
6. Distribute the CA certificates issued by the Federal Common Policy CA G2 (optional)

To simplify certificate path building within your enterprise, you can optionally distribute the CA certificates issued by the Federal Common Policy CA (FCPCA) G2. Sample procedures for the distribution of intermediate CA certificates are below:

Use Microsoft Group Policy Object (GPO)

You must have enterprise administrator privileges for the domain to use these procedures. You must run the commands from an agency domain controller.

  1. Navigate to Server Manager.
  2. Select Tools.
  3. Select Group Policy Management from the drop-down list.
  4. Right-click your desired domain(s), and select Create a GPO in this domain, and Link it here.
  5. Enter a GPO Name and click OK.
  6. Right-click the newly created GPO and click Edit.
  7. Navigate to Policies > Windows Settings > Security Settings > Public Key Policies.
  8. Right-click Intermediate Certification Authorities, and select Import.

    The Certificate Import Wizard appears.

  9. Browse to and select the certificates issued by the FCPCA G2 that you want to distribute.
  10. Verify that the target Certificate Store shows Intermediate Certification Authorities, and select Next.
  11. Select Finish to complete the import.

    A success message appears.

  12. Close the Group Policy Management window.
  13. Wait for clients to consume the new policy.
  14. (Optional) To force client consumption, click Start, type cmd, press Enter, and run the following command:
           gpupdate /force
    


Use macOS/iOS Configuration Profile

Only System or Mobile Device Management (MDM) Administrators should create, distribute, and install Apple configuration profiles.

Create an Apple configuration profile

  1. As an administrator, download and verify the certificates issued by the FCPCA G2 that you want to distribute.
  2. Download and install Configurator 2 from the Apple App Store.
  3. Open Configurator 2 and click File > New Profile.
  4. On the General tab, enter a unique profile Name (for example, FPKI Intermediate CA Certificate Distribution Profile) and Identifier (for example, FCPCAG2-Intermediate-0001).
  5. On the Certificates tab, click Configure.
  6. Browse to and select the certificates you want to distribute.
  7. (Optional) Add additional agency-specific configurations or customizations.
  8. Click File > Save to save your profile to your preferred location.
  9. Follow the steps to distribute the profile to macOS and iOS devices across your enterprise.

Note: The following video shows you how to create an Apple configuration profile.





Certificates issued by the Federal Common Policy CA G2

The following certificates are published in the Federal Common Policy CA G2 certificate’s Subject Information Access extension bundle located at http://repo.fpki.gov/fcpca/caCertsIssuedByfcpcag2.p7c.

Issued to: Federal Bridge CA G4

| Certificate Attribute | Value |
| --- | --- |
| Distinguished Name | CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US |
| Validity | October 15, 2020 to December 6, 2029 |
| Serial Number | 234200beaa6dada658f53b403f418295290cae82 |
| SHA-1 Thumbprint | 97db351e069964297a82040eb760c9cc1d74ba33 |
| SHA-256 Thumbprint | 74383CA1BB648F96EFE9E6ECADB5A8A359E7DF9BA262EF7C02BD004EAB3895F4 |
| Download Location | Click here |

Issued to: U.S. Department of State AD Root CA

| Certificate Attribute | Value |
| --- | --- |
| Distinguished Name | CN=U.S. Department of State AD Root CA, CN=AIA, CN=Public Key Services, CN=Services, CN=Configuration, DC=state, DC=sbu |
| Validity | November 18, 2020 to November 18, 2023 |
| Serial Number | 27634fd321cbfd8c7efc0aeb02876f63da4c0c09 |
| SHA-1 Thumbprint | 9b3849f7047964a6654988054956e478ccb75ded |
| SHA-256 Thumbprint | 9744734dbd34f28d3c87a9094387388e7623a272437c612e88d251138c1db93c |
| Download Location | Click here |

Issued to: US Treasury Root CA

| Certificate Attribute | Value |
| --- | --- |
| Distinguished Name | OU=US Treasury Root CA, OU=Certification Authorities, OU=Department of the Treasury, O=U.S. Government, C=US |
| Validity | November 18, 2020 to August 14, 2022 |
| Serial Number | 2013db2cd30dd29d17edc48535c5e00d8916cf02 |
| SHA-1 Thumbprint | d7d298927d339efa414f2565923e28b98acd970a |
| SHA-256 Thumbprint | 209ce84f4b4811542c5c4754a73a9c272ae1458c04493c89c74ed6773aca553f |
| Download Location | Click here |

Issued to: DigiCert Federal SSP Intermediate CA - G5

| Certificate Attribute | Value |
| --- | --- |
| Distinguished Name | CN=DigiCert Federal SSP Intermediate CA - G5, O=DigiCert, Inc., C=US |
| Validity | November 18, 2020 to December 13, 2028 |
| Serial Number | 24bc168f9ccb30cfcef8f0a58f26f10181869266 |
| SHA-1 Thumbprint | 9aecfbe2de8aea49d220bbf799172c00527fe756 |
| SHA-256 Thumbprint | ea86e0baf55eef020ed58196af865f2fa72a77d1be70a779b65a9cbf0b5ee3f2 |
| Download Location | Click here |

Issued to: Symantec SSP Intermediate CA - G4

| Certificate Attribute | Value |
| --- | --- |
| Distinguished Name | CN=Symantec SSP Intermediate CA - G4, O=Symantec Corporation, C=US |
| Validity | November 18, 2020 to November 12, 2024 |
| Serial Number | 262bd1f025c8af37334545666ea6c9ea946c2c34 |
| SHA-1 Thumbprint | 4c40f62b5c3f13533a8f8a1d44f8b027aaa0fd3d |
| SHA-256 Thumbprint | 09d3f1a7d2e0be1a8d043fdf5d16bf8bf18e0dff2f397f27b0b8ee962de59de5 |
| Download Location | Click here |

Issued to: Entrust Managed Services Root CA

| Certificate Attribute | Value |
| --- | --- |
| Distinguished Name | OU=Entrust Managed Services Root CA, OU=Certification Authorities, O=Entrust, C=US |
| Validity | November 18, 2020 to August 14, 2029 |
| Serial Number | 215e78d99648b021c6394a6566d8e00f46a1e595 |
| SHA-1 Thumbprint | 07f5dc58f83778d5b5738a988292c00a674a0f40 |
| SHA-256 Thumbprint | e3d6b1b33d0a5df0630b32bf17f9fb632b0471a6cac561f164aa6429ef0699a1 |
| Download Location | Click here |

Issued to: Verizon SSP CA A2

| Certificate Attribute | Value |
| --- | --- |
| Distinguished Name | CN=Verizon SSP CA A2, OU=SSP, O=Verizon, C=US |
| Validity | November 18, 2020 to December 6, 2026 |
| Serial Number | 25fca834ada24a4455a2db0ff4cef7c411198e3a |
| SHA-1 Thumbprint | b2167fd38ff47bb910d8dcc32fcc3b7b63a09ff7 |
| SHA-256 Thumbprint | 226508d2a1c926a7092218e743ccd01bab8273291feef66941691592fa7c12b8 |
| Download Location | Click here |

Issued to: ORC SSP 4

| Certificate Attribute | Value |
| --- | --- |
| Distinguished Name | CN=ORC SSP 4, O=ORC PKI, C=US |
| Validity | November 18, 2020 to January 21, 2024 |
| Serial Number | 20a0e513367881559a5e7d20d35fa7c6739a42ab |
| SHA-1 Thumbprint | 3e6610b03daca9fa07e1093b60ccb8927c42d83b |
| SHA-256 Thumbprint | 7cd7f21d04beb99d9f833be8697138e3ad4e11313897ee573c066132d21ab5f8 |
| Download Location | Click here |

Issued to: WidePoint SSP CA 5

| Certificate Attribute | Value |
| --- | --- |
| Distinguished Name | CN=WidePoint ORC SSP 5, O=ORC PKI, C=US |
| Validity | November 19, 2020 to November 5, 2030 |
| Serial Number | 210b3f17db750e616eb25f3f0b4933e5a98c449b |
| SHA-1 Thumbprint | 80f4731a60fd5f2eb0468d0629310daa50ad210d |
| SHA-256 Thumbprint | 70200179049bdc8cbe94b4880730609489f324f2a770477f7c1859401e644c72 |
| Download Location | Click here |
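
One way to carry out the "download and verify" step before importing certificate files into a GPO or an Apple configuration profile, shown as an added example that is not part of the original page: it computes each file's SHA-256 thumbprint over the DER encoding and accepts only files whose thumbprint appears in the tables above. The function names are hypothetical, the thumbprints are copied from this page, and one certificate per file is assumed.

```python
import base64
import hashlib
import re
import sys
from pathlib import Path

# SHA-256 thumbprints copied from the "Issued to" tables on this page.
PUBLISHED_SHA256 = {
    "Federal Bridge CA G4": "74383CA1BB648F96EFE9E6ECADB5A8A359E7DF9BA262EF7C02BD004EAB3895F4",
    "U.S. Department of State AD Root CA": "9744734dbd34f28d3c87a9094387388e7623a272437c612e88d251138c1db93c",
    "US Treasury Root CA": "209ce84f4b4811542c5c4754a73a9c272ae1458c04493c89c74ed6773aca553f",
    "DigiCert Federal SSP Intermediate CA - G5": "ea86e0baf55eef020ed58196af865f2fa72a77d1be70a779b65a9cbf0b5ee3f2",
    "Symantec SSP Intermediate CA - G4": "09d3f1a7d2e0be1a8d043fdf5d16bf8bf18e0dff2f397f27b0b8ee962de59de5",
    "Entrust Managed Services Root CA": "e3d6b1b33d0a5df0630b32bf17f9fb632b0471a6cac561f164aa6429ef0699a1",
    "Verizon SSP CA A2": "226508d2a1c926a7092218e743ccd01bab8273291feef66941691592fa7c12b8",
    "ORC SSP 4": "7cd7f21d04beb99d9f833be8697138e3ad4e11313897ee573c066132d21ab5f8",
    "WidePoint SSP CA 5": "70200179049bdc8cbe94b4880730609489f324f2a770477f7c1859401e644c72",
}
PEM_BODY = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def normalize(thumbprint):
    """Lower-case and drop colons, spaces and invisible characters picked up when copying."""
    return re.sub(r"[^0-9a-f]", "", thumbprint.lower())

def sha256_thumbprint(data):
    """SHA-256 over the DER encoding; PEM input is unwrapped to DER first."""
    pem = PEM_BODY.search(data)
    der = base64.b64decode(pem.group(1)) if pem else data
    return hashlib.sha256(der).hexdigest()

def check_files(files, published=PUBLISHED_SHA256):
    """files maps a file name to its bytes. Returns (approved, rejected, not_seen)."""
    by_print = {normalize(v): ca for ca, v in published.items()}
    approved, rejected = {}, []
    for name, data in files.items():
        ca = by_print.get(sha256_thumbprint(data))
        if ca is None:
            rejected.append(name)  # not on the published list: do not distribute
        else:
            approved[name] = ca
    not_seen = sorted(set(published) - set(approved.values()))
    return approved, rejected, not_seen

if __name__ == "__main__":
    files = {p: Path(p).read_bytes() for p in sys.argv[1:]}
    approved, rejected, _ = check_files(files)
    for name in files:
        print("OK    " if name in approved else "REJECT", name, approved.get(name, ""))
    sys.exit(1 if rejected else 0)
```

Pass the downloaded certificate files as arguments; a non-zero exit status means at least one file did not match a published thumbprint and should not be imported.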


Certificates issued to the Federal Common Policy CA G2

Distrusting the certificate below will prevent workstations from building a path from the Federal Common Policy CA G2, through the Federal Bridge CA G4, to the Federal Common Policy CA or any other root. This certificate will not be posted in the FCPCA G2’s Authority Information Access extension bundle until the certificate issued by the Federal Bridge CA G4 to the Federal Common Policy CA is revoked. For more on how to distrust a certificate, click here.

Issued by: Federal Bridge CA G4

| Certificate Attribute | Value |
| --- | --- |
| Distinguished Name | CN=Federal Common Policy CA G2, OU=FPKI, O=U.S. Government, C=US |
| Validity | October 15, 2020 to December 6, 2029 |
| Serial Number | 129217e6c9126fd816babe02d9192ae2b519e231 |
| SHA-1 Thumbprint | edf2d373f4c56b5186087300638e3c5660c9a090 |
| SHA-256 Thumbprint | 0b658c27727dfd6cd47e378ae2390ea376d9708ecf4b06775f8ee7bc50119991 |
| Download Location | Click here |


Next, migrate to the FCPCA G2.