
3. Distribute the certificate to operating systems

We're calling for all solutions! If you'd like to share your agency's playbook on how to distribute a trusted root CA certificate to an operating system trust store, create an issue on GitHub or email us at fpkirootupdate@gsa.gov.

To distribute the Federal Common Policy CA G2 (FCPCA G2) certificate, use one of these options:

Microsoft Solutions

macOS Solutions

iOS Solutions

Linux/Unix Solutions

Important! If your enterprise systems do not have dynamic path validation enabled, you may also need to distribute the intermediate CA certificates issued by the FCPCA G2. These certificates will be available after November 18, 2020.



Microsoft Solutions

Use Microsoft Certutil

You must have Enterprise Administrator privileges for the domain to use these procedures. The commands must be run from an agency domain controller.

  1. Click Start, type cmd, and press Enter.
  2. Run the following command:
         certutil -dspublish -f [PATH\]fcpcag2.crt RootCA
    
  3. To verify that FCPCA G2 was distributed, run the following commands:
         gpupdate /force
         certutil -viewstore -enterprise
    
  4. Confirm that the output details include FCPCA G2.
  5. Verify the certificate details (serial number and SHA-1/SHA-256 thumbprint) against the values published for FCPCA G2.

Note: The following .gif shows you how to distribute the FCPCA G2 using Microsoft Certutil.
A .gif that shows the distribution and verification steps performed using Microsoft Certutil

Use Microsoft Group Policy Object (GPO)

You must have Enterprise Administrator privileges for the domain to use these procedures. The steps must be performed from an agency domain controller.

  1. Navigate to Server Manager.
  2. Select Tools.
  3. Select Group Policy Management from the drop-down list.
  4. Right-click your desired domain(s), and select Create a GPO in this domain, and Link it here.
  5. Enter a GPO Name, and click OK.
  6. Right-click the newly created GPO and click Edit.
  7. Navigate to Policies > Windows Settings > Security Settings > Public Key Policies.
  8. Right-click Trusted Root Certification Authorities, and select Import.

    The Certificate Import Wizard appears.

  9. Browse to and select your copy of the FCPCA G2.
  10. Verify that the target Certificate Store presents Trusted Root Certification Authorities, and select Next.
  11. Select Finish to complete the import.

    A success message appears.

  12. Close the Group Policy Management window.
  13. Wait for clients to consume the new policy.
  14. (Optional) To force client consumption, click Start, type cmd, press Enter, and run the following command:
           gpupdate /force
    

Note: The following .gif shows you how to distribute the FCPCA G2 with Microsoft GPO.
A .gif that shows the distribution and verification steps performed with Microsoft Group Policy Object (GPO)

Use third-party configuration management tools

You can use third-party configuration management tools, such as BigFix, to push the certificate file to each managed Windows endpoint and import it there. The import command below writes to the endpoint's local machine Trusted Root store, so it runs on the endpoint with local administrator rights, not on a domain controller.

  1. Using BigFix, schedule a task that pushes the certificate file and then runs the following command (example):
         certutil -f -addstore root "fcpcag2.crt"
    

Use Microsoft Certificate Manager for unmanaged devices

To distribute the FCPCA G2 to unmanaged devices:

  1. Click Start, type certmgr.msc, and press Enter.
  2. Right-click Trusted Root Certification Authorities, and select All Tasks > Import.

    The Certificate Import Wizard appears.

  3. Browse to and select your copy of the FCPCA G2.
  4. Verify that the desired Certificate Store displays Trusted Root Certification Authorities, and select Next.
  5. Select Finish to complete the import.

    A success message appears.

Note: certmgr.msc imports into the current user's store only. If several users share a device, run certlm.msc instead (local administrator rights required) and import into the Local Computer's Trusted Root Certification Authorities store; the local machine store is trusted by every account on the device, so you do not repeat the import per account.



macOS Solutions

Create, distribute, and install an Apple configuration profile

For macOS and iOS government-furnished devices, you can use Apple configuration profiles (XML files) to distribute and automatically install the FCPCA G2.

These steps describe how to create, distribute, and install profiles using Apple's free Configurator 2 application; third-party MDM tools can do the same.

Only System or mobile device management (MDM) administrators should create, distribute, and install Apple configuration profiles.

Create an Apple configuration profile

  1. As an administrator, download and verify a copy of the FCPCA G2 to your device.
  2. Download and install Configurator 2 from the Apple App Store.
  3. Open Configurator 2 and click File > New Profile.
  4. On the General tab, enter a unique profile Name (for example, FCPCA G2 Profile) and Identifier (for example, FCPCAG2-0001).
  5. On the Certificates tab, click Configure.
  6. Browse to and select your verified copy of the FCPCA G2.
  7. (Optional) Add additional agency-specific configurations or customizations.
  8. Click File > Save to save your profile to your preferred location.
  9. Distribute the profile across your enterprise.

Note: The following video shows you how to create an Apple configuration profile.


APPLE CONFIGURATION PROFILE (EXAMPLE)

Before using this profile, you should verify that it is suitable for your agency.

To use this profile, copy the XML information and save it as a .mobileconfig file.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>PayloadCertificateFileName</key>
			<string>fcpcag2.crt</string>
			<key>PayloadContent</key>
			<data>
			MIIF3TCCA8WgAwIBAgIUIeW5oMyVbeJ4ygErqP3Fipiz++owDQYJKoZIhvcNAQEM
			BQAwXDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDENMAsG
			A1UECxMERlBLSTEkMCIGA1UEAxMbRmVkZXJhbCBDb21tb24gUG9saWN5IENBIEcy
			MB4XDTIwMTAxNDEzMzUxMloXDTQwMTAxNDEzMzUxMlowXDELMAkGA1UEBhMCVVMx
			GDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDENMAsGA1UECxMERlBLSTEkMCIGA1UE
			AxMbRmVkZXJhbCBDb21tb24gUG9saWN5IENBIEcyMIICIjANBgkqhkiG9w0BAQEF
			AAOCAg8AMIICCgKCAgEA19fTFzEmIRgQKkFty6+99sRRjCTYBYh7LloRpCZs4rgp
			Bk+/5P4aZYd5v01GYBfOKywGJyFh4xk33/Q4yACoOT1uZOloNq/qhhT0r92UogKf
			77n5JgMhvg/bThVB3lxxahZQMM0YqUhg1rtaKRKsXm0AplhalNT6c3mA3YDSt4+7
			5i105oE3JbsFjDY5DtGMYB9JIhxobtWTSnhL5E5HzO0GVI9UvhWAPVAhxm8oT4wx
			SOIjZ/MywXflfBrDktZu1PNsJkkYJpvFgDmSFuEPzivcOrytoPiPfgXMqY/P7zO4
			opLrh2EV5yA4XYEdoyA2dVD8jmm+Lk7zgRFah/84P2guxNtWpZAtQ9Nsag4w4Emt
			Rq82JLqZQlyrMbvLvhWFecEkyfDzwGkFRIOBn1IbUfKTtN5GWpndl8HCUPbR2i7h
			pV9CFfkXTgsLGTwMNV2xPz2xThrLDu0jrDG+3/k42jB7KH3SQse72yo6MyNF46uu
			mO7vORHlhOTVkWyxotBU327XZfq3BNupUDL6+R4dUG+pQADSstRJ60gePp0IAtQS
			HZYd1iRiXKpTLl0kofB2Y3LgAFNdYmaHrbrid0dlKIs9QioDwjm+wrDLAmuT4bjL
			ZePhc3qt8ubjhZN2Naz+4YP5+nfSPPClLiyM/UT2el7eY4l6OaqXMIRfJxNIHwcC
			AwEAAaOBljCBkzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV
			HQ4EFgQU9CdcqcN8R/T6pqewWZeq3TUmF+MwUQYIKwYBBQUHAQsERTBDMEEGCCsG
			AQUFBzAFhjVodHRwOi8vcmVwby5mcGtpLmdvdi9mY3BjYS9jYUNlcnRzSXNzdWVk
			QnlmY3BjYWcyLnA3YzANBgkqhkiG9w0BAQwFAAOCAgEAAWQ3MAzwzr3O1RSBkg06
			NCj7eIL7/I5fwTBLhpoMhE0XoaoPUie0gqRo3KO2MhuBtacjy55ihIY87hShGoKQ
			cbA1fh7e4Cly5QkOY+KbQsltkKzgod2zmPyC0bEOYD2LO141HyeDWdQ6dDXDz6dr
			8ObntOfMzgdo7vodCMuKU8+ysTdxRxTCi6AVz3uqe5k+ObJYpC0aXHNMy1OnFgL6
			oxMeGMlSecU/QUAIf0ncDurYFSctFwXitTC0CrcLO9/AGHqTFSHzUrIlbrgd/aGO
			+E3o3QoU+ThCPPnu1K2KZLG4pyMqdBm4y7rVGPRikLmFhIv/b6b2CL8yiYL0+mJD
			crTVs0PYfALtQxMpSA8n053gajlPwhG3O5jcL8SzqlaGPmGqpnEi9aWAYHJXTzbj
			zGUAc2u8+Kw8Xv4JffhVWIxVKH4NS5PCtgXwxifgrmPi0/uU1w0crclEsSsya7FI
			BVRTURoSwwda25wIIWPIkQsQK1snJxgEyUzXi10MUDR0WSDqQAdhbOLcmcyhED5h
			phYQnf8sD8FpoUDjoLCPkU/ytfZoplmcBM4SQ4Ejgjyk63vMqBDcCMXTHciFTsV2
			e+aReLvIvU4YmaBQQl3vCFj1qMPIkRsTby1Ff8hRDQG3kH0vefcVtcicsdU8kV2M
			ee/xJ/c0cIHZWMw0HoRZPbo=
			</data>
			<key>PayloadDescription</key>
			<string>Adds a CA root certificate</string>
			<key>PayloadDisplayName</key>
			<string>Federal Common Policy CA G2</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.security.root.1EB75E7D-C3BC-46C2-AF42-51D80A2E12FC</string>
			<key>PayloadType</key>
			<string>com.apple.security.root</string>
			<key>PayloadUUID</key>
			<string>1EB75E7D-C3BC-46C2-AF42-51D80A2E12FC</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
	</array>
	<key>PayloadDisplayName</key>
	<string>Federal Common Policy Certification Authority G2 Profile</string>
	<key>PayloadIdentifier</key>
	<string>FCPCAG2-0001</string>
	<key>PayloadRemovalDisallowed</key>
	<false/>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>AAD17D9A-DA41-4197-9F0F-3C3C6B4512F9</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>

Distribute an Apple configuration profile

Only System or MDM Administrators should use these steps. You should never email an Apple configuration profile to someone outside your agency's domain.

You can use Apple’s Configurator 2 to distribute your Apple configuration profile to government-furnished macOS and iOS devices in the following ways:

Install an Apple configuration profile

We recommend using an automated method to install Apple configuration profiles on government-furnished Apple devices (for example, a desktop configuration management or MDM tool), which will distribute FCPCA G2. (If you have questions about third-party products, email us at fpkirootupdate@gsa.gov.)

You can also manually install a profile.

Note:  The following video shows you how to manually install an Apple configuration profile on macOS.


Install FCPCA G2 Using Command Line

These steps describe how to install the FCPCA G2 in the System Keychain. You must have system administrator privileges to perform these steps.

  1. Click the Spotlight icon and search for Terminal.
  2. Double-click the Terminal icon (black monitor icon with white ">_") to open a window.
  3. Run the following command:

     $ sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" {DOWNLOAD_LOCATION}/fcpcag2.crt
    

Note:  The following video shows you how to install FCPCA G2 using the command line.


Install FCPCA G2 Using Apple Keychain Access

You can use the System Keychain or Login Keychain to install the FCPCA G2. Importing through Keychain Access adds the certificate but does not by itself mark it trusted: after the import, double-click the certificate in Keychain Access, expand Trust, and set "When using this certificate" to Always Trust (you will be asked for your password).

System Keychain

These steps describe how to install FCPCA G2 in the System Keychain. You must have system administrator privileges to perform these steps.

  1. Click the Spotlight icon and search for Keychain Access.
  2. Double-click the Keychain Access icon to open the application.
  3. Click the System keychain from the left-hand navigation.
  4. Click File > Import Items.
  5. Browse to and select your verified copy of FCPCA G2.
  6. When prompted, enter your administrator username and password.
  7. Keychain Access will present the installed certificate.

Note:  The following video shows administrators how to install FCPCA G2 by using the Apple Keychain Access import process.


Login Keychain

These steps describe how to install FCPCA G2 in the Login Keychain. Both system administrators and non-administrators can perform these steps.

  1. Browse to your downloaded, verified copy of FCPCA G2.
  2. Double-click the file.

    Keychain Access opens and displays the installed certificate.

Note:  The following video shows non-administrators how to install FCPCA G2 using the Apple Keychain Access import process.




iOS Solutions

Install FCPCA G2 Using an Apple configuration profile in iOS

You can use Apple configuration profiles to install the FCPCA G2 on both macOS and iOS devices.

Review the Apple configuration profiles guidance for instructions.

Install FCPCA G2 Using Safari Web Browser

You can use the Safari web browser to install the FCPCA G2 on iOS devices only.

These steps describe how to install the FCPCA G2 as a trusted root certificate. Both system administrators and non-administrators can perform these steps.

  1. Launch Safari.
  2. Navigate to the FCPCA G2 root CA certificate: http://repo.fpki.gov/fcpca/fcpcag2.crt.

    System message says: The website is trying to open Settings to show you a configuration profile. Do you want to allow this?

  3. Click Allow.

    The FCPCA G2 configuration profile appears.

  4. Click More Details, and then select the FCPCA G2 certificate entry.
  5. Scroll to Fingerprints and verify the certificate’s SHA-256 hash against the expected value.
  6. At the top left of screen, click Back and Install Profile. Then, click Install (top right).
  7. When prompted, enter your device passcode.
  8. Click Install in the upper right corner, and Install again.
  9. Click Done.
  10. Follow the steps below to enable full trust for FCPCA G2.

Note:  The following video shows you how to install FCPCA G2 using the Safari web browser.


Enable Full Trust for FCPCA G2

This option works for iOS devices only.

These steps describe how to enable “full trust” for certificates that chain to FCPCA G2. Both system administrators and non-administrators can perform these steps.

  1. On the iOS device’s Home screen, select Settings > General > About > Certificate Trust Settings.
  2. Under Enable Full Trust for Root Certificates, toggle ON for the FCPCA G2 root CA certificate entry.
  3. When the certificate appears, click Continue.

    You can now reach intranet websites whose TLS server certificate chains to FCPCA G2 through a Federal Public Key Infrastructure (FPKI) CA.




Linux/Unix Solutions

  1. Launch the command line.

  2. Change to the local CA directory (Debian, Ubuntu and derivatives) with the following command:
         cd /usr/local/share/ca-certificates/
    
  3. Copy your verified copy of FCPCA G2 into the folder and set permissions on the copied file with the following commands:

         sudo cp [PATH/]fcpcag2.crt .
         sudo chmod 644 fcpcag2.crt
    
  4. Update Trusted Certificates with the following command:
         sudo update-ca-certificates
    
Note: update-ca-certificates only imports PEM-encoded files whose names end in .crt; a DER-encoded copy of FCPCA G2 is not imported correctly, so convert it to PEM before step 3. On Red Hat-family distributions (RHEL, CentOS, Fedora) the anchor directory is /etc/pki/ca-trust/source/anchors/ and the update command is update-ca-trust.
    

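Every platform section above ends with the same check (compare the serial number and SHA-1/SHA-256 fingerprint of the file you downloaded with the published values), and the Linux step additionally needs the certificate in PEM form. The following script is an added example written for this page, not code from the FPKI playbook or the GSA repository. It embeds the FCPCA G2 bytes copied from the Apple configuration profile above, walks the DER with a deliberately minimal parser written for this example (it assumes one attribute per relative distinguished name, which holds for this root, and it does not verify the signature), and hard-codes no expected fingerprint: the values it prints are what you compare with the ones your agency received out of band.

```python
# Added example, not FPKI playbook code: extract the fields an administrator checks
# before trusting FCPCA G2, and emit the PEM form Linux trust-store tools require.
# The base64 DER below is copied from the Apple configuration profile on this page.
import base64
import hashlib
from datetime import datetime

FCPCAG2_B64 = """
MIIF3TCCA8WgAwIBAgIUIeW5oMyVbeJ4ygErqP3Fipiz++owDQYJKoZIhvcNAQEM
BQAwXDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDENMAsG
A1UECxMERlBLSTEkMCIGA1UEAxMbRmVkZXJhbCBDb21tb24gUG9saWN5IENBIEcy
MB4XDTIwMTAxNDEzMzUxMloXDTQwMTAxNDEzMzUxMlowXDELMAkGA1UEBhMCVVMx
GDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDENMAsGA1UECxMERlBLSTEkMCIGA1UE
AxMbRmVkZXJhbCBDb21tb24gUG9saWN5IENBIEcyMIICIjANBgkqhkiG9w0BAQEF
AAOCAg8AMIICCgKCAgEA19fTFzEmIRgQKkFty6+99sRRjCTYBYh7LloRpCZs4rgp
Bk+/5P4aZYd5v01GYBfOKywGJyFh4xk33/Q4yACoOT1uZOloNq/qhhT0r92UogKf
77n5JgMhvg/bThVB3lxxahZQMM0YqUhg1rtaKRKsXm0AplhalNT6c3mA3YDSt4+7
5i105oE3JbsFjDY5DtGMYB9JIhxobtWTSnhL5E5HzO0GVI9UvhWAPVAhxm8oT4wx
SOIjZ/MywXflfBrDktZu1PNsJkkYJpvFgDmSFuEPzivcOrytoPiPfgXMqY/P7zO4
opLrh2EV5yA4XYEdoyA2dVD8jmm+Lk7zgRFah/84P2guxNtWpZAtQ9Nsag4w4Emt
Rq82JLqZQlyrMbvLvhWFecEkyfDzwGkFRIOBn1IbUfKTtN5GWpndl8HCUPbR2i7h
pV9CFfkXTgsLGTwMNV2xPz2xThrLDu0jrDG+3/k42jB7KH3SQse72yo6MyNF46uu
mO7vORHlhOTVkWyxotBU327XZfq3BNupUDL6+R4dUG+pQADSstRJ60gePp0IAtQS
HZYd1iRiXKpTLl0kofB2Y3LgAFNdYmaHrbrid0dlKIs9QioDwjm+wrDLAmuT4bjL
ZePhc3qt8ubjhZN2Naz+4YP5+nfSPPClLiyM/UT2el7eY4l6OaqXMIRfJxNIHwcC
AwEAAaOBljCBkzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV
HQ4EFgQU9CdcqcN8R/T6pqewWZeq3TUmF+MwUQYIKwYBBQUHAQsERTBDMEEGCCsG
AQUFBzAFhjVodHRwOi8vcmVwby5mcGtpLmdvdi9mY3BjYS9jYUNlcnRzSXNzdWVk
QnlmY3BjYWcyLnA3YzANBgkqhkiG9w0BAQwFAAOCAgEAAWQ3MAzwzr3O1RSBkg06
NCj7eIL7/I5fwTBLhpoMhE0XoaoPUie0gqRo3KO2MhuBtacjy55ihIY87hShGoKQ
cbA1fh7e4Cly5QkOY+KbQsltkKzgod2zmPyC0bEOYD2LO141HyeDWdQ6dDXDz6dr
8ObntOfMzgdo7vodCMuKU8+ysTdxRxTCi6AVz3uqe5k+ObJYpC0aXHNMy1OnFgL6
oxMeGMlSecU/QUAIf0ncDurYFSctFwXitTC0CrcLO9/AGHqTFSHzUrIlbrgd/aGO
+E3o3QoU+ThCPPnu1K2KZLG4pyMqdBm4y7rVGPRikLmFhIv/b6b2CL8yiYL0+mJD
crTVs0PYfALtQxMpSA8n053gajlPwhG3O5jcL8SzqlaGPmGqpnEi9aWAYHJXTzbj
zGUAc2u8+Kw8Xv4JffhVWIxVKH4NS5PCtgXwxifgrmPi0/uU1w0crclEsSsya7FI
BVRTURoSwwda25wIIWPIkQsQK1snJxgEyUzXi10MUDR0WSDqQAdhbOLcmcyhED5h
phYQnf8sD8FpoUDjoLCPkU/ytfZoplmcBM4SQ4Ejgjyk63vMqBDcCMXTHciFTsV2
e+aReLvIvU4YmaBQQl3vCFj1qMPIkRsTby1Ff8hRDQG3kH0vefcVtcicsdU8kV2M
ee/xJ/c0cIHZWMw0HoRZPbo=
"""
FCPCAG2_DER = base64.b64decode("".join(FCPCAG2_B64.split()))
CN_OID = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)

def _tlv(buf, i):
    """Read one DER tag/length at offset i -> (tag, value_start, value_end)."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, i, i + length

def _cn(buf, s, e):
    """commonName from the X.501 Name in buf[s:e]; assumes one attribute per RDN."""
    while s < e:
        _, rs, rdn_end = _tlv(buf, s)   # RelativeDistinguishedName (SET)
        _, atv, _ = _tlv(buf, rs)       # AttributeTypeAndValue (SEQUENCE)
        _, os_, oe = _tlv(buf, atv)     # attribute type (OID)
        _, vs, ve = _tlv(buf, oe)       # attribute value
        if buf[os_:oe] == CN_OID:
            return buf[vs:ve].decode()
        s = rdn_end

def _time(buf, i):
    tag, vs, ve = _tlv(buf, i)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(buf[vs:ve].decode(), fmt).isoformat(), ve

def parse_root(der):
    """Serial, names and validity to compare with the values published for the root."""
    _, s, _ = _tlv(der, 0)              # Certificate
    _, s, _ = _tlv(der, s)              # tbsCertificate
    tag, _, ve = _tlv(der, s)
    if tag == 0xA0:                     # explicit [0] version, present in v3 certificates
        s = ve
    _, vs, ve = _tlv(der, s)            # serialNumber (certutil shows the same hex bytes)
    serial = der[vs:ve].hex()
    _, _, ve = _tlv(der, ve)            # signature AlgorithmIdentifier (skipped)
    _, vs, ve = _tlv(der, ve)           # issuer
    issuer_cn = _cn(der, vs, ve)
    _, vs, ve = _tlv(der, ve)           # validity
    not_before, nxt = _time(der, vs)
    not_after, _ = _time(der, nxt)
    _, vs, ve = _tlv(der, ve)           # subject
    subject_cn = _cn(der, vs, ve)
    return {"serial": serial, "issuer_cn": issuer_cn, "subject_cn": subject_cn,
            "not_before": not_before, "not_after": not_after}

def fingerprints(der):
    # Thumbprints as certutil, Keychain Access and iOS Certificate Trust Settings show them.
    return {"sha1": hashlib.sha1(der).hexdigest(), "sha256": hashlib.sha256(der).hexdigest()}

def to_pem(der):
    """PEM encoding, which update-ca-certificates (Debian) and update-ca-trust (RHEL) require."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print({**parse_root(FCPCAG2_DER), **fingerprints(FCPCAG2_DER)})  # compare out of band
    print(to_pem(FCPCAG2_DER), end="")
```

Run it with python3 and compare the printed serial number and fingerprints with the published values before the file goes anywhere near a trust store; the PEM block printed last is what you save as a .crt file in /usr/local/share/ca-certificates/ (or under /etc/pki/ca-trust/source/anchors/ on Red Hat-family systems). On any host with OpenSSL installed, `openssl x509 -inform DER -in fcpcag2.crt -out fcpcag2.pem` performs the same DER-to-PEM conversion, and `openssl x509 -in fcpcag2.pem -noout -serial -fingerprint -sha256` prints the same comparison values.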

Next, verify distribution of the FCPCA G2 certificate as an operating system trusted root.