Enabling Enterprise Trust of the Common Policy Certificate

This guide provides information on distributing the Federal Common Policy CA G2 (FCPCAG2) certificate to government-furnished workstations and devices as a trusted root certificate.

This guide is written for systems administrators who need to enable trust for the Federal Common Policy Root G2 (“FCPCAG2”) within their enterprise. This guide replaces the previous FCPCA migration guide since the migration to FCPCAG2 has been completed. This guide contains the portions of the previous guide that are still useful, including information about how to distribute the FCPCAG2 root certificate, and how to verify that the certificate is working as intended.

Enabling Enterprise trust of the FCPCA Root Certificate requires the following steps:

1. Obtain and verify the FCPCAG2 Certificate
2. Distribute the certificate to operating systems
3. Verify operating system distribution
4. Distribute to applications
5. Distribute intermediate certificates

This guide ends by presenting answers to Frequently Asked Questions

Step 1 - Obtain and verify the FCPCA root certificate

The first step in this process is to obtain a copy of the FCPCAG2 root certificate and verify its authenticity.

Download a Copy of the FCPCA root certificate

To download a copy of the FCPCAG2 root certificate, use one of these recommended options:

• Download the certificate from http://repo.fpki.gov/fcpca/fcpcag2.crt
• Email fpki-help@gsa.gov to request an out-of-band copy for download.

Verify Your Copy of the FCPCA root certificate

To verify your copy of the FCPCA root certificate, use one of these options:

On Windows: Use Microsoft Certutil

1. Click Start, type cmd, and press Enter.

2. Run the following command:

    certutil -hashfile {DOWNLOAD_LOCATION}\fcpcag2.crt SHA256
   

Note: The following video shows you how to verify your copy of the FCPCA root certificate on Microsoft Server 2016. Click for a larger version

On macOS: Use Terminal

1. Click the Spotlight icon and search for Terminal.
2. Double-click the Terminal icon (black monitor icon with white “>_”) to open a window.

3. Run the following command:

    shasum -a 256 {DOWNLOAD_LOCATION}/fcpcag2.crt
   

Note: The following video shows you how to verify your copy of the FCPCA root certificate on macOS Catalina (10.15). Click for a larger version

On Linux/Unix: Use the Command Line

1. Open the command line.

2. Run the following command:

    sha256sum {DOWNLOAD_LOCATION}/fcpcag2.crt
   

After you have verified the certificate, you are ready to distribute the FCPCA root certificate certificate within your environment.

• You can distribute it to operating systems in your environment or
• you can distribute it to applications within your environment.

Step 2 - Distribute to operating systems

To distribute the Federal Common Policy CA G2 (FCPCAG2) certificate, use one of these options:

For Microsoft Windows

• Use Microsoft Certutil
• Use Microsoft Group Policy Object (GPO)
• Use third-party configuration management tools
• Use Microsoft Certificate Manager for unmanaged devices

For macOS

• Use an Apple configuration profile
• Use the command line
• Use Apple Keychain

For iOS

• Use an Apple configuration profile
• Use the Safari Web Browser
• Enable Full Trust for the FCPCA root certificate

For Linux/Unix

• Use the command line

Microsoft Solutions

Use Microsoft Certutil

1. Click Start, type cmd, and press Enter.

2. Run the following command:

    certutil -dspublish -f [PATH\]fcpcag2.crt RootCA
   

3. To verify that the FCPCA root certificate was distributed, run the following commands:

    gpupdate /force
    certutil -viewstore -enterprise
   

4. Confirm that the output details include the FCPCAG2 root certificate.
5. Verify the certificate details against the expected values (for example, serial number, hash, etc.).

Note: The following video shows you how to distribute the FCPCAG2 root certificate using Microsoft Certutil. Click for a larger version.

Use Microsoft Group Policy Object (GPO)

1. Navigate to Server Manager.
2. Select Tools.
3. Select Group Policy Management from the drop-down list.
4. Right-click your desired domain(s) and select Create a GPO in this domain, and Link it here.
5. Enter a GPO Name, and click OK.
6. Right-click the newly created GPO and click Edit.
7. Navigate to Policies > Windows Settings > Security Settings > Public Key Policies.

8. Right-click Trusted Root Certification Authorities, and select Import.

   The Certificate Import Wizard appears.

9. Browse to and select your copy of the FCPCAG2 root certificate.
10. Verify that the target Certificate Store presents Trusted Root Certification Authorities, and select Next.

11. Select Finish to complete the import.

    A success message appears.

12. Close the Group Policy Management window.
13. Wait for clients to consume the new policy.

14. (Optional) To force client consumption, click Start, type cmd, press Enter, and run the following command:

    gpupdate /force

Note: The following video shows you how to distribute the FCPCA root certificate with Microsoft GPO. Click for a larger version.

Use Third-Party Configuration Management Tools

You can use third-party configuration management tools, such as BigFix.

1. Using BigFix, schedule a task and push the certificate file. Run the following command (example):

    certutil -f -addstore root “fcpcag2.crt”
   

Use Microsoft Certificate Manager for Unmanaged Devices

To distribute the FCPCAG2 root certificate to unmanaged devices:

1. Click Start, type certmgr.msc, and press Enter.
2. Right-click Trusted Root Certification Authorities, and select All Tasks > Import.
3. When the Certificate Import Wizard appears, browse to and select your copy of the FCPCAG2 root certificate.
4. Verify that the desired Certificate Store displays Trusted Root Certification Authorities, and select Next.
5. Select Finish to complete the import.
6. A success message appears.

Note: If several users share a device, you can run the certlm.msc to simultaneously update the certificate stores for the accounts on the device (vs. updating each account separately).

macOS Solutions

Create, Distribute, and Install an Apple Configuration Profile

For macOS and iOS government-furnished devices, you can use Apple configuration profiles (XML files) to distribute and automatically install the FCPCAG2 root certificate.

These steps describe how to create, distribute, and install profiles using Apple’s free Configurator 2 application. There are also available third-party applications.

Create an Apple Configuration Profile

1. As an administrator, download and verify a copy of the FCPCA root certificate to your device.
2. Download and install Configurator 2 from the Apple App Store.
3. Open Configurator 2 and click File > New Profile.
4. On the General tab, enter a unique profile Name (for example, FCPCA Profile) and Identifier (for example, FCPCA-0001).
5. On the Certificates tab, click Configure.
6. Browse to and select your verified copy of the FCPCAG2 root certificate.
7. (Optional) Add additional agency-specific configurations or customizations.
8. Click File > Save to save your profile to your preferred location.
9. Distribute the profile across your enterprise.

Note: The following video shows you how to create an Apple configuration profile. Click for a larger version.

APPLE CONFIGURATION PROFILE (EXAMPLE)

To use this profile, copy the XML information and save it as a .mobileconfig file.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadCertificateFileName</key>
            <string>fcpcag2.crt</string>
            <key>PayloadContent</key>
            <data>
            MIIF3TCCA8WgAwIBAgIUIeW5oMyVbeJ4ygErqP3Fipiz++owDQYJKoZIhvcNAQEM
            BQAwXDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDENMAsG
            A1UECxMERlBLSTEkMCIGA1UEAxMbRmVkZXJhbCBDb21tb24gUG9saWN5IENBIEcy
            MB4XDTIwMTAxNDEzMzUxMloXDTQwMTAxNDEzMzUxMlowXDELMAkGA1UEBhMCVVMx
            GDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDENMAsGA1UECxMERlBLSTEkMCIGA1UE
            AxMbRmVkZXJhbCBDb21tb24gUG9saWN5IENBIEcyMIICIjANBgkqhkiG9w0BAQEF
            AAOCAg8AMIICCgKCAgEA19fTFzEmIRgQKkFty6+99sRRjCTYBYh7LloRpCZs4rgp
            Bk+/5P4aZYd5v01GYBfOKywGJyFh4xk33/Q4yACoOT1uZOloNq/qhhT0r92UogKf
            77n5JgMhvg/bThVB3lxxahZQMM0YqUhg1rtaKRKsXm0AplhalNT6c3mA3YDSt4+7
            5i105oE3JbsFjDY5DtGMYB9JIhxobtWTSnhL5E5HzO0GVI9UvhWAPVAhxm8oT4wx
            SOIjZ/MywXflfBrDktZu1PNsJkkYJpvFgDmSFuEPzivcOrytoPiPfgXMqY/P7zO4
            opLrh2EV5yA4XYEdoyA2dVD8jmm+Lk7zgRFah/84P2guxNtWpZAtQ9Nsag4w4Emt
            Rq82JLqZQlyrMbvLvhWFecEkyfDzwGkFRIOBn1IbUfKTtN5GWpndl8HCUPbR2i7h
            pV9CFfkXTgsLGTwMNV2xPz2xThrLDu0jrDG+3/k42jB7KH3SQse72yo6MyNF46uu
            mO7vORHlhOTVkWyxotBU327XZfq3BNupUDL6+R4dUG+pQADSstRJ60gePp0IAtQS
            HZYd1iRiXKpTLl0kofB2Y3LgAFNdYmaHrbrid0dlKIs9QioDwjm+wrDLAmuT4bjL
            ZePhc3qt8ubjhZN2Naz+4YP5+nfSPPClLiyM/UT2el7eY4l6OaqXMIRfJxNIHwcC
            AwEAAaOBljCBkzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV
            HQ4EFgQU9CdcqcN8R/T6pqewWZeq3TUmF+MwUQYIKwYBBQUHAQsERTBDMEEGCCsG
            AQUFBzAFhjVodHRwOi8vcmVwby5mcGtpLmdvdi9mY3BjYS9jYUNlcnRzSXNzdWVk
            QnlmY3BjYWcyLnA3YzANBgkqhkiG9w0BAQwFAAOCAgEAAWQ3MAzwzr3O1RSBkg06
            NCj7eIL7/I5fwTBLhpoMhE0XoaoPUie0gqRo3KO2MhuBtacjy55ihIY87hShGoKQ
            cbA1fh7e4Cly5QkOY+KbQsltkKzgod2zmPyC0bEOYD2LO141HyeDWdQ6dDXDz6dr
            8ObntOfMzgdo7vodCMuKU8+ysTdxRxTCi6AVz3uqe5k+ObJYpC0aXHNMy1OnFgL6
            oxMeGMlSecU/QUAIf0ncDurYFSctFwXitTC0CrcLO9/AGHqTFSHzUrIlbrgd/aGO
            +E3o3QoU+ThCPPnu1K2KZLG4pyMqdBm4y7rVGPRikLmFhIv/b6b2CL8yiYL0+mJD
            crTVs0PYfALtQxMpSA8n053gajlPwhG3O5jcL8SzqlaGPmGqpnEi9aWAYHJXTzbj
            zGUAc2u8+Kw8Xv4JffhVWIxVKH4NS5PCtgXwxifgrmPi0/uU1w0crclEsSsya7FI
            BVRTURoSwwda25wIIWPIkQsQK1snJxgEyUzXi10MUDR0WSDqQAdhbOLcmcyhED5h
            phYQnf8sD8FpoUDjoLCPkU/ytfZoplmcBM4SQ4Ejgjyk63vMqBDcCMXTHciFTsV2
            e+aReLvIvU4YmaBQQl3vCFj1qMPIkRsTby1Ff8hRDQG3kH0vefcVtcicsdU8kV2M
            ee/xJ/c0cIHZWMw0HoRZPbo=
            </data>
            <key>PayloadDescription</key>
            <string>Adds a CA root certificate</string>
            <key>PayloadDisplayName</key>
            <string>Federal Common Policy CA</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.security.root.1EB75E7D-C3BC-46C2-AF42-51D80A2E12FC</string>
            <key>PayloadType</key>
            <string>com.apple.security.root</string>
            <key>PayloadUUID</key>
            <string>1EB75E7D-C3BC-46C2-AF42-51D80A2E12FC</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>Federal Common Policy Certification Authority Profile</string>
    <key>PayloadIdentifier</key>
    <string>FCPCA-0001</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>AAD17D9A-DA41-4197-9F0F-3C3C6B4512F9</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

Distribute an Apple Configuration Profile

You can use Apple’s Configurator 2 to distribute your Apple configuration profile to government-furnished macOS and iOS devices in the following ways:

• Physically connect to the user’s device.
• Email a profile to specific users.*
• Share a profile on an agency intranet webpage.*
• Share via over-the-air profile delivery and configuration (Apple Developer Library).
• Share via over-the-air delivery and configuration from an MDM server (Apple Developer Library). Third-party applications are also available.

*For iOS only – If you download and install the FCPCAG2 root certificate from an email or an intranet website, you will need to manually enable SSL trust for FCPCA. This is not needed if you use Configurator 2 with over-the-air (OTA) methods or an MDM enrollment profile to install the FCPCAG2 root certificate. (See Enable Full Trust for FCPCA.)

Install an Apple Configuration Profile

We recommend using an automated method to install Apple configuration profiles on government-furnished Apple devices (for example, a desktop configuration management or MDM tool), which will distribute FCPCA. (If you have questions about third-party products, email us at fpki@gsa.gov.)

You can also manually install a profile.

Note:The following video shows you how to manually install an Apple configuration profile on macOS.

Install FCPCA Using Command Line

1. Click the Spotlight icon and search for Terminal.
2. Double-click the Terminal icon (black monitor icon with white “>_”) to open a window.

3. Run the following command:

    sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" {DOWNLOAD_LOCATION}/fcpcag2.crt
   

Note:The following video shows you how to install FCPCA using the command line. Click for a larger version

Install FCPCA Using Apple Keychain Access

You can use the System Keychain or Login Keychain to install the FCPCA root certificate.

System Keychain

1. Click the Spotlight icon and search for Keychain Access.
2. Double-click the Keychain Access icon to open the application.
3. Click the System keychain from the left-hand navigation.
4. Click File -> Import Items
5. Browse to and select your verified copy of FCPCAG2.
6. When prompted, enter your administrator username and password.
7. Keychain Access will present the installed certificate.

Note:The following video shows administrators how to install FCPCAG2 by using the Apple Keychain Access import process. Click for a larger version

Login Keychain

1. Browse to your downloaded, verified copy of FCPCA.
2. Double-click the file.
3. Keychain Access opens and displays the installed certificate.

Note:The following video shows non-administrators how to install FCPCA using the Apple Keychain Access import process. Click for a larger version

iOS Solutions

Install FCPCA Using an Apple Configuration Profile in iOS

You can use Apple configuration profiles to install the FCPCA root certificate on both macOS and iOS devices.

Review the Apple configuration profiles guidance for instructions.

Install FCPCA Using Safari Web Browser

You can use the Safari web browser to install the FCPCA root certificate on iOS devices only.

1. Launch Safari.
2. Navigate to the FCPCA root CA certificate: http://repo.fpki.gov/fcpca/fcpcag2.crt.
3. System message says: The website is trying to open Settings to show you a configuration profile. Do you want to allow this?
4. Click Allow. The FCPCA root certificate configuration profile appears.
5. Click More Details, and then select the FCPCA certificate entry.
6. Scroll to Fingerprints and verify the certificate’s SHA-256 hash against the expected value.
7. At the top left of screen, click Back and Install Profile. Then, click Install (top right).
8. When prompted, enter your device passcode.
9. Click Install in the upper right corner, and Install again.
10. Click Done.
11. Follow the steps below to enable full trust for FCPCA.

Note:The following video shows you how to install FCPCA using the Safari web browser. Click for a larger version

Enable Full Trust for FCPCA

This option works for iOS devices only.

1. On the iOS device’s Home screen, select Settings > General > About > Certificate Trust Settings.
2. Under Enable Full Trust for Root Certificates, toggle ON for the FCPCA root CA certificate entry.
3. When the certificate appears, click Continue.

You can now successfully navigate to any intranet website whose SSL certificate was issued by a Federal Public Key Infrastructure (FPKI) CA.

Linux and Unix Solutions

Debian-Based Kernels

1. Launch the command line.

2. Change directory with the following command:

    cd /usr/local/share/ca-certificates/
   

3. Convert the FCPCA certificate to PEM and set permissions with the following commands:

    sudo openssl x509 -inform der -in [PATH\]fcpcag2.crt -out fcpcag2-pem.crt
    sudo chmod 644 fcpcag2-pem.crt
   

4. Update Trusted Certificates with the following command:

    sudo update-ca-certificates
   

Red Hat Enterprise Linux, CentOS, and Other Non-Debian-Based Kernels

1. Launch the command line.

2. Change directory with the following command:

    cd /etc/pki/ca-trust/source/anchors/
   

3. Copy your verified copy of FCPCAG2 into the folder and set permissions with the following commands:

    sudo cp [PATH\]fcpcag2.crt .
    sudo chown root.root fcpcag2.crt
    sudo chmod 644 fcpcag2.crt
   

4. Update Trusted Certificates with the following command:

    sudo /bin/update-ca-trust extract
   

Next, verify distribution of the FCPCAG2 certificate as an operating system trusted root.

Step 3 - Verify operating system distribution

To verify that the Federal Common Policy CA G2 (FCPCAG2) certificate has been distributed to your agency’s workstations and devices, use one of these options:

Verifying - Microsoft Windows

• Automated Solutions (Recommended)
  • Use BigFix
  • Use LANDesk 2016
• Manual Solutions
  • Use Microsoft Certificate Manager
  • Use Microsoft Registry Editor

macOS

• Use Keychain Access

iOS

• Use Settings

Linux/Unix

• Use the Command Line

Verifying on Microsoft Windows

Use BigFix

1. Download the BigFix Enterprise Suite (.bes) analysis file: FPKIRootG2Detection.bes.

2. Use Certutil or another tool to verify the .bes file’s SHA-256 hash (required):

    certutil -hashfile [DOWNLOAD_LOCATION]\FPKIRootDetection.bes SHA256
   

3. The file’s hash must match this one:

    03bca16f7d21be344d954105b5ccb3caf578588cf6b8bd6f1cd03dfe298361bb
   

4. Log into BigFix:Start > IBM BigFix > IBM BigFix Console.
5. Import the FPKIRootG2Detection.bes file:File > Import > Open. The Create Analysis window appears.
6. Assign the file:for Create in site, select site name, and for Create in domain, select domain name. Click Okay.
7. On the left side panel, click Analyses to see a list of imported analysis files.
8. Click Federal Common Policy CA Distribution Detection (i.e., FPKIRootG2Detection.bes) and click the Results tab to see the distribution analysis. If the analysis was not activated by default, right-click the file and then click Activate Globally.
9. For each workstation or device listed, “Has FCPCA Been Distributed?” should say True. If False, you’ll need to investigate the cause of the failure. If you can’t find a cause, please contact us at fpkirootupdate@gsa.gov.

Use LANDesk 2016

1. Open LANDesk 2016:Start > LANDesk Management > Desktop Manager.
2. Create a custom registry data item:Tools > Reporting/Monitoring > Manage software list.
3. Expand Custom Data, and click Registry items.
4. Click Add to add a new registry item.

5. Add the data shown below for Windows 32-bit or 64-bit versions, based on GPO or Certutil distribution of FCPCA.

   • Microsoft Windows 32-bit Versions

     • GPO Distribution

       Root Key: HKLM
       Key: SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\99b4251e2eee05d8292e8397a90165293d116028
       Value: BLOB
       Attribute Name: Custom Data – FCPCAWin32 GPO – Certificate
     

     • Certutil Distribution

       Root Key: HKLM
       Key: SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\99b4251e2eee05d8292e8397a90165293d116028
       Value: BLOB
       Attribute Name: Custom Data – FCPCAWin32 certutil – Certificate
     

   • Microsoft Windows 64-bit Versions

     • GPO Distribution

       Root Key: HKLM
       Key: SOFTWARE\WOW6432Node\Policies\Microsoft\SystemCertificates\Root\Certificates\99b4251e2eee05d8292e8397a90165293d116028
       Value: BLOB
       Attribute Name: Custom Data – FCPCAWin64 GPO - Certificate
     

     • Certutil Distribution

       Root Key: HKLM
       Key: SOFTWARE\WOW6432Node\Microsoft\EnterpriseCertificates\Root\Certificates\99b4251e2eee05d8292e8397a90165293d116028
       Value: BLOB
       Attribute Name: Custom Data – FCPCAWin64 certutil - Certificate
     

6. Create a query for the registry item:on the left side panel, expand Network View, and click Queries.
7. Right-click My Queries, select New Query, and enter a query name (e.g., FCPCA Verification: Win32 Machines).
8. Under Machine Component, expand Computer, click Custom Data, and select the registry item.
9. For Boolean, select Exists.
10. For Displayed Scanned Values, click Insert and add the BLOB value from above.
11. Double-click the new query name to verify FCPCA distribution. The results will be similar to these (Click for a larger version):

Use Microsoft Certificate Manager

1. Open Microsoft Certificate Manager:Start; then type certlm.msc and press Enter.
2. Go to Trusted Root Certification Authorities > Certificates. To see whether FCPCAG2 was successfully distributed, look for Federal Common Policy CA G2 shown with Intended Purposes of ALL and a Friendly Name of None, as shown here (Click for a larger version):

Optional:

1. Open Microsoft Certificate Manager: Start; then type certlm.msc and press Enter.
2. Select Trusted Root Certification Authorities from the left side panel, then select View > Options.
3. In the View Options box, select the Physical certificate stores checkbox.
4. On the left side panel, click the > icon next to Trusted Root Certification Authorities to see the subdirectories.
5. Verify the distribution of FCPCA:
   • For Certutil-distributed copies of FCPCAG2, click Enterprise > Certificates. FCPCAG2 should appear in the certificates list.
   • For GPO-distributed copies of FCPCA, click Group Policy > Certificates. FCPCAG2 should appear in the certificates list.

Use Microsoft Registry Editor

1. Verify that FCPCAG2 has been distributed to a specific workstation or device:open the Microsoft Registry Editor:Start; type regedit.exe and press Enter.
2. The following registry keys will appear for GPO- or Certutil-distributed copies of FCPCAG2:

GPO-distributed FCPCA

HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\99b4251e2eee05d8292e8397a90165293d116028\
HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\SystemCertificates\Root\Certificates\99b4251e2eee05d8292e8397a90165293d116028\

Certutil-distributed FCPCA

HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\99b4251e2eee05d8292e8397a90165293d116028\
HKLM:\SOFTWARE\WOW6432Node\Microsoft\EnterpriseCertificates\Root\Certificates\99b4251e2eee05d8292e8397a90165293d116028\

Verifying - macOS

Use Keychain Access

1. Click the Spotlight icon and search for Keychain Access.
2. Double-click the Keychain Access icon.
3. Ensure that an entry for FCPCA exists in the login or System Keychain Certificates repository. Click for a larger version

Verifying - iOS

Use Settings

1. Select Settings > About > Certificate Trust Settings.
2. Verify that Federal Common Policy CA G2 has full trust enabled.

Verifying - Linux and Unix

Use the Command Line

1. Launch the command line.

2. Run the following command to verify the Federal Common Policy CA G2 has an entry in the system’s trust list:

    trust list | grep "Federal Common Policy CA"

Next, distribute the FCPCA certificate to application trust stores.

Step 4 - Distribute to applications

Many, but not all, software applications leverage the underlying operating system trust store to verify whether a certificate should be trusted.

Collaborate across agency teams to identify applications that rely on custom trust stores to ensure distribution of the Federal Common Policy CA G2 (FCPCAG2) certificate.

Example applications with custom trust stores:

• Java and all Java-based applications (for example, Apache Tomcat)
• Mozilla products (for example, Firefox or Thunderbird)
• OpenSSL-based applications (for example, Apache HTTP Server or Nginx)

Next, determine if you need to distribute the CA certificates issued by the FCPCAG2 root certificate.

Step 5 - Distribute intermediate certificates

Do I Need to Distribute the Intermediate CA Certificates?

Operating Systems

You might need to distribute the intermediate CA certificates issued by the FCPCA root certificate, depending upon your enterprise operating systems’ type and configuration.

• Microsoft Windows: Intermediate CA certificate distribution is recommended.
  • Typically, Windows clients are able to dynamically build paths to a trusted root CA certificate through Microsoft’s Certificate Chaining Engine (CCE).
  • Distributing the intermediate CA certificates improves system performance and prioritizes use of the FCPCAG2 root certificate.
  • There are instances where dynamic validation can fail, for example, when firewall rules prevent Microsoft from navigating to a certificate’s Authority Information Access extension Uniform Resource Locator. Email us at fpki@gsa.gov with any questions or issues.

• macOS or iOS: Intermediate CA certificate distribution is required.

• Linux or Unix: Intermediate CA certificate distribution is required.

Applications

Many, but not all, software applications leverage the underlying operating system trust store to verify whether a certificate should be trusted.

Collaborate across agency teams to identify applications that rely on custom trust stores to ensure distribution of the intermediate CA certificates issued by the FCPCAG2 root certificate.

Example applications with custom trust stores that may require intermediate CA certificate installation:

• Java and all Java-based applications (for example, Apache Tomcat)
• Mozilla products (for example, Firefox or Thunderbird)
• OpenSSL-based applications (for example, Apache HTTP Server or Nginx)

Which Certificates Do I Need to Distribute?

Identify which, if any, of the intermediate CA certificates issued by the Federal Common Policy CA G2 are currently being distributed across your agency.

A recommended starting point would be to replicate the existing configuration for CA certificates issued by the Federal Common Policy CA, instead of distributing the new certificates issued by the Federal Common Policy CA G2.

If you’re not sure which intermediate CA certificates issued by the FCPCA you need to distribute, consider distributing all of them or email us for help at fpki@gsa.gov.

How Do I Distribute the Intermediate CA Certificates?

Recommended solutions for distributing intermediate CA certificates are listed below.

Use Microsoft Group Policy Object

1. Navigate to Server Manager.
2. Select Tools.
3. Select Group Policy Management from the drop-down list.
4. Right-click your desired domain(s), and select Create a GPO in this domain, and Link it here.
5. Enter a GPO Name and click OK.
6. Right-click the newly created GPO and click Edit.
7. Navigate to Policies > Windows Settings > Security Settings > Public Key Policies.
8. Right-click Intermediate Certification Authorities, and select Import.
9. The Certificate Import Wizard appears
10. Browse to and select the certificates issued by the FCPCA that you want to distribute.
11. Verify that the target Certificate Store presents Intermediate Certification Authorities, and select Next.
12. Select Finish to complete the import.
13. A success message appears.
14. Close the Group Policy Management window.
15. Wait for clients to consume the new policy.

16. (Optional) To force client consumption, click Start, type cmd, press Enter, and run the following command:

     gpupdate /force
    

Use Apple Configuration Profile

Distribute Intermediate CA certificates with an Apple Configuration Profile

1. As an administrator, download and verify the certificates issued by the FCPCA that you want to distribute.
2. Download and install Configurator 2 from the Apple App Store.
3. Open Configurator 2 and click File > New Profile.
4. On the General tab, enter a unique profile Name (for example, FPKI Intermediate CA Certificate Distribution Profile) and Identifier (for example, FCPCA-Intermediate-0001).
5. On the Certificates tab, click Configure.
6. Browse to and select the certificates you want to distribute.
7. (Optional) Add additional agency-specific configurations or customizations.
8. Click File > Save to save your profile to your preferred location.
9. Follow the steps to distribute the profile to macOS and iOS devices across your enterprise.

Note:The following video shows you how to create an Apple configuration profile. Click for a larger version

Use Linux Command Line

The steps to distribute an intermediate CA certificate are the same as the steps to distribute a root CA certificate.

Certificates Issued By the Federal Common Policy CA

The following certificates are published in the Federal Common Policy CA certificate’s Subject Information Access extension bundle located at http://repo.fpki.gov/fcpca/caCertsIssuedByfcpcag2.p7c.

• Issued to: Federal Bridge CA G4
• Issued to: U.S. Department of State AD Root CA
• Issued to: US Treasury Root CA
• Issued to: DigiCert Federal SSP Intermediate CA - G6
• Issued to: DigiCert Federal SSP Intermediate CA - G5
• Issued to: Symantec SSP Intermediate CA - G4
• Issued to: Entrust Managed PKI Federal Root CA G2
• Issued to: Entrust Managed Services Root CA
• Issued to: Verizon SSP CA A2
• Issued to: WidePoint ORC SSP CA 5
• Issued to: WidePoint SSP Intermediate CA

Issued to: Federal Bridge CA G4

Issued to: U.S. Department of State AD Root CA

Issued to: US Treasury Root CA

Issued to: DigiCert Federal SSP Intermediate CA - G6

Issued to: DigiCert Federal SSP Intermediate CA - G5

Issued to: Symantec SSP Intermediate CA - G4

Issued to: Entrust Managed PKI Federal Root CA G2

Issued to: Entrust Managed Services Root CA

Issued to: Verizon SSP CA A2

Issued to: WidePoint ORC SSP CA 5

Issued to: WidePoint SSP Intermediate CA

Certificates issued to the Federal Common Policy CA

Distrusting the certificate below will prevent workstations from building a path from the Federal Common Policy CA, through the Federal Bridge CA G4, to the Federal Common Policy CA or any other root.

Issued by: Federal Bridge CA G4

The easiest way to verify your migration to the Federal Common Policy CA G2 (FCPCAG2) is to validate one of your PIV credential certificates.

Verify Migration on Windows

1. Click Start, type certmgr.msc, and then press Enter.
2. Double-click Personal, and then Certificates.
3. Browse to and select any of the certificates found on your PIV credential (the Issued To column displays your name).
4. Double-click the certificate and select the Certification Path tab.
5. Verify the certificate chain begins with the FCPCA (pictured below).

Note: It’s okay if different certification authorities appear below the FCPCAG2 for your certificate. Click for a larger version

Verify Migration on macOS

1. Click the Spotlight icon and search for Keychain Access.
2. Double-click the Keychain Access icon to open the application.
3. In the left navigation, click the Login keychain.
4. Browse to and select any of the certificates found on your PIV credential (the Name column displays your name).
5. Verify the This certificate is valid message appears beneath the certificate details.

Note: It’s okay if a different name appears in the keychain access screen. It should show the name of the user that the PIV certificate was issued to. Click for a larger version

Frequently Asked Questions

If your question does not appear in this list, send it to fpki@gsa.gov.

What happens if I don’t distribute the FCPCAG2 root certificate in my environment?

1. (High Impact) Authentication failures

   • Workstations
   • Websites
   • Applications (internal and cross-agency)
   • Virtual Private Networks (VPNs)

2. (Medium Impact) Error fatigue

   • Unexpected application errors and system behavior for legacy and government-off-the-shelf (GOTS) products

3. (Low Impact) Digital signature validation failures

• Email
• Documents and files (for example, Microsoft Word)

What errors can occur in Windows if I don’t distribute the FCPCA root certificate?

Sample Chrome error when a user navigates to an intranet site whose SSL/TLS certificate doesn’t chain to a trusted root CA: Click for a larger version

Sample Chrome error when PIV authentication fails because the user’s certificate doesn’t chain to a trusted root CA: Click for a larger version

Sample Microsoft Outlook error when a digital signature certificate for an email doesn’t chain to a trusted root CA: Click for a larger version

What errors can occur in macOS if I don’t distribute the FCPCA root certificate?

Sample Safari error when a user navigates to an intranet site whose SSL/TLS certificate doesn’t chain to a trusted root CA: Click for a larger version

Sample Safari error where client (PIV) authentication fails because a user’s certificate doesn’t chain to a trusted root CA: Click for a larger version

Sample Chrome error when a user navigates to an intranet site whose SSL/TLS certificate doesn’t chain to a trusted root CA: Click for a larger version

Sample Chrome error where client (PIV) authentication fails because a user’s certificate doesn’t chain to a trusted root CA: Click for a larger version

What errors can occur in iOS if I don’t distribute the FCPCA root certificate?

Sample Safari error when a user navigates to an intranet site whose SSL/TLS certificate doesn’t chain to a trusted root CA: Click for a larger version

Sample Chrome error when a user navigates to an intranet site whose SSL/TLS certificate doesn’t chain to a trusted root CA: Click for a larger version

How can I verify that the FCPCA root certificate has been successfully distributed to my workstation or device?

Please review the steps to verify distribution of the FCPCA root certificate.

Do I need to distribute the FCPCA root certificate to my Bring Your Own Device (BYOD) program device?

As a BYOD program device user, you’ll need to distribute the FCPCAG2 root certificate if you:

• use your PIV credential to log into intranet sites or VPNs,
• validate PIV digital signatures in emails or documents, or
• navigate to intranet pages whose SSL/TLS certificates chain to the FCPCAG2 root certificate.

How do I configure my unmanaged Windows system to trust the new Federal Common Policy CA?

1. Download a copy of the FCPCA certificate from http://repo.fpki.gov/fcpca/fcpcag2.crt
2. Download the bundle of FPKI intermediate CA certificates for unmanaged devices (fpki-unmanaged-bundle.p7b)
3. Update your Trust Store:
   • Click Start, type certmgr.msc, and press Enter.
   • Right-click Trusted Root Certification Authorities (on the left-hand navigation), and select All Tasks > Import. Click Next once the Certificate Import Wizard opens.
   • Browse to and select your copy of the FCPCA root certificate. Click Next several times until the certificate import process is complete.
   • When prompted, verify the certificate thumbprint matches 99B4251E2EEE05D8292E8397A90165293D116028 (additional spaces may appear depending on your Windows Version).
   • Click Yes.
   • Right-click Intermediate Certification Authorities (on the left-hand navigation), and select All Tasks > Import. Click Next once the Certificate Import Wizard opens.
   • Browse to and select your copy of fpki-unmanaged-bundle.p7b, making sure “All Files” are presented to view the .p7b file (this appears in a drop-down box next to the “File Name” input box). Click Next several times until the certificate import process is complete.

To verify your distribution (assumes certmgr.msc is still open):

1. Verify an entry for the FCPCAG2 root certificate
   • Use the left-hand navigation to browse to Trusted Root Certification Authorities > Certificates
   • Press the F5 key to refresh the folder contents
   • Verify an entry exists for the Federal Common Policy CA (both the Issued To and Issued By columns will present “Federal Common Policy CA G2”.)
2. Verify entries for the intermediate CA certificates issued by the Federal Common Policy CA G2
   • Use the left-hand navigation to browse to Intermediate Certification Authorities > Certificates
   • Press the F5 key to refresh the folder contents
   • Sort the data by clicking on the Issued By column
   • Verify nine (9) entries for certificates issued by the Federal Common Policy CA G2

Note: The following video demonstrates the distribution steps outlined above. Click for a larger version

How do I configure my unmanaged macOS device to trust the new Federal Common Policy CA?

1. Download a copy of fpki-unmanaged-bundle.mobileconfig
2. Browse to and double-click on your copy of fpki-unmanaged-bundle.mobileconfig.
3. Navigate to System Preferences -> Profiles
4. Verify the profile contents and click Install (twice)

Note:The following video shows you how to install FCPCAG2 and the intermediate CA certificates using an Apple configuration profile on macOS. Click for a larger version

How do I configure my unmanaged iOS device to trust the new Federal Common Policy CA?

1. Launch Safari.
2. Navigate to a copy of the fpki-unmanaged-bundle.mobileconfig

   System message says: The website is trying to open Settings to show you a configuration profile. Do you want to allow this?

3. Click Allow.
4. Navigate to Settings -> General -> Profile
5. Select the “Distribute FCPCA and Intermediate CA Certificates” profile
6. Select More Details and select the certificate entry for the FCPCAG2
7. Scroll to Fingerprints and verify the certificate’s SHA-256 hash against the expected value.
8. At the top left of screen, click Back and Install Profile. Then, click Install (top right).
9. When prompted, enter your device passcode.
10. Click Install in the upper right corner, and Install again.
11. Click Done.
12. Enable full trust for the FCPCA.

Note:The following video shows you how to install FCPCAG2 and the intermediate CA certificates using the Safari web browser. Click for a larger version

How do I configure the Firefox web browser to trust the new Federal Common Policy CA?

The following steps will allow Firefox to use the underlying operating system trust store. Follow these steps only after distributing the Federal Common Policy CA G2 to your Windows or macOS device.

1. Open Firefox.
2. Enter about:config in the address bar and continue to the list of preferences.
3. Set the preference security.enterprise_roots.enabled to true.
4. Restart Firefox.

Note:The following video shows you how to configure the Firefox web browser to trust the certificates included in the operating system trust store. Click for a larger version