Administrative Subpoena Signature Resources


All CISA administrative subpoenas will be signed with a cryptographic digital signature by an authorized CISA representative.

The following information is provided as a resource for subpoena recipients.

Certificates

CISA administrative subpoenas will be signed using the Department of Homeland Security public key infrastructure. The latest DHS certificate revocation list and DHS CA certificates are posted on the Treasury Department’s CRL’s and Certificates page https://pki.treas.gov/crl_certs.htm.

Hashes/Thumbprints of Authorized Representatives’ X.509 Certificates

The table below contains X.509 certificate hash values that can be used to help determine whether the subpoena signature, once verified, was provided by an authorized representative of CISA.
 

| Authorized Representative Validity Period | Hash Algorithm | X.509 Certificate Hash Value |
|---|---|---|
| April 26, 2021 to Current | SHA1 (Thumbprint) | 3F FC 19 C6 54 AF CC CB 48 C0 30 13 76 FE 23 FB 7F 5F 22 24 |
| April 26, 2021 to Current | SHA256 | 2E 75 C4 7B 65 87 13 5B 81 6F A2 79 6C 56 A4 CB 59 80 C4 0A 5D 61 77 64 EF 84 48 6E 1E 2C 11 2A |


Authorized Representative Validity Period – The authorized representative validity period is the time period during which the CISA representative is authorized to sign CISA administrative subpoenas.  This time period is different from the signer’s certificate validity period.

Hash Algorithm – CISA is providing both the SHA1 and SHA256 hash values for each X.509 certificate. Either hash value can be compared with the hash value of the signer’s certificate in the received subpoena’s signature; however, using the SHA256 hash is recommended.*

X.509 Certificate Hash Value – Hash value of an authorized signer’s X.509 certificate.
 

* The National Institute of Standards and Technology (NIST) has directed federal agencies to stop using the SHA1 algorithm (https://csrc.nist.gov/Projects/Hash-Functions/NIST-Policy-on-Hash-Functions) due to potential for cryptographic collisions.  CISA is providing SHA1 values for the convenience of organizations unable to obtain the preferred SHA256 values.
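
One way to script the comparison described above, as an added example that is not CISA's own code: it hashes the signer certificate exported from a subpoena whose signature has already been verified and checks the result against the table values for the signing date. The function names and the signed_on parameter are assumptions of this example; the hash values and dates are copied from the table on this page.

```python
import hashlib
import hmac
import ssl
from datetime import date

# (algorithm, hash value, authorized from, authorized to) copied from the table
# on this page; None stands for "Current".
AUTHORIZED = [
    ("sha256", "2E 75 C4 7B 65 87 13 5B 81 6F A2 79 6C 56 A4 CB "
               "59 80 C4 0A 5D 61 77 64 EF 84 48 6E 1E 2C 11 2A", date(2021, 4, 26), None),
    ("sha1", "3F FC 19 C6 54 AF CC CB 48 C0 30 13 76 FE 23 FB 7F 5F 22 24",
     date(2021, 4, 26), None),
]


def normalize(hex_text):
    """Drop separators and case so 'AA BB', 'aa:bb' and 'aabb' compare equal."""
    return "".join(ch for ch in hex_text if ch not in " :\t\r\n").lower()


def to_der(cert):
    """Accept DER bytes or a PEM export; thumbprints are taken over the DER bytes."""
    if isinstance(cert, str):
        cert = cert.encode("ascii")
    if cert.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        return ssl.PEM_cert_to_DER_cert(cert.decode("ascii").strip())
    return cert


def is_authorized_signer(cert, signed_on, authorized=AUTHORIZED, allow_sha1=False):
    """True if the signer certificate matches a listed hash whose authorized
    period covers signed_on (the signing date from the verified signature)."""
    der = to_der(cert)
    for algo, value, start, end in authorized:
        if algo == "sha1" and not allow_sha1:
            continue  # SHA256 is the recommended comparison; SHA1 is opt-in
        if signed_on < start or (end is not None and signed_on > end):
            continue  # representative was not authorized on that date
        digest = hashlib.new(algo, der).hexdigest()
        if hmac.compare_digest(digest, normalize(value)):
            return True
    return False
```

A match only identifies the signer's certificate; the signature itself and the certificate chain and revocation status still have to be validated against the DHS PKI first.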
