Identity Management

What is NATO PKI and what does it do


A Public Key Infrastructure is a combination of policies, procedures, and computer hardware and software products providing a controlled framework for managing private and public key pairs. An effective Public Key Infrastructure is primarily focused on management rather than just the technology. A PKI also provides access to identifiers known as Public-Key Certificates.
A Public-Key Certificate is an electronic data structure that binds an entity (e.g. a user) to a public key. While public keys must be published and highly available, changes to the public encryption keys must not be allowed; otherwise an attacker could replace a recipient’s public key with his own, and the sender would then mistakenly encrypt the message for the attacker instead of for the intended recipient. Many of the regulations, means, and infrastructure installations are established to protect the authenticity and integrity of the public keys.

Purpose of the NATO PKI

To support Intra-NATO and NATO-To-Nations communications, NATO is developing a Public Key Infrastructure (PKI) called NATO PKI (NPKI). The NPKI will be a framework of services for managing public key certificates, which in turn can enable secure communications based on integrity and authenticity/authentication among NATO organisations and between NATO and other organisations and countries.

NATO PKI history

The first NATO PKI Ad-hoc working group was hosted in April 1998. The PKI for the NU/NR network has been operational since Q4 2006. NCSA has been hosting the PKI for the NS network since 2010.
In 2011 NCSA will host the PKI for the NATO Messaging System (NMS). This specific PKI is dedicated to the NMS and will only provide PKI services during NMS phase 1. All present NPKI systems are considered an interim solution; NC3A is developing a cost estimate for the definitive NPKI.

Microsoft ROOT CA Program

Currently NATO is working on the implementation of the NATO ROOT CA certificate in the Microsoft ROOT CA program. This program automatically inserts the NATO ROOT CA certificate in the appropriate certificate store on an end user's terminal. This gives users secure access to NATO web sites (which are secured with a NATO Secure Sockets Layer (SSL) certificate).
What is SSL? SSL provides an encrypted tunnel between the end user's terminal and the web server. To provide secure communication between the end user's terminal and a NATO secured web site before the Microsoft ROOT CA program is effective, NCSA has come up with an interim solution. Please click on the "Installing NATO ROOT CA Certificate" button and follow the instructions.

Installing NATO ROOT CA Certificate
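
Installing a root CA certificate by hand makes it a trust anchor, so the downloaded file should be checked against a fingerprint obtained through a separate trusted channel before it goes into the certificate store. The following is an added example, not part of the original page or of NATO's instructions; it assumes a PEM-encoded download and a published SHA-256 fingerprint, neither of which the page provides, and the sample certificate is constructed placeholder data.

```python
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def der_from_single_pem(pem_text: str) -> bytes:
    """Return the DER bytes of the one certificate in pem_text.

    A root CA download should hold exactly one certificate; an empty file,
    an HTML error page or a bundle of several certificates is rejected.
    """
    blocks = PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly 1 certificate, found {len(blocks)}")
    return base64.b64decode("".join(blocks[0].split()), validate=True)


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def normalize_fingerprint(text: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex; return lowercase hex."""
    hexdigits = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", hexdigits):
        raise ValueError("not a SHA-256 fingerprint (need 64 hex digits)")
    return hexdigits


def matches_published_fingerprint(pem_text: str, published: str) -> bool:
    """True only if the downloaded certificate hashes to the published value."""
    actual = sha256_fingerprint(der_from_single_pem(pem_text))
    return hmac.compare_digest(actual, normalize_fingerprint(published))


# Constructed sample: placeholder bytes in a PEM envelope, NOT a real certificate.
SAMPLE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode() + "\n"
              + "-----END CERTIFICATE-----\n")
```

A mismatch, or a file that does not contain exactly one certificate, means the download must not be installed.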

How to apply for a NPKI Certificate

To apply for a NATO Public Key certificate you need to fill out the certificate request form.

PKI Links

NATO PKI Documents

  • NPKI Handbook V2.0
  • Certificate Practice Statement for the NU/NR V1.0
  • NATO PKI Certificate policy V2.0
  • Subscriber agreement for Subscribers Sponsors
  • Subscriber agreement for NU/NR PKI trusted roles

Documents Request

Certificate Request for NU / NR
