Federal PKI Graph
Last Update: August 08, 2022
The FPKI Graph displays the relationships between the certification authorities in the Federal PKI (FPKI) ecosystem. It graphically depicts how each certification authority links to another, through cross-certificates, subordinate certificates, or bridge CAs. A P7B file of the weekly FPKI Graph run is available here.
The Federal Common Policy Certification Authority (CA) G2 (“COMMON”) is shown at the center of the graph, and the rings of dots represent the outbound CAs.
- Click on any dot in the graph to see a CA’s inbound and outbound CA certificates.
- Inbound means the CA certificate is signed by the Inbound CA.
- Outbound means the CA has signed the Outbound CA certificate.
- The Search function is in the upper right-hand corner.
- The Zoom scroll bar is in the upper left-hand corner.
You cannot download the certificates from the graph. To download the certificates, you need to retrieve the certificates from the Authority Information Access (AIA) or Subject Information Access (SIA) URIs. (See below for more information on AIAs and SIAs.)
How the FPKI Graph Works
The graph uses information published in each CA certificate’s AIA and SIA extensions. This is public information: all CAs in the FPKI are required to publish and maintain their AIA certificate bundles.
All CA and End Entity certificates that have a certificate path (trust chain) to COMMON will have an AIA extension in their public certificates. An AIA extension contains a URI where you can find the certificate(s) used to sign that CA or End Entity certificate.
Most CA certificates will also have an SIA extension with a URI to the CA certificates that have been issued by that CA. For example, you can find the SIA for COMMON at http://repo.fpki.gov/fcpca/caCertsIssuedByfcpcag2.p7c.
- To use this SIA, retrieve the file (.p7c) using the link above and open it.
- You will find a dozen or more certificates that are issued by COMMON (Root) to other intermediate or issuing CAs.
- The SIA URIs from each of these certificates can then be retrieved to find the next set of signed certificates.
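The SIA walk in the steps above, sketched as an added example (not the FPKI Graph's own code): it pulls the URIs out of every SIA extension in a DER blob and follows the HTTP ones breadth-first. The `repo.example` URLs and bundle bytes are constructed stand-ins for real .p7c files, `fetch` is a caller-supplied function, and the parser assumes DER with single-byte tags.

```python
from collections import deque

SIA = bytes.fromhex("2b0601050507010b")      # id-pe-subjectInfoAccess 1.3.6.1.5.5.7.1.11
CA_REPO = bytes.fromhex("2b06010505073005")  # id-ad-caRepository 1.3.6.1.5.5.7.48.5

def tlvs(buf):  # yield (tag, value) per DER element; single-byte tags, definite lengths
    i = 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated DER header")
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                         # long form: next (n & 0x7F) bytes hold the length
            n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        if i + n > len(buf):
            raise ValueError("DER length runs past end of input")
        yield tag, buf[i:i + n]
        i += n

def access_uris(buf, ext_oid):  # URIs from every ext_oid extension nested anywhere in buf
    items = list(tlvs(buf))
    if items and items[0] == (0x06, ext_oid) and items[-1][0] == 0x04:
        _, seq = next(tlvs(items[-1][1]), (0, b""))  # extnValue: SEQUENCE OF AccessDescription
        return [v.decode("ascii") for _, d in tlvs(seq) for t, v in tlvs(d) if t == 0x86]
    return [u for tag, val in items if tag & 0x20 for u in access_uris(val, ext_oid)]

def crawl_sia(start, fetch, limit=200):  # returns {bundle URL: HTTP SIA URLs found inside it}
    edges, queue = {}, deque([start])
    while queue and len(edges) < limit:
        if (url := queue.popleft()) not in edges:    # cross-certificates form cycles
            found = access_uris(fetch(url), SIA)
            edges[url] = sorted({u for u in found if u.startswith(("http://", "https://"))})
            queue.extend(edges[url])
    return edges

def der(tag, *parts):  # minimal DER encoder, used only to build the sample below
    body = b"".join(parts)
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    head = size if len(body) < 128 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

def sample_bundle(*urls):  # constructed stand-in for a .p7c: one SIA extension, nested
    descs = [der(0x30, der(0x06, CA_REPO), der(0x86, u.encode())) for u in urls]
    return der(0x30, der(0xA0, der(0x30, der(0x06, SIA), der(0x04, der(0x30, *descs)))))

# Constructed sample repository (hypothetical URLs); b and c cross-certify each other.
R = "http://repo.example/"
SAMPLE = {R + "root.p7c": sample_bundle(R + "b.p7c", "ldap://dir.example/cn=b"),
          R + "b.p7c": sample_bundle(R + "c.p7c"),
          R + "c.p7c": sample_bundle(R + "b.p7c")}
```

For live use, pass a `fetch` that downloads the URL and returns its bytes. The walk only maps published URIs; it does not verify signatures or validate certificate paths.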
The FPKI Graph was built using the same tools and code as the Berkeley ICSI SSL Notary.