Signature Verification

All CISA administrative subpoenas will be signed with a cryptographic digital signature by an authorized CISA representative.

The following information is provided as a resource for subpoena recipients.

Certificates

CISA administrative subpoenas will be signed using the Department of Homeland Security public key infrastructure. The latest DHS certificate revocation list and DHS CA certificates are posted on the Treasury Department’s CRL’s and Certificates page https://pki.treas.gov/crl_certs.htm.

Hashes/Thumbprints of Authorized Representatives’ X.509 Certificates

The information below contains X.509 certificate hash values that can be used to help determine whether the subpoena signature, once verified, was provided by an authorized representative of CISA.

  • Authorized Representative Validity Period

    • September 8, 2022 To Current 

  • Hash Algorithm
    • SHA1 (Thumbprint)
  • X.509 Certificate Hash Value
    • 52 41 E7 80 D0 95 BF DA C8 66 79 32 18 B3 89 9E 65 BA 00 6C
  • Authorized Representative Validity Period

    • September 8, 2022 To Current 

  • Hash Algorithm
    • SHA256
  • X.509 Certificate Hash Value
    • 1C 8E 76 64 85 C4 82 97 19 0D B4 44 00 F9 CE 72 0A 7B 92 5F 38 F7 81 5B F4 C6 C8 B0 B2 00 F3 6E
  • Authorized Representative Validity Period

    • March 21, 2022 To Current

  • Hash Algorithm
    • SHA1 (Thumbprint)
  • X.509 Certificate Hash Value
    • 5F B6 82 49 4C F3 49 9C 9D 2E DA E8 93 D2 7B 46 46 BB 0C 37
  • Authorized Representative Validity Period

    • March 21, 2022 To Current

  • Hash Algorithm
    • SHA256
  • X.509 Certificate Hash Value
    • AF 72 CE 33 9A E1 1F 58 61 C1 90 D7 F0 DC 68 57 B5 72 E2 B4 17 0D 7E 75 90 45 64 77 D9 2D F9 3E
  • Authorized Representative Validity Period

    • July 13, 2021 To Current

  • Hash Algorithm
    • SHA1 (Thumbprint)
  • X.509 Certificate Hash Value
    • 22 D4 A8 F9 55 86 A4 09 73 E9 C3 1C 90 E8 42 2A 68 D0 20 65
  • Authorized Representative Validity Period

    • July 13, 2021 To Current

  • Hash Algorithm
    • SHA256
  • X.509 Certificate Hash Value
    • 1B 02 40 C8 2A 8E 32 A6 4E E8 AF B1 6D B4 8F 21 DB D3 6D 52 BA B8 83 09 40 D7 FF C7 DE 84 7F AB
  • Authorized Representative Validity Period

    • April 26, 2021 to July 12, 2021

  • Hash Algorithm
    • SHA1 (Thumbprint)
  • X.509 Certificate Hash Value
    • 2E 75 C4 7B 65 87 13 5B 81 6F A2 79 6C 56 A4 CB 59 80 C4 0A 5D 61 77 64 EF 84 48 6E 1E 2C 11 2A

Authorized Representative Validity Period – The authorized representative validity period is the time period during which the CISA representative is authorized to sign CISA administrative subpoenas.  This time period is different from the signer’s certificate validity period.

Hash Algorithm – CISA is providing both the SHA1 and SHA256 hash values for each X.509 certificate. Either hash value can be used to compare with the hash value of the signature in the received subpoena; however, using the SHA256 hash is recommended.* 

X.509 Certificate Hash Value – Hash value of an authorized signer’s X.509 certificate.

* The National Institute of Standards and Technology (NIST) has directed federal agencies to stop using the SHA1 algorithm (https://csrc.nist.gov/Projects/Hash-Functions/NIST-Policy-on-Hash-Functions) due to potential for cryptographic collisions.  CISA is providing SHA1 values for the convenience of organizations unable to obtain the preferred SHA256 values.