Once you have created your token service Service Account, complete the following steps to obtain your PKI Certificate:

  • Go to IdMax/NAMS https://idmax.nasa.gov

  • Select "Manage PKI Certificates for Devices" under the Credentials quick link section.

  • The following screen will display the SSL, Code Signing, IPSec, and Custom certificates that you are managing.

  • Click the “+ Add Certificate” button on the right side of the PKI Certificates frame.

  • The Create new PKI Certificate window will appear. Select the Authority – “NICA” and select the Certificate Type – “Service Account.”

  • The Search Certificates box will appear. Enter the AUID of the Service Account that you were granted for your provider. Note that it will not show up in the search results.

  • Acknowledge the NASA Subscriber Agreement.  When you check this box, the “Create New Certificate” button will appear.  Click it.

  • The Create new PKI Certificate window will close and you will be returned to the original screen with the new Service Account name shown in the list of managed certificates. You can now optionally i) add additional emails for notification, ii) add Backup Owners (this allows another user to manage this certificate without having to transfer ownership), and iii) change the provider associated with this certificate request, if you want.

  • Under “Special Instructions” specify that this request is for an “NDC Service Account Certificate to be used for Client Authentication with the Siteminder Token Service”. Also include the full UPN of the service account, e.g. agserviceaccount@ndc.nasa.gov.

  • Once you have added all the additional attributes to this certificate request, click the “Submit Request” button at the bottom to submit your request.

  • Submit a request for a new PKI Certificate
    • Please send an email to arc-dl-pki-support@mail.nasa.gov with the NAMS Modify identifier included in the email. Please specify that this is for a New Service Account NICA certificate. (Note: the identifier is in the form Modify-xxxxxxxx; one way to retrieve it is to click on the timeline process for your request.)

    • You will receive your certificate and key via encrypted email.

1 Comment

  1. This process doesn't work for me because after clicking on the "Manage PKI Certificates for Devices", the system wants me to log in with a NASA Smartcard because "High Access Level Required" for this certificate. The only option given after clicking on the "Manage PKI Certificates for Devices" is a Smartcard login; I cannot log in with my RSA token. Currently nobody at LP DAAC will be able to obtain a PKI Certificate to finish this process. Here is the URL I'm directed to after clicking on the "Manage PKI Certificates for Devices": https://auth.launchpad.nasa.gov/login?level=40&target=https%3a%2f%2fidmax%2enasa%2egov%2ftools%2fpki