FPKI Certification Authorities Overview
A certification authority is a system that issues digital certificates. These digital certificates are based on cryptography and follow the X.509 standards defined for information security.
The Federal PKI (FPKI) is a network of certification authorities (CAs) that are either root, intermediate, or issuing CAs.
Any CA in the FPKI may be referred to as a Federal PKI CA. The two highest level CAs in the FPKI hierarchy are the FPKI Trust Infrastructure CAs, which are operated and managed by the Federal PKI Management Authority (FPKIMA) Program Office:
- Federal Common Policy Certification Authority
- Federal Bridge Certification Authority
The Federal Common Policy CA (COMMON) serves as the root and trust anchor for the intermediate and issuing CAs operated by federal government Executive Branch agencies.
Public trust for websites
A new effort is in the planning stages to establish another federal government root and issuing CAs dedicated to Public Trust Transport Layer Security (TLS) device certificates. Follow or contribute to the development of the federal government's new certificate policy for this public trust effort at https://github.com/uspki/policies.
Federal Common Policy Certification Authority
The Federal Common Policy CA may be referred to as the FCPCAG2, or as COMMON in documents. As the FPKI root and trust anchor for the federal government, the FCPCAG2 supports government person trust, including Personal Identity Verification (PIV) credentials, and a small number of agency intranet enterprise devices. The FCPCA’s design enables a certificate issued by any FPKI CA to validate its certificate path to a single root CA.
A few commercial vendors include the FCPCAG2 root certificate in their commercial-off-the-shelf (COTS) products’ trust stores. This enables federal government systems to trust person and enterprise device certificates issued by FPKI CAs. If the FCPCAG2 root certificate is not present by default, it can be added to the trust stores of government-managed devices and servers.
The FCPCAG2 root certificate is included in the trust stores for some platforms such as Adobe. Other platforms, such as Microsoft, Mozilla, and Apple, do not include the FCPCA by default.
Federal Bridge Certification Authority
The current Federal Bridge Certification Authority (FBCA) is the Federal Bridge CA G4.
The FBCA is a PKI bridge, or link, between the FCPCA and the other CAs that make up the FPKI network, which may operate under comparable but different certificate policies. The FBCA provides a means to map these certificate policies across CAs so that their certificates can validate to the FCPCA root certificate.
The CAs with certificates signed by the Federal Bridge CA G4 are cross-certified. These CAs have established a trust relationship with the FPKI and are audited annually for conformance to the certificate policies. This cross-certification process has extended the reach of the FPKI well beyond the boundaries of the federal government.
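As an added example (not from this page or the FPKIMA), the script below builds a toy hierarchy with the shape described in the two sections above: one self-signed root standing in for COMMON, a bridge cross-certified by that root with a certificate policy mapping, a partner CA cross-certified by the bridge with a second mapping, and an end-entity certificate. It then validates the end-entity certificate's path to the single root with the policy requested in the root's own terms, which only succeeds because the mappings carry that policy down through the bridge. It assumes a local openssl; every name and OID is constructed for the example, not a real FPKI value.

```shell
set -e
WORK=$(mktemp -d); cd "$WORK"
# Constructed policy OIDs (arbitrary arc, not real FPKI OIDs): one per policy domain.
COMMON_OID=1.3.6.1.4.1.99999.1    # root's (COMMON stand-in) policy
BRIDGE_OID=1.3.6.1.4.1.99999.2    # bridge's policy
PARTNER_OID=1.3.6.1.4.1.99999.3   # cross-certified partner CA's policy
# Extension sections: each cross-certificate carries the issuer's policy and maps it
# onto the subject CA's equivalent policy (issuerDomainPolicy:subjectDomainPolicy).
cat > ext.cnf <<EOF
[root]
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
[root_to_bridge]
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
certificatePolicies=$COMMON_OID
policyMappings=$COMMON_OID:$BRIDGE_OID
[bridge_to_partner]
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
certificatePolicies=$BRIDGE_OID
policyMappings=$BRIDGE_OID:$PARTNER_OID
[leaf]
basicConstraints=CA:FALSE
keyUsage=digitalSignature
certificatePolicies=$PARTNER_OID
EOF
# csr NAME CN: fresh P-256 key plus certificate request for NAME
csr() { openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
          -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null; }
# sign NAME ISSUER SECTION: issue NAME's certificate under ISSUER with extensions SECTION
sign() { openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
           -days 30 -extfile ext.cnf -extensions "$3" -out "$1.pem" 2>/dev/null; }
csr root "Toy Common Policy CA"
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ext.cnf \
  -extensions root -out root.pem 2>/dev/null          # self-signed trust anchor
csr bridge "Toy Bridge CA";    sign bridge root root_to_bridge
csr partner "Toy Partner CA";  sign partner bridge bridge_to_partner
csr leaf "Alice Example";      sign leaf partner leaf
cat bridge.pem partner.pem > chain.pem   # intermediates travel untrusted; only root.pem is trusted
# validate ANCHOR_PEM POLICY_OID: succeeds only if leaf.pem chains to ANCHOR_PEM and
# POLICY_OID, stated in the anchor's terms, survives the mappings down to the leaf
validate() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" -untrusted chain.pem \
    -policy_check -explicit_policy -policy "$2" leaf.pem >/dev/null 2>&1
}
validate root.pem "$COMMON_OID" && echo "leaf validates to the root under $COMMON_OID"
```

Requesting the partner's own policy OID at the root fails with "no explicit policy": the mapping is expressed in the issuer's terms, which is how a relying party that trusts only COMMON can accept a certificate issued under a cross-certified partner's policy.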
All Federal PKI Certification Authorities
A CA that is part of the FPKI is called a participating certification authority.
For historical records, we might label or identify CA systems using a category that shows when the system was established and for what types of communities it is or was used.
We realize all the acronyms and labels may be confusing and welcome your input to help us improve, add information over time, and simplify where needed.
| Certification Authority Category | Description |
|---|---|
| PKI Shared Service Provider (SSP) Certification Authorities | An SSP CA is subordinate to the FCPCAG2. Any certificate that an SSP CA creates, signs, and issues to people or devices is in the FCPCA trust chain. An SSP must adhere to strict federal IT security standards and requirements. The SSPs are granted a FISMA Authority to Operate (ATO), undergo continuous monitoring, and are contracted by the federal government to issue certificates to federal employees and contractors as well as to devices deployed in federal agency networks. |
| Private Sector Certification Authorities | A private sector CA that is cross-certified has shown a valid need to conduct business with, or provide PKI services to, the federal government. |
| Other Government Certification Authorities | These CAs are managed and operated by state, local, tribal, territorial, or international governments. |
| Bridge Certification Authorities | Bridge CAs connect member PKIs and are designed to enable interoperability between different PKIs operating under their own certificate policies. A bridge CA is not a root. |
| Federal Agency Legacy | Prior to 2004, some agencies had already deployed and invested in their own PKI and CAs. Some of these agencies opted out of migrating to the SSP Program and continued to manage their existing infrastructures. These legacy federal agencies operate one or more CAs that are cross-certified with a Federal PKI Trust Infrastructure CA. |