
7. Migrate to the Federal Common Policy CA G2

We're calling for all solutions! If you'd like to share your agency's playbook on how to distrust a CA certificate, create an issue on GitHub or email us at fpki@gsa.gov.

For the purpose of these steps, we refer to the existing Federal Common Policy CA (FCPCA) as FCPCA G1.

To migrate from the existing FCPCA G1 to the FCPCA G2 as your agency’s federal trust anchor, you’ll need to:

  1. disable enterprise distribution of the FCPCA G1 as a trusted root CA certificate, and
  2. distrust the FCPCA G1.

Heads up! Test the following steps in a controlled environment before you deploy them across your enterprise. If you do not successfully distribute the FCPCA G2 certificate before you begin these steps, you may cause a denial-of-service, impacting smart card logon for your applications and systems.

FCPCA G1 certificate details

FCPCA G1 Certificate Details
Federal Common Policy CA
(sometimes shown as U.S. Government Common Policy)
http://http.fpki.gov/fcpca/fcpca.crt
Distinguished Name cn=Federal Common Policy CA, ou=FPKI, o=U.S. Government, c=US
Serial Number 0130
SHA-1 Thumbprint 90 5f 94 2f d9 f2 8f 67 9b 37 81 80 fd 4f 84 63 47 f6 45 c1
SHA-256 Thumbprint 89 4e bc 0b 23 da 2a 50 c0 18 6b 7f 8f 25 ef 1f 6b 29 35 af 32 a9 45 84 ef 80 aa f8 77 a3 a0 6e

Disable Distribution of the FCPCA G1

Reference the distribution mechanisms here to review the ways the FCPCA certificate could be distributed across your enterprise. Disable all existing distribution mechanisms. Sample procedures to disable the distribution of the FCPCA G1 are listed below for:

  1. Microsoft certutil
  2. a Microsoft Group Policy Object (GPO)
  3. an Apple configuration profile

If the FCPCA Was Distributed Using Microsoft Certutil

You must have enterprise administrator privileges for the domain to perform these steps. You must run these commands from an agency domain controller.

  1. Navigate to Server Manager.
  2. Select Tools.
  3. In the drop-down list, select ADSI Edit.
  4. In the top navigation, select Action > Connect to....
  5. In the Select a well known Naming Context drop-down list, select Configuration, and click OK.
  6. Browse to the CN=AIA directory (within “CN=Public Key Services, CN=Services”), right-click the entry for the FCPCA, and select Delete.
  7. Browse to the CN=Certification Authorities directory (within “CN=Public Key Services, CN=Services”), right-click the entry for the FCPCA and select Delete.


If the FCPCA Was Distributed Using a Microsoft GPO

You must have enterprise administrator privileges for the domain to perform these steps. You must run these commands from an agency domain controller.

  1. Navigate to Server Manager.
  2. Select Tools.
  3. Select Group Policy Management from the drop-down list.
  4. Expand the Group Policy Objects directory.
  5. Right-click the GPO distributing the FCPCA and select Delete.


If the FCPCA Was Distributed Using an Apple Configuration Profile

  1. Identify how the profile is being distributed across the enterprise (e.g., over-the-air profile delivery or from an MDM server)
  2. Use local knowledge to disable the distribution. If you are having trouble with a specific product, email us at fpkirootupdate@gsa.gov.


Distrust the FCPCA G1

Use one of the methods below to distrust the FCPCA G1.

Use Microsoft Group Policy Object

You must have enterprise administrator privileges for the domain to perform these steps. You must run these commands from an agency domain controller.

  1. Navigate to Server Manager.
  2. Select Tools.
  3. Select Group Policy Management from the drop-down list.
  4. Right-click your desired domain(s), and select Create a GPO in this domain, and Link it here.
  5. Enter a GPO Name and click OK.
  6. Right-click the newly created Group Policy Object (GPO) and click Edit.
  7. Navigate to Policies > Windows Settings > Security Settings > Public Key Policies.
  8. Right-click Untrusted Certificates, and select Import. The Certificate Import Wizard will open.
  9. Browse to and select your copy of FCPCA G1.
  10. Verify that the target Certificate Store presents Untrusted Certificates, and select Next.
  11. Select Finish to complete the import.

    A success message appears.

  12. Close the Group Policy Management window.
  13. Wait for clients to consume the new policy.
  14. (Optional) To force client consumption, click Start, type cmd, press Enter, and run the following command:
           gpupdate /force
    

Note: The following .gif, "Sample Steps," shows you how to distrust the FCPCA G1 on Microsoft Server 2016.


Use macOS Terminal

macOS handles certificate distrust differently than Windows does. The steps below distrust the FCPCA G1 certificate by deleting it from the System and Login Keychains. The absence of the FCPCA G1 certificate from the Keychains results in the certificate not being trusted by the workstation. Only system administrators should follow these steps.

Note: Many Mobile Device Management (MDM) platforms allow administrators to push the command below across an enterprise rather than running it on individual workstations. Use automation wherever possible.

  1. Click the Spotlight icon and search for Terminal.
  2. Double-click the Terminal icon (black monitor icon with white “>_”) to open a window.
  3. Run the following command:

     $ sudo security delete-certificate -c "Federal Common Policy CA" /Library/Keychains/System.keychain && sudo security delete-certificate -c "Federal Common Policy CA" login.keychain
    
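The keychain removal above deletes by common name. The following added example (not the playbook's own command) instead finds the FCPCA G1 in the System and login keychains by the SHA-1 thumbprint listed in the certificate details, deletes exactly that entry with security delete-certificate -Z, and checks afterwards that it is gone. It needs the macOS security tool and is run the way the page runs its command (with sudo); the FCPCA_APPLY guard and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the IDManagement.gov playbook: find the FCPCA G1 in the
# macOS System and login keychains by its published SHA-1 thumbprint, delete
# exactly that certificate (rather than the first name match), and confirm it is
# gone. Needs macOS `security`; run it the way the page runs its command (sudo).
set -u

# SHA-1 thumbprint of the FCPCA G1 from the page, without the spaces.
FCPCA_G1_SHA1="905f942fd9f28f679b378180fd4f846347f645c1"

# Keychains the page's command targets. `security` resolves the bare name
# "login.keychain" to the current user's login keychain.
KEYCHAINS="/Library/Keychains/System.keychain login.keychain"

# Strip spaces/colons and lower-case so a thumbprint from any source compares
# equal to what `security find-certificate -Z` prints.
normalize_thumbprint() {
    printf '%s' "$1" | tr -d ' :' | tr 'A-F' 'a-f'
}

# Read `security find-certificate -Z` output on stdin and print the SHA-1
# hashes it contains, one per line, lower-cased. Lines look like
# "SHA-1 hash: 905F942F..." (a "SHA-256 hash:" line may precede it; ignored).
extract_sha1_hashes() {
    sed -n 's/^[[:space:]]*SHA-1 hash: //p' | tr 'A-F' 'a-f'
}

# Succeed only if the find-certificate output on stdin lists the G1 hash.
output_lists_g1() {
    extract_sha1_hashes | grep -qx "$FCPCA_G1_SHA1"
}

# All certificates in a keychain whose common name matches the G1 name, as
# SHA-1 hashes. The hash, not the name, decides what gets deleted.
find_g1_candidates() {
    security find-certificate -a -c "Federal Common Policy CA" -Z "$1" 2>/dev/null \
        | extract_sha1_hashes
}

remove_g1_from_keychain() {
    keychain="$1"
    if find_g1_candidates "$keychain" | grep -qx "$FCPCA_G1_SHA1"; then
        echo "removing FCPCA G1 ($FCPCA_G1_SHA1) from $keychain"
        # -Z selects by SHA-1 hash; -t also drops any trust settings stored for it.
        security delete-certificate -Z "$FCPCA_G1_SHA1" -t "$keychain"
    else
        echo "FCPCA G1 not present in $keychain"
    fi
}

# Post-check: fail if the G1 hash is still found in any targeted keychain.
verify_g1_removed() {
    for kc in $KEYCHAINS; do
        if find_g1_candidates "$kc" | grep -qx "$FCPCA_G1_SHA1"; then
            echo "FCPCA G1 is still present in $kc"
            return 1
        fi
    done
    echo "FCPCA G1 is absent from: $KEYCHAINS"
}

# Set FCPCA_APPLY=1 to modify the keychains; without it the functions only load.
if [ -n "${FCPCA_APPLY:-}" ]; then
    for kc in $KEYCHAINS; do remove_g1_from_keychain "$kc"; done
    verify_g1_removed
fi
```

Run it as FCPCA_APPLY=1 sudo sh distrust-fcpca-g1.sh (file name assumed). Selecting by hash matters because the G2 certificate carries a similar name; the thumbprint is what tells the two apart, and the post-check reports any keychain where the G1 survived.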

Note: This video shows you how to remove the FCPCA G1 certificate using the command line.

Use Linux Command Line

Debian-Based Distributions

  1. Launch the command line.

  2. Change directory with the following command:

         cd /usr/local/share/ca-certificates/
    
  3. Remove your copy of the Federal Common Policy CA certificate with the following command (assumes the name of the certificate file is known):

         sudo rm fcpca.crt
    
  4. Update Trusted Certificates with the following command:

         sudo update-ca-certificates
    
  5. Run the following command to verify the Federal Common Policy CA no longer has an entry in the system’s trust list:

         trust list | grep "Federal Common Policy CA"
    


Red Hat Enterprise Linux, CentOS, and Other Non-Debian-Based Distributions

  1. Launch the command line.

  2. Change directory with the following command:

         cd /etc/pki/ca-trust/source/anchors/
    
  3. Remove your copy of the Federal Common Policy CA certificate with the following command (assumes the name of the certificate file is known):

         sudo rm fcpca.crt
    
  4. Update Trusted Certificates with the following command:

         sudo /bin/update-ca-trust extract
    
  5. Run the following command to verify the Federal Common Policy CA no longer has an entry in the system’s trust list:

         trust list | grep "Federal Common Policy CA"
    
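The Debian and Red Hat procedures above both assume the anchor's file name is known, and their final grep would also match the FCPCA G2 label. This added example (not the playbook's own code) serves both procedures and the certificate details section: it identifies the G1 anchor file by the SHA-256 thumbprint listed there, removes it, runs the refresh command for whichever layout the host has, and then checks trust list with a pattern that matches only the G1 label. It assumes openssl and p11-kit's trust are installed; the FCPCA_APPLY guard and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the IDManagement.gov playbook: locate the FCPCA G1
# anchor file by the SHA-256 thumbprint published on the page instead of assuming
# its file name, remove it, refresh the trust store for the distribution family
# in use (Debian-style or Red Hat-style layout), and confirm with `trust list`.
# Assumes openssl and p11-kit's `trust` are installed; the apply step needs root.
set -u

# SHA-256 thumbprint of the FCPCA G1 from the page, without the spaces.
FCPCA_G1_SHA256="894ebc0b23da2a50c0186b7f8f25ef1f6b2935af32a94584ef80aaf877a3a06e"

# Strip spaces/colons and lower-case so fingerprints from any source compare equal.
normalize_thumbprint() {
    printf '%s' "$1" | tr -d ' :' | tr 'A-F' 'a-f'
}

# Pull the digest out of an `openssl x509 -fingerprint -sha256` line, which reads
# "SHA256 Fingerprint=89:4E:..." (OpenSSL 1.1) or "sha256 Fingerprint=..." (3.x).
parse_openssl_fingerprint() {
    normalize_thumbprint "$(printf '%s\n' "$1" | sed -n 's/^[Ss][Hh][Aa]256 Fingerprint=//p')"
}

# SHA-256 fingerprint of a certificate file, trying PEM first and then DER.
cert_sha256() {
    line=$(openssl x509 -in "$1" -inform PEM -noout -fingerprint -sha256 2>/dev/null) \
        || line=$(openssl x509 -in "$1" -inform DER -noout -fingerprint -sha256 2>/dev/null) \
        || return 1
    parse_openssl_fingerprint "$line"
}

# Anchor directory and refresh command for this host, printed as "dir|command",
# using the two layouts the page documents.
detect_trust_layout() {
    if [ -d /etc/pki/ca-trust/source/anchors ]; then
        echo "/etc/pki/ca-trust/source/anchors|update-ca-trust extract"
    elif [ -d /usr/local/share/ca-certificates ]; then
        echo "/usr/local/share/ca-certificates|update-ca-certificates"
    else
        return 1
    fi
}

# Print every file in the anchor directory whose fingerprint is the G1's.
find_g1_anchor_files() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if [ "$(cert_sha256 "$f")" = "$FCPCA_G1_SHA256" ]; then echo "$f"; fi
    done
    return 0
}

# Read `trust list` output on stdin; succeed only if the G1 label is present.
# A plain grep for the name would also match the G2, whose label ends in " G2".
g1_in_trust_list() {
    grep -Eq '^[[:space:]]*label: Federal Common Policy CA[[:space:]]*$'
}

apply_linux_distrust() {
    layout=$(detect_trust_layout) || { echo "no known anchor directory found"; return 1; }
    dir=${layout%%|*}
    refresh=${layout#*|}
    files=$(find_g1_anchor_files "$dir")
    if [ -z "$files" ]; then
        echo "no file in $dir matches the FCPCA G1 thumbprint"
    else
        printf '%s\n' "$files" | while IFS= read -r f; do
            echo "removing $f"
            rm -f "$f"
        done
        $refresh      # word-split on purpose: "update-ca-trust extract"
    fi
    if trust list | g1_in_trust_list; then
        echo "FCPCA G1 is still in the system trust list"
        return 1
    fi
    echo "FCPCA G1 is no longer in the system trust list"
}

# Set FCPCA_APPLY=1 (as root) to modify the trust store; otherwise only define.
if [ -n "${FCPCA_APPLY:-}" ]; then apply_linux_distrust; fi
```

Run it as FCPCA_APPLY=1 sudo sh distrust-fcpca-g1.sh (file name assumed). Matching on the thumbprint rather than a file name means an anchor that was installed under a different name is still found, and an anchor that merely shares the G1's name but not its fingerprint is left alone.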


Finally, verify migration to the FCPCA G2.

IDManagement.gov

An official website of the General Services Administration
