Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.


The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

5. Distribute the certificate to applications

We're calling for all solutions! If you'd like to share your agency's playbook on how to distribute a trusted root CA certificate to an application trust store, create an issue on GitHub or email us at

Many, but not all, software applications leverage the underlying operating system trust store to verify whether a certificate should be trusted.

Collaborate across agency teams to identify applications that rely on custom trust stores to ensure distribution of the Federal Common Policy CA (FCPCA) G2 certificate.

Example applications with custom trust stores:

  • Java and all Java-based applications (for example, Apache Tomcat)
  • Mozilla products (for example, Firefox or Thunderbird)
  • OpenSSL-based applications (for example, Apache HTTP Server or Nginx)

Important! Depending on how these applications are configured, it's likely you'll also need to distribute the intermediate CA certificates issued by the FCPCA G2.

Next, determine if you need to distribute the CA certificates issued by the FCPCA G2.

An official website of the General Services Administration

Looking for U.S. government information and services?
Visit Edit this page