This is a high-level overview of trust stores (also called certificate stores) and a list of commonly used trust stores and settings.
What is a trust store?
There are millions of identity certificates issued to people and devices around the world. Certificates constantly change as some are revoked and others are issued—far too many for your computer to maintain an up-to-date list.
Instead, a trust store (a list of trusted root certificates) is maintained. When you are presented with a person or device certificate from a PIV credential, website, email, or some other digital item, your operating system or application will check to see whether the certificate has a valid path to one of the trusted root certificates in its trust store. The trust store is usually embedded in an operating system or software.
What are the most commonly used trust stores?
Operating systems, browsers, and some commercial software use trust stores to verify whether a certificate with which you are being presented should be trusted.
Here are some common trust stores. If the Federal Common Policy CA (FCPCA) (i.e., COMMON) root certificate is included in a trust store and distributed by default, the Includes FCPCA (COMMON)? column below will say Yes.
|Includes FCPCA G2||Trust Store Manager||Platforms Serviced||Program Information Location|
|Microsoft Trusted Root Certificate Program||Yes||No||Microsoft Management Console||Windows OS, Internet Explorer Browser, Outlook||Microsoft Trusted Root Program|
|Apple Root Certificate Program||No||No||Keychain Access Utility||macOS, iOS, tvOS, WatchOS, Safari Browser||Apple Root Certificate Program|
|Mozilla Network Security Services (NSS)||No||No||Browser trust store||Firefox, Thunderbird, Linux Operating Systems||Mozilla Root Store Policy|
|Adobe Approved Trust List||Yes||Yes||Application trust store||Adobe Acrobat||Adobe Approved Trust List|
|Java Root Certificate Program||No||No||Java Applet||Java Distributions||Including Certificate Authority Root Certificates in Java|
|No||No||Google Admin Console||Android OS, Chromium OS||Chrome Root Program|
|Opera||No||No||Mozilla NSS||Opera Browser||See Mozilla NSS Informatiom Above|
Google Chrome uses the trust store of the operating system on Microsoft, Apple, and Android systems. Linux-based systems distribute the Mozilla NSS Library, which may be modified by each version of Linux.
What Federal PKI certificate policies are trusted by Adobe and how do I see them?
A common question is which certificate policy object identifiers (OIDs) are trusted? The Federal PKI certificate policy OIDs trusted by Adobe are:
|Certificate Policies||OIDs||Certificate Use|
|Common Hardware||2.16.8184.108.40.206.220.127.116.11||PIV and Federal Bridge Medium Hardware Token|
|Federal Bridge Medium Hardware Commercial Best Practice||2.16.818.104.22.168.22.214.171.124||Federal Bridge Medium Hardware Token (PKI Trusted Roles may not be U.S. citizens)|
|Common High||2.16.8126.96.36.199.188.8.131.52||High Assurance Policy|
Federal PKI certificates may be used for digitally signing documents between federal agencies and with business partners. Adobe is just one option used for digital signatures.
To see and verify which Federal PKI certificate policy OIDs are trusted by Adobe Acrobat:
- Open Adobe Acrobat.
- Edit > Preferences > Signatures > Identities & Trusted Certificates > More.
- Choose Trusted Certificates from the left-hand sidebar.
- Choose Federal Common Policy CA and then the Certificate Details tab.
- Choose the Certificate Viewer window, and click the Policies tab to see Policy Restrictions.
- In Certificate Policies, you will see a comma-separated list of policy OIDs.