When using the Grants.gov applicant S2S interface, you must establish your identity by passing a personal user authentication certificate for each request. A personal user authentication certificate is also known as an SSL client, PKI, web browser, or email certificate.
Obtaining a Certificate
Your personal user authentication certificate must be purchased from a recognized Certificate Authority (CA) such as Comodo, DigiCert, Entrust, GoDaddy, Incommon, Symantec, or Thawte, and then sent to Grants.gov for installation.
Your certificate must have a 2048 bit public RSA key and use a SHA-2 based digital signature (for example SHA256RSA), so care must be taken when ordering your certificate.
Personal user authentication certificates may be difficult to find on the Certificate Authority websites, so we recommend that you contact sales departments directly and explain that you need a 2048 bit SSL client certificate that uses SHA-2. Some certificate authorities do not issue certificates valid for client authentication by default. You may need to explicitly request a certificate with the client authentication attribute included.
Below is an example of a certificate valid for Client Authentication:
Additionally, you must utilize Port 443 with the SHA-2 based digital signature. Please note that all intermediate certificates in the certificate chain must also be SHA-2 in order to work with port 443.
- Port 443 will only support:
- SHA-2 Certificates
- TLS v1.1 and TLS v1.2
- Port 446 will only support:
- SHA-1 Certificates
- SSL v2, SSL v3, and TLS v1.0
Users should obtain a new SHA-2 based digital signature certificate from a recognized CA and move to port 443 by December 31, 2015. Port 446 will not be available in any environment beginning January 1, 2016.
Note that you are responsible for monitoring your certificate expiration date in order to obtain a renewal from the CA before your certificate expires. Renewed certificates must also be sent to Grants.gov for installation. Grants.gov will not accept self-signed certificates as these cannot guarantee your identity and do not meet federal security standards.
Requesting Certificate Installation
Once you have obtained a certificate, fill out the and return to Grants.gov by following the instructions on the form. Grants.gov will notify you by email once it has been installed. You have the option to use separate certificates for the Production and Training environments or to use a single certificate for both environments.
Authorizing the Certificate
After certificate installation, your EBiz POC must approve the AOR status of the account that is associated with your certificate. AOR Authorization instructions can be found on the registration help pages.
Using an S2S Service Provider
If you are using a 3rd party grants application system (for example Cayuse), the system owner may provide you with a personal user authentication certificate. Otherwise, you will need to obtain the certificate and supply that to the system owner.