Index of documents supporting the Grant of Approval to the Ministry of Defence’s
Defence Root Certification Authority service.

  1. What the tScheme Approved Service Mark signifies.
  2. Approved Service - Service Description
  3. Approval Profiles used in the assessment:
    Base Approval Profile tSd0111 3.00
    Approval Profile for a Certification Authority tSd0102 3.01
    Approval Profile for Signing Key Pair Management tSd0103 3.02
    Approval Profile for Certificate Generation tSd0104 3.01
    Approval Profile for Certificate Dissemination tSd0105 3.01
    Approval Profile for Certificate Status Management tSd0106 3.01
    Approval Profile for Certificate Status Validation tSd0107 3.01
    Approval Profile for Registration tSd0042 3.02


What the tScheme Approved Service Mark signifies

When a trust service carries the tScheme Mark, you can be secure in the knowledge that:

For each service, tScheme approval is regularly reviewed and may be withdrawn.

This Grant of Approval does not affirm or endorse any claims of conformance to standards or adherence to guidelines not explicitly listed as forming part of the service assessment.


Approved Service - Service Description

Defence Root Certification Authority (DRCA)

This Grant of Approval relates to the MoD’s service known as the Defence Root Certification Authority (DRCA). It does not cover the wider Defence Public Key Infrastructure (DPKI).

The DPKI X.509 Certificate Policy Version 3.0 (dated 8 Oct 08 | OID 1.2.826.0.1310.100.3) provides a full description of the DPKI and the DRCA’s role. This policy document is publicly available at

The DRCA provides Trust Services for the Defence environment and is the ultimate trust point for the DPKI. It provides support to authentication, integrity, confidentiality and non-repudiation services through the use of X.509 certificates.

The DPKI Trust Service (using the DRCA as its root) is a pan-MoD provision that will be available to all MoD recognised projects, applications, services and entities that require it - subject to approval from the DPKI Policy Management Authority (DPMA) [1]. Through interoperability, the DPKI will extend its Trust Services to Organisations and Nations with which the MoD has a business or operational requirement, such as NATO, the US DoD and TSCP.

The DRCA (specifically the Hardware Security Module) maintains the Root private signing key for the DPKI. It provides all subordinate CAs with their Public and Private keys that are embedded into certificates. It also provides revocation information by issuing Authority Revocation Lists (ARL) [2] on a monthly basis to these CAs, as well as emergency ARLs when required.

A strict process is followed to verify the identity of those who request subordinate certificates or emergency revocations, and a validation process is invoked to ensure they are authorised to do so.

To become a customer of the DRCA, the potential customer must outline their justification for wanting to enrol by raising a DRCA Subordinate CA Request. The DPMA will decide on a case-by-case basis whether to permit or deny the request, the outcome of which will be relayed back to the customer. The DRCA Subordinate CA Request document outlines the customer request procedures, the obligations of the involved parties and the request forms themselves. Customers could potentially be any organisation or Ally that has a business or operational relationship with the MoD.

[1] The DPMA is the governing body of the DPKI.

[2] ARL is a term unique to Entrust technology. For clarity in this document, the term ARL can be interpreted as CRL (Certificate Revocation List).


The tScheme Code of Conduct

Participants in the electronic trust services industry strive: