-XX certificate; q. At the “Import was successful” pop-up, click OK. c. At the “Window Security” pop-up, select an Identity e. Click the Remove button. click OK > OK. r. Click Return to Key List and repeat these steps to Certificate; click OK. k. At the warning pop-up, click OK; enter your PIN if recover other Encryption Keys as needed. prompted. d. Enter your PIN if/when prompted. The recovered key(s) is/are now installed in the certificate Step 2: Update Outlook l. At the “Your certificates were published success- e. At the “Automatic Key Recovery Agent” page, click store and ready for use. When opening previously Security Profile Settings fully” pop-up, click OK, then click OK to exit the I Accept; a list of encryption keys will appear. encrypted email, MS Outlook automatically selects the Trust Center (you may need to restart Outlook). corresponding encryption key from the certificate store. a. Remove new CAC from the card reader, then f. Based on the date range, select the desired key from reinsert and open Microsoft Outlook. the list (NOTE: the list in not in any order). b. Click File > Options > Trust Center, then click g. Click the blue Recover button. the Trust Center Settings button (on the right). h. Click I Acknowledge, then click OK. c. At the next window, select Email Security.