3. Distribute the certificate to operating systems
We're calling for all solutions! If you'd like to share your agency's playbook on how to distribute a trusted root CA certificate to an operating system trust store, create an issue on GitHub or email us at fpkirootupdate@gsa.gov.
To distribute the Federal Common Policy CA G2 (FCPCA G2) certificate, use one of these options:
- Microsoft Solutions
  - Use Microsoft Certutil
  - Use Microsoft Group Policy Object (GPO)
  - Use third-party configuration management tools
  - Use Microsoft Certificate Manager for unmanaged devices
- macOS Solutions
- iOS Solutions
- Linux/Unix Solutions
Microsoft Solutions
Use Microsoft Certutil
You must have Enterprise Administrator privileges for the domain to use these procedures. The commands must be run from an agency domain controller.
- Click Start, type cmd, and press Enter.
- Run the following command:
certutil -dspublish -f [PATH\]fcpcag2.crt RootCA
- To verify that FCPCA G2 was distributed, run the following commands:
gpupdate /force
certutil -viewstore -enterprise
- Confirm that the output details include FCPCA G2.
- Verify the certificate details against the expected values (for example, the serial number and the SHA-256 hash).
Note: The following .gif shows you how to distribute the FCPCA G2 using Microsoft Certutil.
Use Microsoft Group Policy Object (GPO)
You must have Enterprise Administrator privileges for the Domain to use these procedures. The commands must be run from an agency Domain Controller.
- Navigate to Server Manager.
- Select Tools.
- Select Group Policy Management from the drop-down list.
- Right-click your desired domain(s), and select Create a GPO in this domain, and Link it here.
- Enter a GPO Name, and click OK.
- Right-click the newly created GPO and click Edit.
- Navigate to Policies > Windows Settings > Security Settings > Public Key Policies.
- Right-click Trusted Root Certification Authorities, and select Import. The Certificate Import Wizard appears.
- Browse to and select your copy of the FCPCA G2.
- Verify that the target Certificate Store presents Trusted Root Certification Authorities, and select Next.
- Select Finish to complete the import. A success message appears.
- Close the Group Policy Management window.
- Wait for clients to consume the new policy.
- (Optional) To force client consumption, click Start, type cmd, press Enter, and run the following command:
gpupdate /force
Note: The following .gif shows you how to distribute the FCPCA G2 with Microsoft GPO.
Use Third-Party Configuration Management Tools
To follow these steps, you must have Enterprise Administrator privileges for the Domain. You will need to run these commands from an agency domain controller.
You can use third-party configuration management tools, such as BigFix.
- Using BigFix, schedule a task and push the certificate file. Run the following command (example):
certutil -f -addstore root "fcpcag2.crt"
Use Microsoft Certificate Manager for Unmanaged Devices
To distribute the FCPCA G2 to unmanaged devices:
- Click Start, type certmgr.msc, and press Enter.
- Right-click Trusted Root Certification Authorities, and select All Tasks > Import. The Certificate Import Wizard appears.
- Browse to and select your copy of the FCPCA G2.
- Verify that the desired Certificate Store displays Trusted Root Certification Authorities, and select Next.
- Select Finish to complete the import. A success message appears.
Note: If several users share a device, you can run certlm.msc to update the certificate stores for all accounts on the device at once, instead of updating each account separately.
macOS Solutions
Create, Distribute, and Install an Apple Configuration Profile
For macOS and iOS government-furnished devices, you can use Apple configuration profiles (XML files) to distribute and automatically install the FCPCA G2.
These steps describe how to create, distribute, and install profiles using Apple's free Configurator 2 application. Third-party applications are also available.
Only System or mobile device management (MDM) administrators should create, distribute, and install Apple configuration profiles.
Create an Apple Configuration Profile
- As an administrator, download and verify a copy of the FCPCA G2 to your device.
- Download and install Configurator 2 from the Apple App Store.
- Open Configurator 2 and click File > New Profile.
- On the General tab, enter a unique profile Name (for example, FCPCA G2 Profile) and Identifier (for example, FCPCAG2-0001).
- On the Certificates tab, click Configure.
- Browse to and select your verified copy of the FCPCA G2.
- (Optional) Add additional agency-specific configurations or customizations.
- Click File > Save to save your profile to your preferred location.
- Distribute the profile across your enterprise.
Note: The following video shows you how to create an Apple configuration profile.
APPLE CONFIGURATION PROFILE (EXAMPLE)
Before using this profile, you should verify that it is suitable for your agency.
To use this profile, copy the XML information and save it as a .mobileconfig file.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadCertificateFileName</key>
<string>fcpcag2.crt</string>
<key>PayloadContent</key>
<data>
MIIF3TCCA8WgAwIBAgIUIeW5oMyVbeJ4ygErqP3Fipiz++owDQYJKoZIhvcNAQEM
BQAwXDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDENMAsG
A1UECxMERlBLSTEkMCIGA1UEAxMbRmVkZXJhbCBDb21tb24gUG9saWN5IENBIEcy
MB4XDTIwMTAxNDEzMzUxMloXDTQwMTAxNDEzMzUxMlowXDELMAkGA1UEBhMCVVMx
GDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDENMAsGA1UECxMERlBLSTEkMCIGA1UE
AxMbRmVkZXJhbCBDb21tb24gUG9saWN5IENBIEcyMIICIjANBgkqhkiG9w0BAQEF
AAOCAg8AMIICCgKCAgEA19fTFzEmIRgQKkFty6+99sRRjCTYBYh7LloRpCZs4rgp
Bk+/5P4aZYd5v01GYBfOKywGJyFh4xk33/Q4yACoOT1uZOloNq/qhhT0r92UogKf
77n5JgMhvg/bThVB3lxxahZQMM0YqUhg1rtaKRKsXm0AplhalNT6c3mA3YDSt4+7
5i105oE3JbsFjDY5DtGMYB9JIhxobtWTSnhL5E5HzO0GVI9UvhWAPVAhxm8oT4wx
SOIjZ/MywXflfBrDktZu1PNsJkkYJpvFgDmSFuEPzivcOrytoPiPfgXMqY/P7zO4
opLrh2EV5yA4XYEdoyA2dVD8jmm+Lk7zgRFah/84P2guxNtWpZAtQ9Nsag4w4Emt
Rq82JLqZQlyrMbvLvhWFecEkyfDzwGkFRIOBn1IbUfKTtN5GWpndl8HCUPbR2i7h
pV9CFfkXTgsLGTwMNV2xPz2xThrLDu0jrDG+3/k42jB7KH3SQse72yo6MyNF46uu
mO7vORHlhOTVkWyxotBU327XZfq3BNupUDL6+R4dUG+pQADSstRJ60gePp0IAtQS
HZYd1iRiXKpTLl0kofB2Y3LgAFNdYmaHrbrid0dlKIs9QioDwjm+wrDLAmuT4bjL
ZePhc3qt8ubjhZN2Naz+4YP5+nfSPPClLiyM/UT2el7eY4l6OaqXMIRfJxNIHwcC
AwEAAaOBljCBkzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV
HQ4EFgQU9CdcqcN8R/T6pqewWZeq3TUmF+MwUQYIKwYBBQUHAQsERTBDMEEGCCsG
AQUFBzAFhjVodHRwOi8vcmVwby5mcGtpLmdvdi9mY3BjYS9jYUNlcnRzSXNzdWVk
QnlmY3BjYWcyLnA3YzANBgkqhkiG9w0BAQwFAAOCAgEAAWQ3MAzwzr3O1RSBkg06
NCj7eIL7/I5fwTBLhpoMhE0XoaoPUie0gqRo3KO2MhuBtacjy55ihIY87hShGoKQ
cbA1fh7e4Cly5QkOY+KbQsltkKzgod2zmPyC0bEOYD2LO141HyeDWdQ6dDXDz6dr
8ObntOfMzgdo7vodCMuKU8+ysTdxRxTCi6AVz3uqe5k+ObJYpC0aXHNMy1OnFgL6
oxMeGMlSecU/QUAIf0ncDurYFSctFwXitTC0CrcLO9/AGHqTFSHzUrIlbrgd/aGO
+E3o3QoU+ThCPPnu1K2KZLG4pyMqdBm4y7rVGPRikLmFhIv/b6b2CL8yiYL0+mJD
crTVs0PYfALtQxMpSA8n053gajlPwhG3O5jcL8SzqlaGPmGqpnEi9aWAYHJXTzbj
zGUAc2u8+Kw8Xv4JffhVWIxVKH4NS5PCtgXwxifgrmPi0/uU1w0crclEsSsya7FI
BVRTURoSwwda25wIIWPIkQsQK1snJxgEyUzXi10MUDR0WSDqQAdhbOLcmcyhED5h
phYQnf8sD8FpoUDjoLCPkU/ytfZoplmcBM4SQ4Ejgjyk63vMqBDcCMXTHciFTsV2
e+aReLvIvU4YmaBQQl3vCFj1qMPIkRsTby1Ff8hRDQG3kH0vefcVtcicsdU8kV2M
ee/xJ/c0cIHZWMw0HoRZPbo=
</data>
<key>PayloadDescription</key>
<string>Adds a CA root certificate</string>
<key>PayloadDisplayName</key>
<string>Federal Common Policy CA G2</string>
<key>PayloadIdentifier</key>
<string>com.apple.security.root.1EB75E7D-C3BC-46C2-AF42-51D80A2E12FC</string>
<key>PayloadType</key>
<string>com.apple.security.root</string>
<key>PayloadUUID</key>
<string>1EB75E7D-C3BC-46C2-AF42-51D80A2E12FC</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Federal Common Policy Certification Authority G2 Profile</string>
<key>PayloadIdentifier</key>
<string>FCPCAG2-0001</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>AAD17D9A-DA41-4197-9F0F-3C3C6B4512F9</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
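The profile above can also be generated from a verified copy of the certificate rather than edited by hand. The following Python script is an added example (not part of the playbook or of Apple's tooling): it refuses to embed the DER-encoded certificate unless its SHA-256 fingerprint matches an expected value, then emits the same plist structure as the example profile with freshly generated UUIDs. The DER bytes and the expected fingerprint below are constructed stand-ins; a real run reads the verified fcpcag2.crt download and the agency's published fingerprint.

```python
import hashlib
import plistlib
import uuid

# Constructed stand-in for the DER bytes of fcpcag2.crt (not a real certificate);
# a real deployment reads the verified download, e.g. open("fcpcag2.crt", "rb").read().
SAMPLE_DER = b"\x30\x82\x00\x10constructed-not-a-real-certificate"
# Placeholder for the published SHA-256 fingerprint of FCPCA G2 (assumption).
EXPECTED_SHA256 = hashlib.sha256(SAMPLE_DER).hexdigest()


def sha256_fingerprint(der: bytes) -> str:
    """Return the certificate fingerprint as colon-separated uppercase hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_match(der: bytes, expected: str) -> bool:
    """Compare fingerprints ignoring colons, spaces and letter case."""
    def norm(s: str) -> str:
        return s.replace(":", "").replace(" ", "").lower()
    return norm(sha256_fingerprint(der)) == norm(expected)


def build_profile(der: bytes, expected: str, identifier: str = "FCPCAG2-0001") -> bytes:
    """Build a .mobileconfig (XML plist) that installs one root certificate.

    Raises ValueError instead of embedding a certificate whose fingerprint
    does not match, so an unverified file never reaches the trust store.
    """
    if not fingerprints_match(der, expected):
        raise ValueError("certificate fingerprint does not match expected value")
    cert_uuid = str(uuid.uuid4()).upper()
    cert_payload = {
        "PayloadCertificateFileName": "fcpcag2.crt",
        "PayloadContent": der,  # bytes are written as a base64 <data> element
        "PayloadDescription": "Adds a CA root certificate",
        "PayloadDisplayName": "Federal Common Policy CA G2",
        "PayloadIdentifier": f"com.apple.security.root.{cert_uuid}",
        "PayloadType": "com.apple.security.root",
        "PayloadUUID": cert_uuid,
        "PayloadVersion": 1,
    }
    profile = {
        "PayloadContent": [cert_payload],
        "PayloadDisplayName": "Federal Common Policy Certification Authority G2 Profile",
        "PayloadIdentifier": identifier,
        "PayloadRemovalDisallowed": False,
        "PayloadType": "Configuration",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
    }
    return plistlib.dumps(profile)  # XML plist bytes, ready to save as .mobileconfig


def parse_profile(data: bytes) -> dict:
    """Read a generated profile back (used to inspect or test the output)."""
    return plistlib.loads(data)
```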
Distribute an Apple Configuration Profile
Only System or MDM Administrators should use these steps. You should never email an Apple configuration profile to someone outside your agency's domain.
You can use Apple’s Configurator 2 to distribute your Apple configuration profile to government-furnished macOS and iOS devices in the following ways:
- Physically connect to the user’s device.
- Email a profile to specific users.*
- Share a profile on an agency intranet webpage.*
- Share via over-the-air profile delivery and configuration (Apple Developer Library).
- Share via over-the-air delivery and configuration from an MDM server (Apple Developer Library). Third-party applications are also available.
*For iOS only — If you download and install the FCPCA G2 from an email or an intranet website, you will need to manually enable SSL trust for FCPCA G2. This is not needed if you use Configurator 2 with over-the-air (OTA) methods or an MDM enrollment profile to install the FCPCA G2. (See Enable Full Trust for FCPCA G2.)
Install an Apple Configuration Profile
We recommend using an automated method to install Apple configuration profiles on government-furnished Apple devices (for example, a desktop configuration management or MDM tool), which will distribute FCPCA G2. (If you have questions about third-party products, email us at fpkirootupdate@gsa.gov.)
You can also manually install a profile.
Note: The following video shows you how to manually install an Apple configuration profile on macOS.
Install FCPCA G2 Using Command Line
These steps describe how to install the FCPCA G2 in the System Keychain. You must have system administrator privileges to perform these steps.
- Click the Spotlight icon and search for Terminal.
- Double-click the Terminal icon (black monitor icon with white “>_”) to open a window.
- Run the following command:
$ sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" {DOWNLOAD_LOCATION}/fcpcag2.crt
Note: The following video shows you how to install FCPCA G2 using the command line.
Install FCPCA G2 Using Apple Keychain Access
You can use the System Keychain or Login Keychain to install the FCPCA G2.
System Keychain
These steps describe how to install FCPCA G2 in the System Keychain. You must have system administrator privileges to perform these steps.
- Click the Spotlight icon and search for Keychain Access.
- Double-click the Keychain Access icon to open the application.
- Click the System keychain from the left-hand navigation.
- Click File > Import Items.
- Browse to and select your verified copy of FCPCA G2.
- When prompted, enter your administrator username and password.
- Keychain Access will present the installed certificate.
Note: The following video shows administrators how to install FCPCA G2 by using the Apple Keychain Access import process.
Login Keychain
These steps describe how to install FCPCA G2 in the Login Keychain. Both system administrators and non-administrators can perform these steps.
- Browse to your downloaded, verified copy of FCPCA G2.
- Double-click the file. Keychain Access opens and displays the installed certificate.
Note: The following video shows non-administrators how to install FCPCA G2 using the Apple Keychain Access import process.
iOS Solutions
Install FCPCA G2 Using an Apple Configuration Profile in iOS
You can use Apple configuration profiles to install the FCPCA G2 on both macOS and iOS devices.
Review the Apple configuration profiles guidance for instructions.
Install FCPCA G2 Using Safari Web Browser
You can use the Safari web browser to install the FCPCA G2 on iOS devices only.
These steps describe how to install the FCPCA G2 as a trusted root certificate. Both system administrators and non-administrators can perform these steps.
- Launch Safari.
- Navigate to the FCPCA G2 root CA certificate: http://repo.fpki.gov/fcpca/fcpcag2.crt.
System message says: The website is trying to open Settings to show you a configuration profile. Do you want to allow this?
- Click Allow.
The FCPCA G2 configuration profile appears.
- Click More Details, and then select the FCPCA G2 certificate entry.
- Scroll to Fingerprints and verify the certificate’s SHA-256 hash against the expected value.
- At the top left of screen, click Back and Install Profile. Then, click Install (top right).
- When prompted, enter your device passcode.
- Click Install in the upper right corner, and Install again.
- Click Done.
- Follow the steps below to enable full trust for FCPCA G2.
Note: The following video shows you how to install FCPCA G2 using the Safari web browser.
Enable Full Trust for FCPCA G2
This option works for iOS devices only.
These steps describe how to enable “full trust” for certificates that chain to FCPCA G2. Both system administrators and non-administrators can perform these steps.
- On the iOS device’s Home screen, select Settings > General > About > Certificate Trust Settings.
- Under Enable Full Trust for Root Certificates, toggle ON for the FCPCA G2 root CA certificate entry.
- When the certificate appears, click Continue.
You can now successfully navigate to any intranet website whose SSL certificate was issued by a Federal Public Key Infrastructure (FPKI) CA.
Linux and Unix Solutions
Debian-Based Kernels
- Launch the command line.
- Change directory with the following command:
cd /usr/local/share/ca-certificates/
- Convert the FCPCA G2 certificate to PEM and set permissions with the following commands:
sudo openssl x509 -inform der -in [PATH/]fcpcag2.crt -out fcpcag2-pem.crt
sudo chmod 644 fcpcag2-pem.crt
- Update Trusted Certificates with the following command:
sudo update-ca-certificates
Red Hat Enterprise Linux, CentOS, and Other Non-Debian-Based Kernels
- Launch the command line.
- Change directory with the following command:
cd /etc/pki/ca-trust/source/anchors/
- Copy your verified copy of FCPCA G2 into the folder and set permissions with the following commands:
sudo cp [PATH/]fcpcag2.crt .
sudo chown root:root fcpcag2.crt
sudo chmod 644 fcpcag2.crt
- Update Trusted Certificates with the following command:
sudo /bin/update-ca-trust extract
Next, verify distribution of the FCPCA G2 certificate as an operating system trusted root.
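One way to check that the Linux steps above actually placed FCPCA G2 in the system trust bundle is to look for its SHA-256 fingerprint in the bundle files that update-ca-certificates (Debian) and update-ca-trust (RHEL) generate. The Python script below is an added example, not part of the playbook: it decodes each PEM certificate in a bundle, fingerprints the DER bytes, and reports whether the expected fingerprint is present. The bundle paths are the distributions' standard locations; the sample bundle and its "certificates" are constructed stand-ins so the logic runs offline, and the expected fingerprint is a placeholder for the agency's published value.

```python
import base64
import hashlib
import re

# Bundles produced by update-ca-certificates (Debian) and update-ca-trust (RHEL).
TRUST_BUNDLES = [
    "/etc/ssl/certs/ca-certificates.crt",
    "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem",
]

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der_list(bundle_text: str) -> list[bytes]:
    """Decode every CERTIFICATE block in a PEM bundle back to DER bytes."""
    return [base64.b64decode(m.group(1)) for m in PEM_BLOCK.finditer(bundle_text)]


def sha256_fingerprint(der: bytes) -> str:
    """Lowercase hex SHA-256 of the DER encoding (what Settings/openssl show as the fingerprint)."""
    return hashlib.sha256(der).hexdigest().lower()


def bundle_contains(bundle_text: str, expected_fingerprint: str) -> bool:
    """True if any certificate in the bundle has the expected SHA-256 fingerprint."""
    wanted = expected_fingerprint.replace(":", "").replace(" ", "").lower()
    return any(sha256_fingerprint(der) == wanted for der in pem_to_der_list(bundle_text))


def check_system_trust(expected_fingerprint: str, paths=TRUST_BUNDLES) -> dict[str, bool]:
    """Check each bundle path; a missing or unreadable bundle is reported as False."""
    results = {}
    for path in paths:
        try:
            with open(path, encoding="ascii", errors="ignore") as f:
                results[path] = bundle_contains(f.read(), expected_fingerprint)
        except OSError:
            results[path] = False
    return results


# Constructed sample bundle with two fake "certificates" (not real DER), used
# only to exercise the parsing and matching logic offline.
def _pem(der: bytes) -> str:
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


SAMPLE_FCPCA_DER = b"\x30\x82constructed-fcpcag2-stand-in"
SAMPLE_BUNDLE = _pem(b"\x30\x82some-other-ca") + _pem(SAMPLE_FCPCA_DER)
```

Run check_system_trust with the published fingerprint on a configured host; a False for the bundle your distribution uses means the update command did not pick up the file (typically a wrong directory, a .crt extension missing on Debian, or permissions).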