A certification authority is a system that issues digital certificates. These digital certificates are based on cryptography, and follow the X.509 standards defined for information security.
The Federal PKI is a network of hundreds of certification authorities (CAs) that are root, intermediate, or issuing certification authorities.
Any CA in the Federal PKI may be referred to as a Federal PKI CA. The four highest-level CAs in the Federal PKI hierarchy are the Federal PKI Trust Infrastructure CAs; they are operated and managed by the Federal PKI Management Authority (FPKIMA) program office:
- Federal Common Policy Certification Authority
- Federal Bridge Certification Authority 2013
- Federal Bridge Certification Authority 2016
- SHA-1 Federal Root Certification Authority G2
These Federal PKI Trust Infrastructure CAs serve as the root and trust anchors for the intermediate and issuing certification authorities operated by:
- Federal Government Agencies
- State, Local, Tribal, Territorial, and International Governments
- Commercial Partners
Public trust for websites
A new effort is in the planning stages to establish a separate Federal Government Root CA and Issuing CAs dedicated to Public Trust Transport Layer Security (TLS) device certificates. Follow or contribute to the development of the Federal Government's new certificate policy for this Public Trust effort at https://github.com/uspki/policies
Federal Common Policy Certification Authority
For the Federal Government executive branch agencies, there is one Root Certification Authority. This certification authority is named Federal Common Policy CA and may be referenced by either the acronym FCPCA or as COMMON in documents.
FCPCA serves as the Federal PKI trust anchor for the Federal Government to support government enterprise devices and person trust, including Personal Identity Verification (PIV) credentials. The design of FCPCA enables any certificate issued by any Federal PKI CA to validate its certificate path to a single root CA.
Many commercial vendors include the FCPCA root certificate in their commercial-off-the-shelf (COTS) products’ Trust Stores. This enables Federal Government systems to trust person and enterprise device certificates issued by Federal PKI CAs. It is also possible to add the Federal Common Policy CA root certificate into trust stores for government managed devices and servers, if it is not available by default.
The Federal Common Policy CA certificate is included in the trust stores of some platforms, such as Microsoft and Adobe. Other platforms, including Mozilla and its Firefox browser, do not include the Federal Common Policy CA by default.
Federal Bridge Certification Authority
The Federal Bridge Certification Authority (FBCA) is a PKI Bridge or link between the Federal Common Policy CA and other CAs that comprise the Federal PKI network and which may operate under comparable but different certificate policies.
The FBCA provides a means to map these certificate policies and CAs to allow the certificates to validate to the Federal Common Policy Certification Authority root certificate.
There are two Federal Bridge Certification Authorities:
- Federal Bridge CA 2013
- Federal Bridge CA 2016
The CAs signed by these Federal Bridge CAs are cross-certified. These CAs have established a trust relationship and are audited for conformance to the certificate policies. This cross-certification process has extended the reach of the Federal PKI well beyond the boundaries of the Federal Government.
SHA-1 Federal Root Certification Authority
The SHA-1 Federal Root CA G2 (SHA-1 FRCA) is a Certification Authority supporting Federal entities that still hold certificates signed with the deprecated SHA-1 hash algorithm. The SHA-1 Federal Root CA was created and is maintained to provide backwards interoperability for legacy systems unable to fully transition to SHA-256, and to support those migrations over time.
The SHA-1 hash algorithm is no longer considered secure enough for today's standards. Federal organizations should no longer be using certificates signed with this hash.
Under current policy, certificates using the SHA-1 signature hash algorithm are limited to legacy enterprise systems and are being completely phased out.
All Federal PKI Certification Authorities
A Certification Authority that is part of the Federal PKI is called a participating Certification Authority. There are hundreds of participating Certification Authorities that form the Federal PKI network.
Each certification authority can be labeled by a category that reflects when the system was established, which communities it serves or has served, and its place in the historical record.
We realize all the acronyms and labels may be confusing, and welcome your input to help us improve and add information over time.
| Certification Authority Category | Description |
|---|---|
| PKI Shared Service Provider | A Shared Service Provider (SSP) CA is subordinate to the Federal Common Policy CA (FCPCA). Any certificate the SSP CA creates, signs, and issues to people or devices is in the trust chain of the FCPCA. An SSP must adhere to strict Federal IT security standards and requirements. The Shared Service Providers are granted a FISMA Authority to Operate (ATO), undergo continuous monitoring, and are contracted by the Federal government to issue certificates to Federal employees, contractors, and federal devices deployed in Federal agency networks. |
| Private Sector Certification Authorities | A Private Sector Certification Authority that is cross-certified has shown a valid need to either conduct business with or provide PKI services to the Federal government. |
| Access Certificates for Electronic Services (ACES) Certification Authorities | The ACES Certification Authorities issue certificates to authorized U.S. business representatives who need to digitally sign documents or access some web-based systems. ACES was established in the late 1990s and was the predecessor of today's Federal Public Key Infrastructure. |
| Other Government Certification Authorities | These are CAs managed and operated by State, Local, Tribal, Territorial, or international government organizations. |
| Bridge Certification Authorities | Bridge CAs connect member PKIs and are designed to enable interoperability between different PKIs operating under their own Certificate Policies. A Bridge CA is not a Root. |
| Federal Agency Legacy | Prior to 2004, some agencies had already deployed and invested in their own PKI and Certification Authorities. Some of these agencies opted out of migrating to the Shared Service Provider program and continue to manage their existing infrastructures. Each of these Federal Agency Legacy PKIs operates one or more Certification Authorities that are cross-certified with one or more FPKI Trust Infrastructure CAs. |