
7. Migrate to the Federal Common Policy CA G2

We're calling for all solutions! If you'd like to share your agency's playbook on how to distrust a CA certificate, create an issue on GitHub or email us at fpki@gsa.gov.

For the purpose of these steps, we refer to the existing Federal Common Policy CA (FCPCA) as FCPCA G1.

To migrate from the existing FCPCA G1 to the FCPCA G2 as your agency’s federal trust anchor, you’ll need to:

  1. disable enterprise distribution of the FCPCA G1 as a trusted root CA certificate, and
  2. distrust the FCPCA G1.

Heads up! Test the following steps in a controlled environment before you deploy them across your enterprise. If you do not successfully distribute the FCPCA G2 certificate before you begin these steps, you may cause a denial-of-service, impacting smartcard logon for your applications and systems.

FCPCA G1 certificate details

Name: Federal Common Policy CA (sometimes shown as U.S. Government Common Policy)
Download URL: http://http.fpki.gov/fcpca/fcpca.crt
Distinguished Name: cn=Federal Common Policy CA, ou=FPKI, o=U.S. Government, c=US
Serial Number: 0130
SHA-1 Thumbprint: 90 5f 94 2f d9 f2 8f 67 9b 37 81 80 fd 4f 84 63 47 f6 45 c1
SHA-256 Thumbprint: 89 4e bc 0b 23 da 2a 50 c0 18 6b 7f 8f 25 ef 1f 6b 29 35 af 32 a9 45 84 ef 80 aa f8 77 a3 a0 6e

Disable distribution of the FCPCA G1

Review the distribution mechanisms your agency may have used to push the FCPCA certificate across your enterprise, and disable every existing mechanism. Sample procedures to disable the distribution of the FCPCA G1 are listed below for Microsoft Certutil, a Microsoft GPO, and an Apple configuration profile.


If the FCPCA was distributed using Microsoft Certutil

You must have enterprise administrator privileges for the domain to perform these steps. You must run these commands from an agency domain controller.

  1. Navigate to Server Manager.
  2. Select Tools.
  3. In the drop-down list, select ADSI Edit.
  4. In the top navigation, select Action > Connect to...
  5. In the Select a well known Naming Context drop-down list, select Configuration, and click OK.
  6. Browse to the CN=AIA directory (within “CN=Public Key Services, CN=Services”), right-click the entry for the FCPCA, and select Delete.
  7. Browse to the CN=Certification Authorities directory (within “CN=Public Key Services, CN=Services”), right-click the entry for the FCPCA and select Delete.


If the FCPCA was distributed using a Microsoft GPO

You must have enterprise administrator privileges for the domain to perform these steps. You must run these commands from an agency domain controller.

  1. Navigate to Server Manager.
  2. Select Tools.
  3. Select Group Policy Management from the drop-down list.
  4. Expand the Group Policy Objects directory.
  5. Right-click the GPO distributing the FCPCA and select Delete.


If the FCPCA was distributed using an Apple configuration profile

  1. Identify how the profile is being distributed across the enterprise (e.g., over-the-air profile delivery or from an MDM server).
  2. Use local knowledge to disable the distribution. If you are having trouble with a specific product, email us at fpkirootupdate@gsa.gov.


Distrust the FCPCA G1

Use one of the methods below to distrust the FCPCA G1.

Use Microsoft Group Policy Object

You must have enterprise administrator privileges for the domain to perform these steps. You must run these commands from an agency domain controller.

  1. Navigate to Server Manager.
  2. Select Tools.
  3. Select Group Policy Management from the drop-down list.
  4. Right-click your desired domain(s), and select Create a GPO in this domain, and Link it here.
  5. Enter a GPO Name and click OK.
  6. Right-click the newly created Group Policy Object (GPO) and click Edit.
  7. Navigate to Policies > Windows Settings > Security Settings > Public Key Policies.
  8. Right-click Untrusted Certificates, and select Import. The Certificate Import Wizard will open.
  9. Browse to and select your copy of FCPCA G1.
  10. Verify that the target Certificate Store presents Untrusted Certificates, and select Next.
  11. Select Finish to complete the import.

    A success message appears.

  12. Close the Group Policy Management window.
  13. Wait for clients to consume the new policy.
  14. (Optional) To force client consumption, click Start, type cmd, press Enter, and run the following command:
           gpupdate /force
    

Note: The accompanying .gif shows how to distrust the FCPCA G1 on Microsoft Server 2016.
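As an added verification check (not part of this playbook), the following PowerShell script reports whether the FCPCA G1 is still published in the two AD containers that Certutil writes to (covering the "disable distribution" steps above) and whether the GPO distrust has taken effect on the local machine, i.e. the G1 is gone from the Root and CA stores and present in the Untrusted Certificates (Disallowed) store. It assumes PowerShell 5.1 or later and the ActiveDirectory module (RSAT), run as an account that can read the Configuration partition; the thumbprint is the SHA-1 value from the certificate details above.

```powershell
# Added verification script, not part of the GSA playbook. Read-only: it changes nothing.
# Assumes PowerShell 5.1+ and the ActiveDirectory module (RSAT) on the machine it runs on.

# SHA-1 thumbprint of the FCPCA G1, from the certificate details on this page.
$G1Thumbprint = '905F942FD9F28F679B378180FD4F846347F645C1'

# Thumbprint of a DER-encoded certificate blob (the form stored in the cACertificate attribute).
function Get-DerThumbprint([byte[]] $Der) {
    return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Der).Thumbprint
}

# Check the two AD containers that "certutil -dspublish" populates. If the
# disable-distribution steps worked, neither container still holds the G1.
function Find-G1InActiveDirectory {
    Import-Module ActiveDirectory -ErrorAction Stop
    $config = (Get-ADRootDSE).configurationNamingContext
    $hits = @()
    foreach ($container in 'CN=AIA', 'CN=Certification Authorities') {
        $base = "$container,CN=Public Key Services,CN=Services,$config"
        $objects = Get-ADObject -SearchBase $base -SearchScope OneLevel `
            -Filter 'objectClass -eq "certificationAuthority"' -Properties cACertificate
        foreach ($obj in $objects) {
            foreach ($der in $obj.cACertificate) {
                if ((Get-DerThumbprint $der) -eq $G1Thumbprint) { $hits += $obj.DistinguishedName }
            }
        }
    }
    return $hits
}

# Check the local stores. After the GPO applies, the G1 should be absent from
# Root and CA and present in Disallowed (the "Untrusted Certificates" store).
function Get-G1StoreState {
    $state = [ordered]@{}
    foreach ($location in 'LocalMachine', 'CurrentUser') {
        foreach ($store in 'Root', 'CA', 'Disallowed') {
            $path = "Cert:\$location\$store"
            $match = Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
                Where-Object { $_.Thumbprint -eq $G1Thumbprint }
            $state[$path] = [bool] $match
        }
    }
    return $state
}

$adHits = Find-G1InActiveDirectory
if ($adHits) { Write-Warning "FCPCA G1 still published in AD: $($adHits -join '; ')" }
else         { Write-Output 'FCPCA G1 is not published in the AD PKI containers.' }
$stores = Get-G1StoreState
foreach ($entry in $stores.GetEnumerator()) { '{0,-30} G1 present: {1}' -f $entry.Key, $entry.Value }
if ($stores['Cert:\LocalMachine\Root'] -or -not $stores['Cert:\LocalMachine\Disallowed']) {
    Write-Warning 'Distrust not yet effective here: G1 is still trusted or not in Disallowed.'
}
```

Run it on a domain-joined workstation after the GPO refresh (or after gpupdate /force) and again after the AD cleanup; both warnings should be absent before you remove the G1 from any remaining distribution mechanism.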


Use macOS Terminal

Only system administrators should follow these steps to remove the FCPCA G1 certificate from the System and Login Keychains.

Note: Many Mobile Device Management (MDM) platforms allow administrators to push the command below across an enterprise, rather than running it on individual workstations. Use automation wherever possible.

  1. Click the Spotlight icon and search for Terminal.
  2. Double-click the Terminal icon (black monitor icon with white “>_”) to open a window.
  3. Run the following command:

     $ sudo security delete-certificate -c "Federal Common Policy CA" /Library/Keychains/System.keychain && sudo security delete-certificate -c "Federal Common Policy CA" login.keychain
    

Note: The accompanying video shows how to remove the FCPCA G1 certificate using the command line.


Finally, verify migration to the FCPCA G2.