CERTIFICATES

System-to-System Authentication for Grantors and Applicants

Understanding the Certificate

What it is: An SSL/TLS certificate (PKI certificate) is a digital credential used to prove the identity of your organization’s system when connecting to Grants.gov System-to-System (S2S) services over mutual TLS (mTLS).

Why you need it: Each time your system sends a request through the S2S interface, Grants.gov uses this certificate to verify the identity of the applicant organization or grantor agency.

Obtaining a Certificate

You must obtain your certificate from an approved Certificate Authority (CA), such as Sectigo, DigiCert, GoDaddy, or InCommon.

Grants.gov will not accept public server certificates, self-signed certificates, or certificates issued by unapproved or free/open CAs because they don't meet federal security standards.

Important Notice About Client Authentication Extended Key Usage (EKU)

Many Certificate Authorities have begun phasing out the Client Authentication EKU from public TLS certificates.

Grants.gov does not require or reject certificates based on EKU. However, your system or vendor’s environment may enforce this attribute for client authentication.

Technical Requirements

Your certificate and S2S connection must meet these standards:

  • Cryptography: 2048-bit RSA public key, SHA-2 (e.g., SHA256RSA) digital signature

  • Protocol: TLS v1.2 or greater

  • Port: 443

  • Chain of Trust: Intermediate certificates in the chain must also be SHA-2.
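The following script is an added example (not a Grants.gov tool) that checks a vendor-supplied chain file against the requirements above before it is submitted: SHA-2 signatures on the leaf and every intermediate, a 2048-bit RSA leaf key, no private key material in the file, and a warning if the Client Authentication EKU is absent. It assumes the leaf certificate is the first block in the bundle and that the openssl command-line tool is installed.

```shell
#!/bin/sh
# Pre-submission check for the "full chain of trust" PEM file that accompanies
# the Certificate Request Form. Hypothetical helper, not supplied by Grants.gov;
# it assumes the leaf certificate comes first in the bundle and that the
# openssl command-line tool is installed.

# Split a PEM bundle into one file per certificate and print the file names.
split_chain() {
  awk -v d="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", d, n) }
    f != "" { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
  ls "$2"/cert*.pem 2>/dev/null
}

# Exit status 0 when the bundle meets the requirements above, 1 otherwise.
check_chain() {
  bundle="$1"; rc=0
  # Never ship private key material with the certificates.
  if grep -q "PRIVATE KEY-----" "$bundle"; then
    echo "FAIL: $bundle contains a private key block"; rc=1
  fi
  work=$(mktemp -d)
  # Leaf and every intermediate must carry a SHA-2 signature.
  for c in $(split_chain "$bundle" "$work"); do
    sig=$(openssl x509 -in "$c" -noout -text | awk '/Signature Algorithm/ {print $3; exit}' | tr 'A-Z' 'a-z')
    case "$sig" in
      *sha256*|*sha384*|*sha512*) ;;
      *) echo "FAIL: $(openssl x509 -in "$c" -noout -subject) signed with $sig"; rc=1 ;;
    esac
  done
  leaf="$work/cert01.pem"
  if [ -f "$leaf" ]; then
    txt=$(openssl x509 -in "$leaf" -noout -text)
    bits=$(printf '%s\n' "$txt" | grep -o 'Public-Key: ([0-9]* bit)' | tr -dc '0-9')
    # 2048-bit RSA public key (larger RSA keys are assumed to be acceptable).
    if ! printf '%s\n' "$txt" | grep -q 'Public Key Algorithm: rsaEncryption' || [ "${bits:-0}" -lt 2048 ]; then
      echo "FAIL: leaf key is not RSA of at least 2048 bits (found ${bits:-?} bit)"; rc=1
    fi
    # Grants.gov ignores the EKU, but the local TLS stack or vendor may insist on it.
    printf '%s\n' "$txt" | grep -q 'TLS Web Client Authentication' ||
      echo "WARN: leaf lacks the Client Authentication EKU"
  else
    echo "FAIL: no certificate found in $bundle"; rc=1
  fi
  rm -rf "$work"
  return $rc
}
```

Run it as `check_chain chain.pem` on the file the vendor provided; a non-zero exit status means the file should be corrected before submission.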

Installation and Authorization Process

  1. Request Installation: Once you've obtained your valid certificate, fill out the Certificate Request Form and follow its instructions to submit it to Grants.gov.
    As requested, attach the vendor-supplied file containing the full chain of trust, but do not include the private key in any file you send to Grants.gov. If a connection issue arises, Grants.gov will need to verify that all intermediate certificates are registered with Grants.gov.


    Note: You can choose to use one certificate for both the Production and Training environments or use separate ones.

  2. Notification: Grants.gov will notify you by email once your certificate has been successfully installed on their system.

  3. Final Authorization: After installation,

    • Applicants: A user in your organization with the Expanded AOR role or Manage Certificates privilege must log in, go to Manage Certificates, select the installed certificate, and assign roles.

    • Grantor Agencies: A user with the Manage Grantors role must log in, go to Manage Grantor Certificates, select the installed certificate, and assign roles. For more detail on this step, see: Grants.gov Online Help.

Certificate Lifecycle & Notifications

  • You are responsible for monitoring expiration and renewing before the certificate expires.

  • Grants.gov may send courtesy email reminders prior to expiration (based on the contact information provided), but timely renewal remains your responsibility.

  • Renewed certificates must be re-submitted via the form for installation.

Using a Third-Party Service Provider

If you use a third-party grant application system (like Cayuse, Huron, or Kuali):

  • The system owner may provide the certificate for you.

  • Otherwise, you must obtain the certificate yourself and then provide it to the system administrator for their use.