Federal Public Key Infrastructure Guide Introduction
Welcome to the Federal Public Key Infrastructure (FPKI) Guides! In these guides, you will find commonly used links, tools, tips, and information for the FPKI.
These guides are open source and a work in progress and we welcome contributions from our colleagues. We encourage you to contribute and share information you think is helpful for the Federal PKI community.
What Is the Federal PKI?
The Federal PKI is a network of certification authorities (CAs) that issue:
- PIV credentials and person identity certificates
- PIV-Interoperable credentials and person identity certificates
- Other person identity certificates
- A small number of federal enterprise device identity certificates
The participating certification authorities and the policies, processes, and auditing of all the participants are collectively referred to as the Federal Public Key Infrastructure (FPKI or Federal PKI).
The Federal PKI includes U.S. federal, state, local, tribal, territorial, and international governments, as well as commercial organizations, that work together to provide services for the benefit of the federal government.
Use the FPKI Graph to see the relationships between the certification authorities in the Federal PKI ecosystem. It graphically depicts how each certification authority links to another through cross-certificates, subordinate certificates, or bridge CAs.
What Is an Example of an Identity Certificate?
A PIV certificate is a simple example. Although there are many types of identity certificates, it’s easiest to explain PIV certificates since you might have one:
- Identity certificates are issued and digitally signed by a certification authority.
- The certification authority that issued and digitally signed your PIV certificates is called an intermediate certification authority. The intermediate certification authority’s certificate was issued by another certification authority.
- This process of issuing and signing continues until there is one certification authority that is called the root certification authority.
The full process of proving identity when issuing certificates, the auditing of the certification authorities, and the cryptographic protections of the digital signatures together establish the basis of trust.
For the U.S. federal government Executive Branch agencies, there is one root certification authority, called the Federal Common Policy Certification Authority (COMMON), plus dozens of intermediate certification authorities and bridged certification authorities. See a graph of the Federal PKI, including the business communities.
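To make the chaining described above concrete, here is an added example (not code from the FPKI Guides) that builds a certification path from a PIV or PIV-I certificate back to a trust anchor by following issuer links, including cross-certificates through a bridge CA. All certificate names other than COMMON and the Federal Bridge CA are constructed placeholders, and only the issuer/subject linkage is modelled; real path validation also checks signatures, validity periods, revocation and certificate policies.

```python
from collections import deque
from typing import List, NamedTuple, Optional


class Cert(NamedTuple):
    subject: str
    issuer: str


# Constructed sample graph: a self-signed root (COMMON), a pair of
# cross-certificates between COMMON and the Federal Bridge CA, one agency
# intermediate CA, one bridge-member PIV-I CA, and two end-entity certificates.
# Agency and partner names are illustrative, not real FPKI CAs.
CERTS = [
    Cert("Federal Common Policy CA", "Federal Common Policy CA"),        # root, self-signed
    Cert("Federal Bridge CA", "Federal Common Policy CA"),               # cross-cert: COMMON -> FBCA
    Cert("Federal Common Policy CA", "Federal Bridge CA"),               # cross-cert: FBCA -> COMMON
    Cert("Example Agency Intermediate CA", "Federal Common Policy CA"),  # intermediate under COMMON
    Cert("Partner PIV-I CA", "Federal Bridge CA"),                       # PIV-I issuer, via the bridge
    Cert("PIV: Jane Doe", "Example Agency Intermediate CA"),             # PIV certificate
    Cert("PIV-I: John Roe", "Partner PIV-I CA"),                         # PIV-I certificate
]


def build_path(leaf_subject: str, trust_anchor: str,
               certs: List[Cert] = CERTS) -> Optional[List[str]]:
    """Return the shortest list of subject names from the leaf certificate to the
    trust anchor, following issuer links, or None if no path exists.
    Breadth-first search with a visited set so cross-certificate loops
    (COMMON <-> FBCA) terminate."""
    by_subject = {}
    for cert in certs:
        by_subject.setdefault(cert.subject, []).append(cert)
    if leaf_subject not in by_subject:
        return None
    queue = deque([[leaf_subject]])
    visited = {leaf_subject}
    while queue:
        path = queue.popleft()
        current = path[-1]
        if current == trust_anchor:
            return path
        for cert in by_subject.get(current, []):
            nxt = cert.issuer
            if nxt == current or nxt in visited:  # skip self-signed and explored CAs
                continue
            visited.add(nxt)
            queue.append(path + [nxt])
    return None


if __name__ == "__main__":
    for leaf in ("PIV: Jane Doe", "PIV-I: John Roe"):
        print(leaf, "->", build_path(leaf, "Federal Common Policy CA"))
```

Changing the trust anchor to "Federal Bridge CA" shows the same PIV certificate chaining through the COMMON-to-FBCA cross-certificate, which is how relying parties outside COMMON's community can reach it.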
Why Should Agencies Use Certificates from the Federal PKI?
All federal agencies should use the Federal PKI for:
- Facilities access, network authentication, and some application authentication, selected based on a risk assessment
- Document sharing and digital signatures
- Signed and encrypted email communications across federal agencies
The Federal PKI provides four core technical capabilities:
The Four Core Federal PKI Capabilities
- Trust with federal agencies and industry
- Support for technical non-repudiation
- Authentication and encryption
- Digital signatures
These four core capabilities are made possible by leveraging digital certificates; their policies, standards, and processes; and a mission-critical trust infrastructure.
Why Is the Federal PKI Important?
The Federal PKI is important to federal agencies, other government entities, and businesses that need access to federal facilities or participate in delivering federal government services.
| Benefit | Description |
| --- | --- |
| Security | Improved facilities, network, and application access through cryptography-based, federated authentication. Federal PKI credentials reduce the possibility of data breaches that can result from using weak credentials, such as username and password. Specifically, the Federal PKI closes security gaps in user identification and authentication, encryption of sensitive data, and data integrity. |
| Compliance | Using the Federal PKI means compliance with several Executive Orders, laws (e.g., FISMA, E-Government Act), initiatives, and standards. The Federal PKI verifies that participating certification authorities are audited and operated in a secure manner. |
| Interoperability | Improved interoperability with other federal agencies and non-federal organizations that trust Federal PKI certificates. The Federal PKI helps reduce the need for issuing multiple credentials to users. |
| Return on Investment | The Federal PKI improves business processes and efficiencies. For example, leveraging digital signing, encryption, and non-repudiation allows federal agencies to migrate from manual processing to automated processing, especially around document processing and sharing, and enhances communications between two or more federal employees for internal efficiency and effectiveness. |
Where Can I Find the Policies and Standards?
- X.509 Certificate Policy for the U.S. Federal PKI Common Policy Framework is the certificate policy for the U.S. Federal Root Certification Authority.
- Common Policy X.509 Certificate and Certificate Revocation List (CRL) Profiles specifies certificate and CRL extensions profiles for certificates and CRLs issued under COMMON.
- X.509 Certificate Policy for the Federal Bridge Certification Authority (FBCA) is the certificate policy for the FBCA.
- X.509 Certificate and CRL Extensions Profile for the FBCA specifies certificate and CRL extensions profiles for Federal PKI infrastructure systems.
- X.509 Certificate and CRL Extensions Profile for PIV-I Cards specifies certificate and CRL extensions profiles for use with Personal Identity Verification Interoperable (PIV-I) cards.
- OMB Circular A-130, Managing Information as a Strategic Resource (2016) establishes general policy for the planning, budgeting, governance, acquisition, and management of federal information, personnel, equipment, funds, IT resources, and supporting infrastructure and services.