Federal Common Policy CA Removal from Apple Trust Stores Impact
Publish Date: September 13, 2018
This announcement has been archived and is hosted solely for historical reference. It is no longer being updated or maintained.
Upcoming changes regarding Apple devices and operating systems could impact your agency. The Federal PKI Policy Authority has elected to remove our U.S. Government Root CA certificate (Federal Common Policy CA [COMMON]) from Apple’s pre-installed Operating System Trust Stores.
Starting with macOS Mojave, iOS 12, and tvOS 12, government users of Apple devices will receive errors whenever they encounter a certificate issued by a Federal PKI CA. You can mitigate the impact for government intranets and government-furnished Apple devices.
Apple Operating System Release Dates
- iOS 12: September 17, 2018
- tvOS 12: September 17, 2018
- macOS Mojave: September 24, 2018
The FPKIPA has also elected to remove the Federal Common Policy CA root certificate from Microsoft's Trust Store.
- How Does this Work?
- What Will Be Impacted?
- What Should I Do?
- Frequently Asked Questions
- Additional Resources
How Does This Work?
Apple currently distributes the Federal Common Policy CA (COMMON) through its pre-installed operating system Trust Stores for iOS, macOS, and tvOS.
Three root CA certificate types reside in Apple’s Trust Stores:
- Trusted Certificates — Trusted certificates that establish a chain of trust.
- Always Ask — Untrusted certificates that are not blocked. If a resource (e.g., website or signed email) chains to one of these certificates, the Apple operating system will ask you to choose whether or not to trust it.
- Blocked — Potentially compromised certificates that will never be trusted.
These certificate types are stored within Apple Keychains:
- Login Keychain — Certificates associated with a user account logged into a device.
- System Keychain — Certificates associated with all user accounts on a device (similar to the Microsoft Windows’ Local Machine certificate store).
- System Roots Keychain — Includes Apple’s pre-installed, trusted root CA certificates. COMMON will be removed from this Keychain.
What Will Be Impacted?
These Apple operating system versions (and all subsequent versions) will be impacted:
macOS | iOS | tvOS |
---|---|---|
Mojave (10.14), Release 9/24/18 | iOS 12, Release 9/17/18 | tvOS 12, Release 9/17/18 |
Government users will receive errors on government-furnished Apple devices if any of these are true:
- Logging into a government network with a PIV credential
- Authenticating to a government Virtual Private Network (VPN) endpoint with a PIV credential
- Authenticating to an internet-facing, government collaboration portal with a PIV credential
- Browsing with Safari, Chrome, or Edge (iOS) to a government intranet website that uses a Federal PKI CA-issued TLS/SSL certificate
- Opening an Apple Mail or Microsoft Outlook email that was digitally signed using a Federal PKI CA-issued certificate
- Opening a Microsoft Office document that was digitally signed with a Federal PKI CA-issued certificate
This change will also impact Federal Government partners that rely on COMMON—for example, a Department of Defense employee sending a digitally signed email to a business partner.
You can mitigate the risk to government missions, intranets, applications, and government-furnished equipment.
If you are unsure whether your applications will be affected, email us at fpki@gsa.gov.
What Should I Do?
To limit the impact to your agency, you will need to redistribute the Federal Common Policy CA (FCPCA) (i.e., COMMON) root certificate as a trusted root certificate to all government-furnished Apple devices.
To redistribute COMMON, use these procedures:
- Download a Copy of COMMON
- Verify Your Copy of COMMON
- Redistribute COMMON
- macOS Solutions
- iOS Solutions
Download a Copy of COMMON
To download a copy of COMMON, use one of the recommended options:
- Download from http://http.fpki.gov/fcpca/fcpca.crt.
- Email fpki@gsa.gov to request an out-of-band copy for download.
You should never install a root certificate without verifying it. Follow the steps below to verify the authenticity of your copy of COMMON.
Verify Your Copy of COMMON
To verify your copy of COMMON on macOS devices, use one of these steps:
- Click the Spotlight icon and search for terminal.
- Double-click the Terminal icon (black monitor icon with white “>_”) to open a window.
- Run the command:
$ shasum -a 256 {DOWNLOAD_LOCATION}/fcpca.crt
Note: Replace {DOWNLOAD_LOCATION} with your preferred location (e.g., /Users/Sam.Jackson/Downloads).
Verify that the certificate hash matches the SHA-256 Thumbprint in the certificate details below:
Federal Common Policy CA (FCPCA/COMMON) | Certificate Details |
---|---|
 | Federal Common Policy CA (sometimes shown as U.S. Government Common Policy) |
 | http://http.fpki.gov/fcpca/fcpca.crt |
Distinguished Name | cn=Federal Common Policy CA, ou=FPKI, o=U.S. Government, c=US |
SHA-1 Thumbprint | 90 5f 94 2f d9 f2 8f 67 9b 37 81 80 fd 4f 84 63 47 f6 45 c1 |
SHA-256 Thumbprint | 89 4e bc 0b 23 da 2a 50 c0 18 6b 7f 8f 25 ef 1f 6b 29 35 af 32 a9 45 84 ef 80 aa f8 77 a3 a0 6e |
Note: This video shows you how to download and verify a copy of COMMON for macOS.
Redistribute COMMON
macOS Solutions
Redistribute COMMON to government-furnished macOS devices by using one of these options:
- Create, Distribute, and Install an Apple Configuration Profile
- Install COMMON Using Command Line
- Install COMMON Using Apple Keychain Access
Create, Distribute, and Install an Apple Configuration Profile
For macOS and iOS government-furnished devices, you can use Apple Configuration Profiles (XML files) to redistribute and automatically install COMMON.
These steps will help you to create, distribute, and install profiles using Apple’s free Configurator 2 application. Third-party applications are available.
Only System or Mobile Device Management (MDM) Administrators should create, distribute, and install Apple Configuration Profiles.
Create an Apple Configuration Profile
- As an administrator, you will need to first download a copy of COMMON to your device and verify it.
- Then, download and install Configurator 2 from the Apple App Store.
- Open Configurator 2 and click File -> New Profile.
- Under the General tab, enter a unique profile Name (“Federal Common Policy Certification Authority Profile” was used for this example) and Identifier (“FCPCA-0001” was used for this example).
- Under the Certificates tab, click Configure; then browse to and select your verified copy of COMMON.
- (Optional) Add additional agency-specific configurations or customizations.
- Click File -> Save to save your profile to your preferred location.
- Follow the steps to distribute the profile across your enterprise.
Note: This video shows you how to create an Apple Configuration Profile. The steps and example below also show you how to do this.
This profile can be reused.
APPLE CONFIGURATION PROFILE (EXAMPLE)
Before using this profile, you should verify its suitability for your agency.
To use this profile, copy the XML information and save it as a .mobileconfig file.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadCertificateFileName</key>
            <string>fcpca.crt</string>
            <key>PayloadContent</key>
            <data>
MIIEYDCCA0igAwIBAgICATAwDQYJKoZIhvcNAQELBQAwWTELMAkG
A1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDENMAsG
A1UECxMERlBLSTEhMB8GA1UEAxMYRmVkZXJhbCBDb21tb24gUG9s
aWN5IENBMB4XDTEwMTIwMTE2NDUyN1oXDTMwMTIwMTE2NDUyN1ow
WTELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVu
dDENMAsGA1UECxMERlBLSTEhMB8GA1UEAxMYRmVkZXJhbCBDb21t
b24gUG9saWN5IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA2HX7NRY0WkG/Wq9cMAQUHK14RLXqJup1YcfNNnn4fNi9
KVFmWSHjeavUeL6wLbCh1bI1FiPQzB6+Duir3MPJ1hLXp3JoGDG4
FyKyPn66CG3G/dFYLGmgA/Aqo/Y/ISU937cyxY4nsyOl4FKzXZbp
sLjFxZ+7xaBugkC7xScFNknWJidpDDSPzyd6KgqjQV+NHQOGgxXg
VcHFmCye7Bpy3EjBPvmE0oSCwRvDdDa3ucc2Mnr4MrbQNq4iGDGM
UHMhnv6DOzCIJOPpwX7e7ZjHH5IQip9bYi+dpLzVhW86/clTpyBL
qtsgqyFOHQ1O5piF5asRR12dP8QjwOMUBm7+nQIDAQABo4IBMDCC
ASwwDwYDVR0TAQH/BAUwAwEB/zCB6QYIKwYBBQUHAQsEgdwwgdkw
PwYIKwYBBQUHMAWGM2h0dHA6Ly9odHRwLmZwa2kuZ292L2ZjcGNh
L2NhQ2VydHNJc3N1ZWRCeWZjcGNhLnA3YzCBlQYIKwYBBQUHMAWG
gYhsZGFwOi8vbGRhcC5mcGtpLmdvdi9jbj1GZWRlcmFsJTIwQ29t
bW9uJTIwUG9saWN5JTIwQ0Esb3U9RlBLSSxvPVUuUy4lMjBHb3Zl
cm5tZW50LGM9VVM/Y0FDZXJ0aWZpY2F0ZTtiaW5hcnksY3Jvc3ND
ZXJ0aWZpY2F0ZVBhaXI7YmluYXJ5MA4GA1UdDwEB/wQEAwIBBjAd
BgNVHQ4EFgQUrQx6dVzl85jEeZgOrCj9l/TnAvwwDQYJKoZIhvcN
AQELBQADggEBAI9z2uF/gLGH9uwsz9GEYx728Yi3mvIRte9UrYpu
GDco71wb5O9Qt2wmGCMiTR0mRyDpCZzicGJxqxHPkYnos/UqoEfA
FMtOQsHdDA4b8Idb7OV316rgVNdF9IU+7LQd3nyKf1tNnJaK0KIy
n9psMQz4pO9+c+iR3Ah6cFqgr2KBWfgAdKLI3VTKQVZHvenAT+0g
3eOlCd+uKML80cgX2BLHb94u6b2akfI8WpQukSKAiaGMWMyDeiYZ
dQKlDn0KJnNR6obLB6jI/WNaNZvSr79PMUjBhHDbNXuaGQ/lj/Rq
DG8z2esccKIN47lQA2EC/0rskqTcLe4qNJMHtyznGI8=
            </data>
            <key>PayloadDescription</key>
            <string>Adds a CA root certificate</string>
            <key>PayloadDisplayName</key>
            <string>Federal Common Policy CA</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.security.root.1EB75E7D-C3BC-46C2-AF42-51D80A2E12FC</string>
            <key>PayloadType</key>
            <string>com.apple.security.root</string>
            <key>PayloadUUID</key>
            <string>1EB75E7D-C3BC-46C2-AF42-51D80A2E12FC</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>Federal Common Policy Certification Authority Profile</string>
    <key>PayloadIdentifier</key>
    <string>FCPCA-0001</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>AAD17D9A-DA41-4197-9F0F-3C3C6B4512F9</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
```
Distribute an Apple Configuration Profile
Only System or MDM Administrators should use these steps. You should never email an Apple Configuration Profile to someone outside your agency's domain.
Use Apple’s Configurator 2 to distribute your Apple Configuration Profile to government-furnished macOS and iOS devices in these ways:
- Physically connect to the user’s device.
- Email a profile to specific users.*
- Share a profile on an agency intranet webpage.*
- Share via over-the-air profile delivery and configuration.
- Share via over-the-air delivery and configuration from an MDM server. (Third-party applications are available.)
For iOS only* — If you download and install COMMON from an email or an intranet website, you will need to manually enable SSL trust for COMMON. This is not needed if you use Configurator 2 with over-the-air (OTA) methods or an MDM enrollment profile to install COMMON. (See Enable Full Trust for COMMON.)
Install an Apple Configuration Profile
We recommend using an automated method to install Apple Configuration Profiles on government-furnished Apple devices (e.g., a desktop configuration management or MDM tool), which will redistribute COMMON. (If you have questions about third-party products, email us at fpki@gsa.gov.)
You can also manually install a profile.
Note: This video shows you how to manually install an Apple Configuration Profile on macOS.
Install COMMON Using Command Line
These steps will install COMMON in the System Keychain. System administrators should use these steps. Non-administrators will encounter permission errors.
- Click the Spotlight icon and search for terminal.
- Double-click the Terminal icon (black monitor icon with white “>_”) to open a window.
- Run the following command:
$ sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" {DOWNLOAD_LOCATION}/fcpca.crt
Note: This video shows you how to install COMMON using the command line.
Install COMMON Using Apple Keychain Access
You can use one of these methods to install COMMON by using Apple Keychain Access:
- System Keychain
- Login Keychain
System Keychain
These steps will install COMMON in the System Keychain. System administrators should use these steps. Non-administrators will encounter permission errors.
- Click the Spotlight icon and search for Keychain Access.
- Double-click the Keychain Access icon to open the application.
- Click the System keychain from the left-hand navigation.
- Click File -> Import Items
- Browse to and select your verified copy of COMMON.
- When prompted, enter your administrator username and password.
- Keychain Access will present the installed certificate.
Note: This video shows you how to install COMMON by using the Apple Keychain Access import process.
Login Keychain
These steps will install COMMON in the login Keychain. Both system administrators and non-administrators can use these steps.
- Browse to your downloaded, verified copy of COMMON.
- Double-click on the file.
- Keychain Access will open and present the installed certificate.
Note: This video shows non-administrators how to install COMMON by using the Apple Keychain Access import process.
iOS Solutions
Redistribute COMMON to government-furnished Apple iOS devices by using one of these options:
- Install COMMON Using an Apple Configuration Profile in iOS
- Install COMMON Using Safari Web Browser
Enable full trust for COMMON on Apple iOS devices by using this option:
- Enable Full Trust for COMMON
Install COMMON Using an Apple Configuration Profile in iOS
Apple Configuration Profiles can be used to install COMMON on both macOS and iOS devices.
Review the Apple Configuration Profiles guidance above.
Install COMMON Using Safari Web Browser
The Safari web browser can be used to install COMMON on iOS devices only.
These steps will install COMMON as a trusted root certificate. System administrators or non-administrators can use these steps.
- Launch Safari.
- Navigate to the COMMON root CA certificate: http://http.fpki.gov/fcpca/fcpca.crt.
System message says: The website is trying to open Settings to show you a configuration profile. Do you want to allow this?
- Click Allow.
The COMMON configuration profile appears.
- Click More Details and then the COMMON certificate entry.
- Scroll down to Fingerprints and verify the certificate’s SHA-256 hash.
- At the top left of screen, click Back and Install Profile. Then, click Install (top right).
- When prompted, enter your device passcode.
- Click Install (top right), and Install again.
- Click Done.
- Follow the steps below to enable full trust for COMMON.
Note: This video shows you how to install COMMON using the Safari web browser.
Enable Full Trust for COMMON
This option works for iOS devices only.
These steps will enable “full trust” for certificates that chain to COMMON. Both system administrators and non-administrators can use these steps.
- From the iOS device’s Home screen, go to Settings -> General -> About -> Certificate Trust Settings.
- Beneath Enable Full Trust for Root Certificates, toggle ON for the COMMON root CA certificate entry.
- When the certificate appears, click Continue.
- You can now successfully navigate to any intranet website whose SSL certificate was issued by a Federal Public Key Infrastructure (FPKI) CA.
Frequently Asked Questions
1. Is PIV network login impacted?
Yes.
2. What versions are affected?
Please see What Will Be Impacted?.
Additional Resources
- COMMON Removal from Microsoft Certificate Trust List
- macOS Available Trusted Root Certificates List
- iOS Available Trusted Root Certificates List
- tvOS Available Trusted Root Certificates
- Apple Keychains
- Apple Configuration Profile Reference
- Over-the-Air Profile Delivery and Configuration
- Mobile Device Management Best Practices