Trust Stores
This page provides a high-level overview of PKI trust stores (also called certificate stores or key stores). It also has a list of public trust stores and settings.
What Is a Trust Store?
Millions of public key certificates are issued to people and devices around the world. Certificates constantly change as some are revoked and others are issued—far too many for you to maintain an up-to-date list.
Every software program that interacts with a certificate either has a native trust store or uses the trust store of the operating system. A trust store is a list of root, intermediate, and sometimes user certificates that are trusted by the operating system or application to process transactions. When you are presented with a person or device certificate from a PIV credential, website, email, or some other digital item, your application will automatically check whether the certificate has a valid path to one of the certificates in its trust store. This type of trust store is sometimes called a private trust store. An application that uses PKI certificates will say in its documentation which trust store is used and how to configure it with either public or private certificates.
What Is a Public Trust Store?
A vendor may also have a public trust program that allows PKI operators to submit their roots for distribution within the vendor’s trust store. Certificates distributed by an application may be called “public certificates” while certificates distributed by your agency or a partner may be called “private certificates.”
A public trust store program refers to the collection of root certification authority (CA) certificates that are included and distributed by default in many operating systems, browsers, or applications (referred to as an application trust store for simplicity). The public root CAs contained in these trust stores must comply with the root store's requirements, including any specific compliance requirements such as a third-party audit or specific operational requirements. For more information on public certificates, see the CIO Council policy on HTTPS.
What Are the Most Common Public Trust Stores?
Operating systems, browsers, and some commercial software operate public trust stores.
The table below lists some common public trust stores. All applications that use PKI use a trust store, but not all applications’ trust stores are managed by a formal program. The applications in this table manage a formal program. If the Federal Common Policy CA G2 (FCPCAG2) (i.e., COMMON) root certificate is included in a trust store and distributed by default, the Includes FCPCAG2 (COMMON)? column below will say Yes.
Application | Includes FCPCAG2 (COMMON)? | Trust Store Manager | Platforms Serviced | Program Information Location
---|---|---|---|---
Microsoft Trusted Root Certificate Program | No | Microsoft Management Console | Windows OS, Internet Explorer Browser, Outlook | Microsoft Trusted Root Program
Apple Root Certificate Program | No | Keychain Access Utility | macOS, iOS, tvOS, WatchOS, Safari Browser | Apple Root Certificate Program
Mozilla Network Security Services (NSS) | No | Browser trust store | Firefox, Thunderbird, Linux Operating Systems | Mozilla Root Store Policy
Adobe Approved Trust List | Yes | Application trust store | Adobe Acrobat | Adobe Approved Trust List
Java Root Certificate Program | No | Java Applet | Java Distributions | Including Certificate Authority Root Certificates in Java
Google Chrome | No | Google Admin Console | Android OS, Chromium OS | Chrome Root Program
Opera | No | Mozilla NSS | Opera Browser | See Mozilla NSS Information Above
Google Chrome currently uses the trust store of the operating system on Microsoft, Apple, and Android systems. Linux-based systems distribute the Mozilla NSS Library, which may be modified by each version of Linux.
What Federal PKI Certificate Policies Are Trusted by Adobe and How Do I View Them?
A common question is which certificate policy object identifiers (OIDs) are trusted. The Federal PKI certificate policy OIDs trusted by Adobe are:
Certificate Policies | OIDs | Certificate Use
---|---|---
Common Hardware | 2.16.840.1.101.3.2.1.3.7 | PIV and Federal Bridge Medium Hardware Token
Federal Bridge Medium Hardware Commercial Best Practice | 2.16.840.1.101.3.2.1.3.15 | Federal Bridge Medium Hardware Token (PKI Trusted Roles may not be U.S. citizens)
Common High | 2.16.840.1.101.3.2.1.3.16 | High Assurance Policy
PIV-I Hardware | 2.16.840.1.101.3.2.1.3.18 | PIV-Interoperable
Federal PKI certificates may be used for digitally signing documents between federal agencies and with business partners. Adobe is just one option used for digital signatures.
Do the following to view and verify which Federal PKI certificate policy OIDs are trusted by Adobe Acrobat:
- Open Adobe Acrobat.
- Select Edit > Preferences > Signatures > Identities & Trusted Certificates > More.
- Choose Trusted Certificates from the left-hand sidebar.
- Choose Federal Common Policy CA and then the Certificate Details tab.
- Choose the Certificate Viewer window, and click the Policies tab to see Policy Restrictions.
- In Certificate Policies, you will see a comma-separated list of policy OIDs.
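The policy OIDs shown in the Acrobat Certificate Viewer come from the certificate's certificatePolicies extension. The following added example (not from the original page or from Adobe) decodes that extension's DER encoding with only the Python standard library and checks the decoded OIDs against the Federal PKI policy OID table above; the sample extension bytes are constructed for the example.

```python
# Added example: decode the policyIdentifier OIDs in a certificatePolicies
# extension (RFC 5280 section 4.2.1.4) and match them against the Federal PKI
# policy OIDs the table above lists as trusted by Adobe.
from typing import List, Tuple

# OIDs and names taken from the table above.
ADOBE_TRUSTED_FPKI_POLICIES = {
    "2.16.840.1.101.3.2.1.3.7": "Common Hardware",
    "2.16.840.1.101.3.2.1.3.15": "Federal Bridge Medium Hardware Commercial Best Practice",
    "2.16.840.1.101.3.2.1.3.16": "Common High",
    "2.16.840.1.101.3.2.1.3.18": "PIV-I Hardware",
}

def _read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def decode_oid(content: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets into dotted-decimal form."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in content[1:]:          # base-128 arcs, high bit set on all but the last octet
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def policy_oids(ext_value: bytes) -> List[str]:
    """Return every policyIdentifier in a certificatePolicies extension value."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE OF PolicyInformation")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = _read_tlv(seq, pos)        # one PolicyInformation
        oid_tag, oid_bytes, _ = _read_tlv(info, 0)  # its first element is the OID; qualifiers are ignored
        if tag == 0x30 and oid_tag == 0x06:
            oids.append(decode_oid(oid_bytes))
    return oids

def adobe_trusted_policies(ext_value: bytes) -> List[str]:
    """Names of the table's Adobe-trusted FPKI policies that the extension asserts."""
    return [ADOBE_TRUSTED_FPKI_POLICIES[o] for o in policy_oids(ext_value)
            if o in ADOBE_TRUSTED_FPKI_POLICIES]

# Constructed sample: asserts Common Hardware (2.16.840.1.101.3.2.1.3.7) plus the
# CA/Browser Forum domain-validated OID 2.23.140.1.2.1, which is not in the table.
SAMPLE_EXT = bytes.fromhex(
    "3018"                                # SEQUENCE OF PolicyInformation, 24 bytes
    "300c" "060a60864801650302010307"     # PolicyInformation { 2.16.840.1.101.3.2.1.3.7 }
    "3008" "060667810c010201"             # PolicyInformation { 2.23.140.1.2.1 }
)
```

Feeding the extension value from a real certificate in place of SAMPLE_EXT gives the same list that the Policies tab shows, filtered to the policies Adobe trusts.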