Rooted in peace — protecting all. AGENTR is your autonomous enrollment guide. It monitors each step, validates your inputs, and ensures your virtual credential is issued correctly and securely. No data ever leaves your device — your private key is generated locally and cannot be extracted.
🔗 Official DoD Identity Resources
🪖 MilitaryCAC.com
The primary community resource for Common Access Card support, middleware installation, troubleshooting, and configuration guidance for DoD systems.
🔗 www.militarycac.com →🆔 DMDC Identity Management
Defense Manpower Data Center's myAccess portal for DoD identity management, account requests, and access provisioning across classified and unclassified systems.
🔗 myaccess.dmdc.osd.mil →📋 FIPS 201 / PIV Standard
Federal Information Processing Standard 201 — the NIST specification that defines PIV credentials, cryptographic algorithms, and interoperability requirements.
🔗 NIST FIPS 201-3 →🖥️ CAC Middleware Setup
Official guidance for installing PKI middleware (OpenSC, Identiv, HID) that allows browsers and operating systems to communicate with physical and virtual smart cards.
🔗 Middleware Installation Guide →⚡ Physical CAC vs. Virtual CAC
| Factor | Physical CAC (Mail) | Virtual CAC (This System) |
|---|---|---|
| Mail interception risk | ✗ High — physical card can be stolen | ✓ Zero — no physical media sent |
| Issuance speed | ✗ 5–21 business days | ✓ Minutes (identity verified online) |
| Lost/stolen card | ✗ Requires re-issuance & revocation | ✓ Instantly revoked & re-issued cryptographically |
| Supply-chain attack surface | ✗ Card manufacturer, printer, USPS | ✓ Eliminated — keys generated locally |
| Cryptographic key custody | ✗ Generated & written by issuer | ✓ Private key never leaves your device |
| Multi-device support | ✗ Single physical token | ✓ Portable credential (device-bound or roaming) |
| Audit trail | ✗ Manual log only | ✓ Cryptographic & blockchain audit trail |
🔐 Security Features
WebCrypto Key Generation
RSA-PSS 2048-bit or ECDSA P-256 keys generated entirely in-browser via the W3C Web Cryptography API. Your private key never transmits over the network.
Self-Signed X.509 Certificate
Credential is modeled after FIPS 201 PIV certificate attributes — common name, organizational unit, clearance level, and cryptographic thumbprint.
Blockchain Audit Trail
Credential hash recorded on-chain (Ethereum/Solana) for tamper-evident revocation and access logging — mirroring the DoD's PKI revocation model.
Device-Bound Token
Credential bound to your authenticator (hardware key, TOTP, or biometric) so access cannot be delegated without explicit re-authorization.
Instant Revocation
Lost or compromised credentials are revoked in real-time through the CRL/OCSP mechanism — no waiting for mail-based card destruction.
Zero-Trust Architecture
Every authentication request is independently verified — no implicit trust based on network location. Follows NIST SP 800-207 Zero Trust guidelines.
📋 Virtual CAC Enrollment
Identity Verification
Enter your identity details as they appear in DEERS / DMDC. This mirrors the data collected when requesting access at myaccess.dmdc.osd.mil.
Generate Cryptographic Key Pair
A ECDSA P-256 key pair is generated locally in your browser using the W3C Web Cryptography API. Your private key never leaves this device. Only your public key is embedded in the virtual credential — identical to how PIV card keys are generated per FIPS 201.
Issue Virtual Credential
Your identity data and public key are signed together to produce a Virtual CAC token — a Base64-encoded credential containing your name, EDIPI, clearance level, expiry, and cryptographic fingerprint. This token can be verified offline without any central server.
Your Virtual CAC
Your credential is ready. Store it in your authenticator app, password manager, or download the JSON bundle. Present the QR code or token string at any Virtual-CAC-enabled checkpoint.
🏛️ Clearance Adjudication Hub
Important: Clearance adjudication is performed by DCSA (Defense Counterintelligence and Security Agency) and is completely independent of card issuance. This portal only handles the credential delivery step. To begin the clearance process, submit your SF-86 through NBIS/DISS (eapp.nbis.mil) and request account access via myaccess.dmdc.osd.mil. Once your clearance is granted, return here to issue your Virtual CAC credential.
📄 Submit SF-86 (eQIP / NBIS)
The Standard Form 86 (SF-86) is the Questionnaire for National Security Positions required for Secret, Top Secret, and SCI clearances. Complete and submit it through the National Background Investigation Services (NBIS) portal operated by DCSA.
🔗 Open NBIS / DISS Portal →🆔 Request Account Access
To access DoD systems, request account provisioning through the DMDC Identity Management portal. This step links your EDIPI to classified and unclassified network accounts after your clearance is adjudicated.
🔗 myaccess.dmdc.osd.mil →🔍 DCSA Adjudication Resources
Review the 13 Adjudicative Guidelines used by DCSA, track your investigation status in DISS, or contact your Facility Security Officer (FSO) for case updates. Adjudication timelines vary — typically 3–12 months depending on clearance level.
🔗 DCSA Adjudication Guidelines →📡 Real-Time Clearance Stage Tracker
Enter your EDIPI (DoD ID) and the clearance level you applied for to track where your case stands in the adjudication pipeline. Your status is stored locally on this device and never transmitted. Update your current stage as you receive notifications from DCSA/DISS.
❓ Frequently Asked Questions
▸ Is a Virtual CAC accepted at the same places as a physical CAC?
Virtual CAC credentials generated here follow the FIPS 201 data model. Acceptance at physical checkpoints depends on whether that checkpoint has been upgraded to support contactless / QR-based verification. Many modern DoD systems (CAC-enabled web portals, VPN authenticators) can be configured to accept the exported credential bundle directly. Check with your facility security officer (FSO) for physical gate compatibility.
▸ How is the private key protected?
The key pair is generated inside the browser's Secure Context using
window.crypto.subtle.generateKey()
with extractable: false.
This mirrors the non-exportable key policy on physical PIV/CAC cards —
the private key cannot be read from memory even by this page's own JavaScript.
Only the public key component is embedded in your Virtual CAC token.
To restore access on a new device, simply re-enroll with your EDIPI.
▸ How do I get my clearance adjudicated?
Clearance adjudication is performed by DCSA (Defense Counterintelligence and Security Agency) and is completely independent of card issuance. This portal only handles the credential delivery step. Submit your SF-86 through NBIS/DISS and request account access via myaccess.dmdc.osd.mil.
▸ What happens if I lose my device?
Because the private key is device-bound, losing your device means the credential on that device cannot be used by an attacker without your PIN/biometric. You can immediately initiate revocation from any other device using your EDIPI and identity verification, then re-enroll to obtain a new credential — typically in under 5 minutes vs. days for a physical CAC replacement.