6. Distribute the CA certificates issued by the Federal Common Policy CA G2 (optional)
To simplify certificate path building within your enterprise, you can optionally distribute the CA certificates issued by the Federal Common Policy CA (FCPCA) G2. Sample procedures for the distribution of intermediate CA certificates are below:
Use Microsoft Group Policy Object (GPO)
You must have enterprise administrator privileges for the domain to use these procedures. You must run the commands from an agency domain controller.
- Navigate to Server Manager.
- Select Tools.
- Select Group Policy Management from the drop-down list.
- Right-click your desired domain(s), and select Create a GPO in this domain, and Link it here.
- Enter a GPO Name and click OK.
- Right-click the newly created GPO and click Edit.
- Navigate to Policies > Windows Settings > Security Settings > Public Key Policies.
- Right-click Intermediate Certification Authorities, and select Import. The Certificate Import Wizard appears.
- Browse to and select the certificates issued by the FCPCA G2 that you want to distribute.
- Verify that the target Certificate Store presents Intermediate Certification Authorities, and select Next.
- Select Finish to complete the import. A success message appears.
- Close the Group Policy Management window.
- Wait for clients to consume the new policy.
- (Optional) To force client consumption, click Start, type cmd, press Enter, and run the following command:
Use macOS/iOS Configuration Profile
Only System or Mobile Device Management (MDM) Administrators should create, distribute, and install Apple configuration profiles.
Create an Apple configuration profile
- As an administrator, download and verify the certificates issued by the FCPCA G2 that you want to distribute.
- Download and install Configurator 2 from the Apple App Store.
- Open Configurator 2 and click File > New Profile.
- On the General tab, enter a unique profile Name (for example, FPKI Intermediate CA Certificate Distribution Profile) and Identifier (for example, FCPCAG2-Intermediate-0001).
- On the Certificates tab, click Configure.
- Browse to and select the certificates you want to distribute.
- (Optional) Add additional agency-specific configurations or customizations.
- Click File > Save to save your profile to your preferred location.
- Follow the steps to distribute the profile to macOS and iOS devices across your enterprise.
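A scripted equivalent of the Configurator 2 steps above, as an added example that is not part of the original playbook or of Apple's tooling: it builds the profile with Python's `plistlib` and reports each certificate's SHA-256 fingerprint to support the verify step. The payload keys follow Apple's configuration profile format; the output file name and the placeholder certificate bytes are assumptions.

```python
import hashlib
import plistlib
import ssl
import uuid

def to_der(data: bytes) -> bytes:
    """Accept a PEM or DER certificate file's bytes and return DER."""
    if data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        return ssl.PEM_cert_to_DER_cert(data.decode("ascii").strip())
    if data[:1] != b"\x30":  # a DER certificate begins with an ASN.1 SEQUENCE tag
        raise ValueError("input is neither a PEM nor a DER certificate")
    return data

def build_profile(name: str, identifier: str, certs: dict):
    """Return (profile plist bytes, {file name: SHA-256 of the DER certificate})."""
    payloads, fingerprints = [], {}
    for file_name, raw in sorted(certs.items()):
        der = to_der(raw)
        fingerprints[file_name] = hashlib.sha256(der).hexdigest()
        payloads.append({
            "PayloadType": "com.apple.security.pkcs1",  # payload type for non-root certificates
            "PayloadVersion": 1,
            "PayloadIdentifier": f"{identifier}.{file_name}",
            "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_URL, identifier + file_name)).upper(),
            "PayloadDisplayName": file_name,
            "PayloadCertificateFileName": file_name,
            "PayloadContent": der,  # plistlib writes bytes as a <data> element
        })
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadDisplayName": name,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_URL, identifier)).upper(),
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile), fingerprints

# Constructed placeholder bytes, NOT a real certificate; pass your downloaded files instead.
SAMPLE_CERTS = {"placeholder-intermediate.cer": b"\x30\x03\x02\x01\x01"}

if __name__ == "__main__":
    data, prints = build_profile("FPKI Intermediate CA Certificate Distribution Profile",
                                 "FCPCAG2-Intermediate-0001", SAMPLE_CERTS)
    for file_name, digest in prints.items():
        print(digest, file_name)  # compare with a fingerprint obtained from a trusted source
    with open("fpki-intermediates.mobileconfig", "wb") as out:  # assumed output name
        out.write(data)
```

Compare the printed fingerprints with values obtained through a trusted channel before the profile is distributed.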
Certificates issued by the Federal Common Policy CA G2
|Issued to: Federal Bridge CA G4||Certificate Details|
|Distinguished Name||CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US|
|Validity||October 15, 2020 to December 6, 2029|
|Download Location||Click here|
Certificates pending issuance by the FCPCA G2
The following certificates are expected to be issued by the FCPCA G2 on November 18, 2020.
|CA Operator||CA Distinguished Name|
|Department of State||CN=U.S. Department of State AD Root CA, CN=AIA, CN=Public Key Services, CN=Services, CN=Configuration, DC=state, DC=sbu|
|Department of the Treasury||OU=US Treasury Root CA, OU=Certification Authorities, OU=Department of the Treasury, O=U.S. Government, C=US|
|DigiCert Federal Shared Service Provider||(1) CN=DigiCert Federal SSP Intermediate CA - G5, O=DigiCert, Inc., C=US; (2) CN=Symantec SSP Intermediate CA - G4, O=Symantec Corporation, C=US|
|Entrust Federal Shared Service Provider||OU=Entrust Managed Services Root CA, OU=Certification Authorities, O=Entrust, C=US|
|Verizon Federal Shared Service Provider||CN=Verizon SSP CA A2, OU=SSP, O=Verizon, C=US|
|WidePoint Federal Shared Service Provider||(1) CN=ORC SSP 4, O=ORC PKI, C=US; (2) CN=WidePoint SSP CA 5, OU=Certification Authorities, O=WidePoint, C=US|
Next, migrate to the FCPCA G2.