[Donald]

They're likely referring to different parts of the federal government maintaining separate PKI. For example, the DoD has separate certificate structure (https://public.cyber.mil/pki-pke/) and these certificates aren't commonly pre-installed on platforms used by US citizens.

[boris-ning-usds]

Ah, understood.

Most federal agencies have their own internal PKI systems, and DoD is probably more unique than others because the infrastructure is bigger, older, and has different regulations governing them.

Most civilian agencies such as VA aside from DoD - should utilize public PKI / public CA for their certificates.

[tcberry]

I don't know if calling out the VA specifically is particularly fair on my part – it's possible my issue has been solely when attempting to access DoD sites secured by DoD certificates. Does any other government org in-house their certificates for internal sites in this way that is completely divorced from other root authorities?

[boris-ning-usds]

Feedback and comments are always welcome, at least I welcome them :D.

I can't speak for all government agencies, but generally there is an internal CA for hosting internal sites. I remember reading a comment from the Federal PKI guide that these sorts of infrastructure goes back to before 2004.

"Prior to 2004, some agencies had already deployed and invested in their own PKI and CAs. Some of these agencies opted out of migrating to the SSP Program and continued to manage their existing infrastructures. These Federal Agencies Legacy operate one or more CAs that are cross-certified with a Federal PKI Trust Infrastructure CA." - https://fpki.idmanagement.gov/ca/

Here's a very short list of public CA certificates from Treasury and it lists out public key certificate for many other agencies as well. - https://pki.treas.gov/crl_certs.htm