FIS Training Resources

PDF DOWNLOAD: If you have issues opening the files below, please refresh your screen or right click and download the files to your local drive. This process may differ depending on your web browser.

User Guides

Guide Name | Guide Description
FIS Product Guide | Provides application-specific information.
KMA Quick Guide | This quick guide walks you through how to download and install KMA for MLOA Hardware Token Certificates.

FAQs

Please see the Federated Identity Service (FIS) Frequently Asked Questions (FAQs):

General FAQs

What is Federated Identity Service (FIS)?
Exostar’s Federated Identity Service (FIS) is a fully-managed public key infrastructure (PKI) service for the issuance and maintenance of digital certificates. As part of a suite of identity management services offered by Exostar, FIS is a comprehensive PKI solution that enables full lifecycle management of certificates, strong authentication practices, and controlled access to applications through Exostar’s Managed Access Gateway (MAG), minimizing risk and assuring resources and intellectual assets are protected over the extended enterprise. Because it is operationally modeled after and compliant with U.S. Federal Bridge Certificate Authority security policies and federal best-practice guidelines, FIS is ideal to enable sensitive online transactions and secure access to information.
What is a digital certificate?
A Digital Certificate is the digital equivalent of an ID card and is issued by trusted third parties known as certification authorities (CAs), such as Exostar. A certificate may contain multiple attributes about its owner, which can be used to uniquely identify them online to systems or through email. Digital certificates are typically used to establish one’s identity online and do not authorize the holder of the certificate to perform any specific function within an online application.
What types of digital certificates does Exostar offer?
FIS is a subscriber service managed by Exostar that can issue multiple types of digital certificates for various levels of assurance: Signature, Encryption and Authentication.

Levels of assurance:
– Basic Level of Assurance Certificates – Identity (BLOA-Identity)
– Basic Level of Assurance Certificates – SecureEmail (BLOA-SecureEmail)
– Medium Level of Assurance (MLOA) Software Digital Certificates: Software Digital Certificates that are modeled after CertiPath policies.
– Medium Level of Assurance (MLOA) Hardware Digital Certificates: Hardware Digital Certificates that are modeled after CertiPath policies.
Why am I being asked to set strong key protection for all certificates when I download certificates on Microsoft WINDOWS 7.x?
A software issue has been discovered in the Exostar Certificate Issuance control when used on the Microsoft Windows 7.x platform that forces Strong Key protection to be used on all private keys generated and used for Exostar FIS certificates. Detailed information on this issue, along with information for users with existing certificates ready to renew on Microsoft WINDOWS 7.x platform is available here.
Can I use my digital certificates after leaving my job at my current employer?
Your certificate contains attributes that uniquely associate you to your employer. If you leave this employer, the certificate information will not be valid.

FIS Administrator FAQs

How can my organization designate multiple FIS administrators?
During the FIS subscription process, one user can be assigned the FIS Administrator role. To add additional FIS Administrators, the Organization Administrator can upgrade a user account as follows:
1.  Designate a user to assign the FIS Administrator role and access their Exostar MAG Platform Details page by going to the Administration tab then completing a search for users.
2.  After completing search, click the user ID link to open the user’s profile.
3.  Scroll to the Application Settings section and select Application Admin from the Role column.
4.  An application list is now available for selection. Select Federated Identity Service (FIS).
5.  Click Continue and then review the changes you made. Click Submit to save the changes.
The user receives an email informing them that their account has been upgraded to the FIS Administrator role. This process may be utilized to upgrade a user to an administrator role for any other application. The Organization Administrator can also set up a new user account with the administrator roles by selecting the appropriate role from the Role drop-down list.
What do I do when a user is renewing certificates?
When the user submits a certificate renewal request, the FIS Administrator may be able to change certain attributes of the certificate. All certificate information is pre-populated based on the certificate the user requested for renewal. Some users, due to a prior out-of-band certificate renewal, may have no value for the Validity Period field. The FIS Administrator must select a value of 1 year or 3 years.

If you do not think the user continues to need digital certificates, you can deny the renewal request. Note the user is able to submit additional renewal requests for the same certificate until the certificate expires. For more information, please see the FIS Administrator Responsibilities page.

Possible Error FAQs

I get an error screen with only ‘Yes’ or ‘No’ options when I attempt to download the certificates. What happens if I click on ‘No’?
Due to a known Microsoft issue (documented in the Microsoft Knowledge Base article # 940275), the dialog box does not contain the intended informational message that is supposed to display. When you encounter this error, select Yes. If you click No, you receive the following message and must restart the download process: Error! Filename not specified.
I am trying to download the certificates and receive an error message related to KMA. What do I do?
This error displays when you attempt to download digital certificates and KMA is not downloaded. Try to download KMA. If you are unable to download KMA, reach out to your system administrators to understand the policy for downloads. KMA cannot be downloaded using Internet Explorer. You can download KMA with Chrome, MS Edge, or Firefox.
I am attempting to download my Medium Level of Assurance Certificates. I receive the following error message with error code # 2146885613. What do I do?
This error message is received when the Exostar Certificate Revocation List (CRL) URL is blocked by the proxy or corporate policies. To confirm the issue, try to access the following two sets of URLs. If either of these URLs fails, then you need to contact IT Support within your organization to ensure that the host name is added to the list of “allowed” URLs.
FIS URLs (Host URL: http://www.fis.evincible.com):
– FIS Root CA 2.crl
– FIS Root CA 2.p7c
– FIS Signing CA 2.crl
– FIS Signing CA 2.p7c
Why do I get an error message “You are not currently logged in with your certificates” when I attempt to renew my certificates?
This error message is presented when the user is attempting to renew certificates but is not logged in with the expiring certificates. Click on the link highlighted in blue in the error message and you will be presented with the certificate selection list or the system will automatically pick up a valid certificate and complete the login process. You should then click the Renew button if your certificate is eligible for renewal.
Why do I get a ‘Certificate not eligible for renewal’ message when I attempt to renew my certificates?
This message is presented if your certificate is not eligible for renewal. A certificate can be renewed during the 90 days leading up to its date of expiration. If the date of expiration has passed, or it is still more than 90 days away, then your certificate cannot be renewed.
I received the following error: This page is displayed because of an error with your digital certificates: You may be using expired, corrupted or revoked certificates or There may be an issue with the encryption connection. Please verify that the certificates that you are using are valid, unexpired certificates for this action. What do I do?
Who can receive this error:  Users who require FIS certificates to access applications such as ForumPass, Rolls-Royce Global Supplier Portal or Lockheed Martin One Aero.

How to resolve this issue:
1.  Retry accessing the application. Sometimes the system is unable to connect with the Certificate store to retrieve the certificates due to connectivity issues. Log out of Exostar’s MAG Platform and retry accessing the application using your certificates. If this does not work, go to step 2.
2.  Check if your certificate is expired. If it is expired, remove the expired certificates and re-apply for a valid certificate.
IMPORTANT: If you have MLOA or BLOA SecureEmail certificates, make sure that you do not remove the expired encryption certificate.
3.  Check your certificate prompt settings.
4.  Check if your certificate is valid.

Open IE > Tools > Internet Options > Content > Certificates > Select the appropriate certificate > View > Certification Path

If any of the certificates listed are highlighted in red, your certificate is invalid. If the top-level certificate is highlighted in red, contact Exostar Customer Support. Remove all invalid certificates and re-apply for a valid certificate.
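The checks in this answer, the 90-day renewal window and the blocked-CRL error described earlier can also be run from PowerShell against the current user's Windows certificate store. This is an added example, not Exostar tooling; the function name Get-CertificateHealth and its parameters are illustrative assumptions.

```powershell
# Added example: audit certificates in the current user's personal store.
# The 90-day renewal window is the rule stated in this FAQ; the rest uses
# standard .NET X509 classes. Function and parameter names are illustrative.
function Get-CertificateHealth {
    param(
        # Certificates to inspect; defaults to the current user's personal store.
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]
        $Certificate = (Get-ChildItem -Path Cert:\CurrentUser\My),
        [int]$RenewalWindowDays = 90,
        [datetime]$Now = (Get-Date)
    )

    foreach ($cert in $Certificate) {
        $daysLeft = ($cert.NotAfter - $Now).TotalDays

        # Renewal is only possible for an unexpired certificate that is
        # within the renewal window before its expiration date.
        $renewal = if ($daysLeft -lt 0) {
            'Expired: re-apply'
        } elseif ($daysLeft -le $RenewalWindowDays) {
            'Eligible for renewal'
        } else {
            'Too early to renew'
        }

        # Build the certification path with online revocation checking.
        # A status of OfflineRevocation or RevocationStatusUnknown means the
        # CRL could not be retrieved, for example when a proxy blocks it.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chainOk = $chain.Build($cert)
        $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

        [pscustomobject]@{
            Subject            = $cert.Subject
            NotAfter           = $cert.NotAfter
            DaysLeft           = [math]::Floor($daysLeft)
            Renewal            = $renewal
            SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
            ChainValid         = $chainOk
            ChainStatus        = $status
        }
    }
}

Get-CertificateHealth | Format-Table -AutoSize
```

A ChainStatus of NotTimeValid corresponds to an expired certificate in the path, and UntrustedRoot to a missing or untrusted top-level certificate.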
When I attempt to open an encrypted email from a Boeing user, I get an error ‘Cannot open this item. Your digital ID cannot be found by the underlying security system.’
This error is encountered when your email client is unable to search for the Boeing root certificates. Follow the instructions below to install the relevant Boeing root certificates:
1. Go to http://www.boeing.com/crl/.
2. Select the following certs: Secure Messaging.crt & The Boeing Company Root Certificate Authority.crt.
3. Click on each of the certs under the Authority Information section.
4. Select Open.
5. Click Install Certificate (take all defaults).
6. Click Next, click Next and click Finish.
7. Select OK to close the dialog box that states the Import was successful. 

Subscription FAQs

I already have a digital certificate from another vendor. Can I use it instead of buying Exostar’s FIS certificates to access my application(s)?
If you already have digital certificates from another vendor, you cannot use them to access applications via Exostar’s Managed Access Gateway (MAG). To be able to access your applications, you are required to get Exostar FIS certificates for the appropriate assurance level. Contact your project partner for detailed information on the assurance level of the certificates.
What is the validity period of my MLOA Digital certificates?
An MLOA digital certificate is valid for 1 or 3 years from the date of issue, depending upon the option selected when your certificate was issued. You will be sent a renewal notice before the expiration of your certificate. If you do not renew your certificates within your renewal period, your certificates will expire and you will be required to go through the in-person proofing process again to obtain valid digital certificates. The certificates will not be valid after the expiration date.
What is the validity period of my BLOA digital certificates?
Your certificates are valid for one year from the date of issue. You will be sent a renewal notice before the expiration of your certificate. If you do not renew your certificates within your renewal period, your certificates will expire and will not be valid for use after the expiration date.
How can a Medium Level of Assurance digital certificate offered by Exostar be used?
Exostar’s MLOA certificates are CertiPath compliant, which means they can be used throughout the aerospace and defense industry to enable secure information sharing. They may be used to support multiple functions, including: 
– Secure Email (digital signature and encryption)
– Secure Logon
– Server Authentication
– Code Signing
– Document Signing
What is the difference between renewing your certificate and re-applying for a new one?
If you have a certificate that expires within 90 days, you are able to complete a renewal request for the certificate. When you renew a certificate, you provide all information to the FIS Administrator (FISA) to approve you for the correct certificate. In addition, irrespective of the type of certificate you are renewing, you receive the passcode to download the certificate in an email. You can only renew an unexpired certificate. You can always re-apply for a new certificate. You generally re-apply for a new certificate:
– If you want to upgrade from Basic Level of assurance (BLOA – Identity) to either BLOA (Secure Email) or Medium Level of Assurance (MLOA) certificates.
– If your current certificate has expired. If you re-apply for an MLOA certificate, you are required to complete a face-to-face proofing session with an Exostar Trusted Agent.
Please see the Renew Certificates page for more information on the renewal process and please see the Reapply Certificates page for more information on the reapplication process.

In-Person Proofing FAQs

Can I use my birth certificate instead of a social security card for the proofing activity?
Yes, you can bring an original or certified copy of your birth certificate instead of the social security card for the proofing activity. Please note you also require an additional form of identification along with your birth certificate. A list of acceptable forms of identification is provided here. Review this list prior to meeting your proofing agent.
Is my company-issued photo ID good enough as the second form of ID along with a driver’s license?
No, you may not use your company-issued photo-ID as a valid form of ID along with a driver’s license. Refer to the list of acceptable forms of identification provided here. Review this list prior to meeting your proofing agent.
Can our in-house notary complete the in-person vetting for MLOA certificates?
Unless your in-house notary is a designated National Notary Association (NNA) approved Trusted Enrollment Agent (TEA), you may not use your in-house notary for in-person vetting for MLOA certificates. If your in-house notary is a designated TEA, you should provide this information to Exostar during initial contact to ensure users from your organization may be assigned appropriately for proofing activity.

SHA-256 FAQs

What is the US Federal IT mandate, and how may it affect my interaction with Aerospace and Defense industry and Federal customers, such as the US Department of Defense?
The National Institute of Standards and Technology (NIST), a bureau of the US Department of Commerce, is responsible for setting US Federal Government standards for computing and IT systems.  Due to recent advances in computing power, NIST has identified the need for Federal IT systems to migrate to a newer version of the Secure Hash Algorithm (SHA) than is used in many Internet-connected operating systems, applications, and hardware products.


All departments within the Federal government are required to transition to the new standard, “SHA-256”, starting on January 1, 2011, with a phase out of the previous standard by January 1, 2013.  However, many commercial IT products and vendor solutions may require patches or version upgrades in order to be compatible with the new Federal standard.
What is the timeline for this change in US Federal standards?
The US Federal Government will begin issuing credentials using SHA-256 on or about January 1, 2011.  Electronic transactions such as secure email (S/MIME) and secure network sessions (SSL, IPSec) may transition to the new standard through 2012. Further information may be obtained at the following US Government web sites:
http://www.idmanagement.gov/   
http://www.nist.gov/cybersecurity-portal.cfm
What is a virtual private network (VPN)?
A virtual private network (VPN) is a private and secure network that is typically applied on top of an existing corporate network. Generally, one may log in to VPN software to access corporate email and other resources while outside of their office.
How do I determine my operating system version and patch level?
In Microsoft Windows, navigate to My Computer, right click, and select Properties.  The operating system and service pack level displays.

To determine whether specific patches are installed, navigate to Control Panel, then to Add or Remove Programs, and select the Show Updates check box in the upper portion of the window. Your Windows patch information should display within the window.

If you are not able to access your computer settings or Windows control panel, you may need to contact your IT support organization for assistance.
What operating systems support the new standard, and which systems have known issues?
[For questions 6, 7, and 8] The following are the Microsoft and Adobe test findings for SHA-256 as of September, 2010.  Exostar will post additional information as it becomes available.  However, the page is intended for informational purposes only, and Exostar makes no representation or warranty regarding the accuracy or completeness of the information provided.  Supplier IT departments should coordinate directly with their operating system and application vendors.

Microsoft Windows 7: SHA-256 is supported by the OS – No action is required
Microsoft Windows Vista: SHA-256 is supported by the OS – No action is required
Microsoft Windows 2008 Server: SHA-256 is supported by the OS – No action is required
Microsoft Windows XP Service: A SHA-256 patch is available from the vendor, but is not broadly distributed
Microsoft Windows 2003 Server: A SHA-256 patch is available from the vendor, but is not broadly distributed
Microsoft Windows XP Service Pack 2 (and previous): No OS vendor patch is planned – An upgrade to a current/supported OS version is needed to support SHA-256
Microsoft Windows 2000: No OS vendor patch is planned – An upgrade to a current/supported OS version is needed to support SHA-256
Microsoft Windows 95/98/ME: No OS vendor patch is planned – An upgrade to a current/supported OS version is needed to support SHA-256
Updated on August 22, 2024