This guide provides a high-level overview of what application trust stores are, a list of commonly used application trust stores, and where to find them.
- What is a Trust Store?
- What are the most commonly used Trust Stores?
- How do I set dynamic path validation for the trust store in Windows operating systems?
- How do I check which Federal PKI certificate policies are trusted by Adobe?
What is a Trust Store?
There are millions of identity certificates issued to people and devices in the world. The certificates constantly change as some certificates are revoked and others are issued - far too many for your computer to maintain an up-to-date list.
Instead, a list of trusted root certificates is maintained. When you are presented with a person or device certificate from a PIV credential, website, email, or some other digital item, your system or application checks whether the presented certificate has a valid certificate path to one of the trusted root certificates in the trust store.
This list of trusted root certificates is contained in what is known as a Trust Store, in either an application or an operating system.
What are the most commonly used Trust Stores?
Operating systems, browsers, and some commercial software use trust stores to verify whether the certificate you are being presented should be trusted.
Here is a table of common trust stores, and whether the Federal Common Policy CA (FCPCA) root certificate is included.
| Trust Store | Includes FCPCA? | Trust Store Manager | Platforms serviced | Program Information Location |
|---|---|---|---|---|
| Microsoft Root Certificate Program | Yes | Microsoft Management Console | Windows OS, Internet Explorer Browser, Outlook | http://aka.ms/RootCert |
| Apple Root Certificate Program | Yes | Keychain Access utility | iOS, WatchOS, OS X, Safari Browser | https://www.apple.com/certificateauthority/ca_program.html |
| Mozilla Network Security Services (NSS) | No (application in progress) | Browser Trust Store | Firefox, Thunderbird, Linux Operating Systems | https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ |
| Adobe Approved Trust List | Yes | Application Trust Store | Adobe Acrobat | https://helpx.adobe.com/acrobat/kb/approved-trust-list2.html |
| Java Root Certificate Program | No (pending application) | Java Applet | Java Distributions | http://www.oracle.com/technetwork/java/javase/javasecarootcertsprogram-1876540.html |
| | No | Google Admin Console | Chrome Browser, Android, and ChromiumOS | https://www.chromium.org/Home/chromium-security/root-ca-policy |
| Opera | No longer operates its own program and relies upon Mozilla. | | | |
Google Chrome uses the underlying trust library of the operating system on Windows or Apple OS X systems. Linux-based systems distribute the Mozilla NSS Library which may be modified by each version of Linux.
How do I set dynamic path validation for the trust store in Windows operating systems?
With dynamic path validation (as opposed to static path validation), the certificate validation software will build the certificate chain based on the Authority Information Access (AIA) entry in the certificate.
Dynamic path validation is a registry setting:
- Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
- Create a new DWORD entry
- Use MaxAIAUrlRetrievalCertCount as the name
- Set the value to 30
- Reboot the system (required for the setting to take effect)
All registry settings for managed Federal Government computers should use group policy objects or the automated configuration management tools available in your agency.
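The same registry change, applied from an elevated PowerShell prompt with a read-back check so the result can be audited. This is an added example, not part of the original guide; on managed agency computers the equivalent change should still be delivered through GPO or your configuration management tool as noted above.

```powershell
# Added example (not from the original guide): sets the dynamic path validation
# value described above and verifies it. Run as Administrator; a reboot is still
# required before the certificate chain engine uses the new value.
$path  = 'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config'
$name  = 'MaxAIAUrlRetrievalCertCount'
$value = 30

# The Config key is not guaranteed to exist; create it if absent.
if (-not (Test-Path -LiteralPath $path)) {
    New-Item -Path $path -Force | Out-Null
}

# Record the current value (if any) so the change can be audited or rolled back.
$existing = Get-ItemProperty -LiteralPath $path -Name $name -ErrorAction SilentlyContinue
if ($null -ne $existing) {
    Write-Host "Existing $name = $($existing.$name)"
} else {
    Write-Host "$name not present; creating it"
}

# Write the DWORD (overwrites an existing value of the same name).
New-ItemProperty -LiteralPath $path -Name $name -PropertyType DWord -Value $value -Force | Out-Null

# Read it back and fail loudly if the write did not land.
$readBack = (Get-ItemProperty -LiteralPath $path -Name $name).$name
if ($readBack -ne $value) {
    throw "Failed to set $name (read back '$readBack', expected $value)"
}
Write-Host "$name = $readBack; reboot required for the setting to take effect."
```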
How do I check which Federal PKI certificate policies are trusted by Adobe?
Federal PKI certificates may be used for digitally signing documents between federal agencies, and with business partners. Adobe is just one option used for digital signatures and a common question is which certificate policies are trusted.
You can view which certificate policies are trusted in Acrobat by following these steps:
- Open Adobe Acrobat.
- Edit > Preferences > Signatures > Identities & Trusted Certificates
- Choose Trusted Certificates from the left-hand sidebar
- Choose Federal Common Policy CA, then the Certificate Details tab
- In the Certificate Viewer window, click the Policies tab to see the Policy Restrictions
- Under Certificate Policies, you will see a comma-separated list of policy Object Identifiers (OIDs).
This is the current list for Federal Common Policy CA:
| Common Policy | Common OID | Certificate Use |
|---|---|---|
| Common Hardware | 2.16.818.104.22.168.22.214.171.124 | PIV and Federal Bridge Medium Hardware Token |
| Federal Bridge Medium Hardware Commercial Best Practice* | 2.16.8126.96.36.199.188.8.131.52 | Federal Bridge Medium Hardware Token (PKI Trusted Roles may not be U.S. Citizens) |
| Common High | 2.16.8184.108.40.206.220.127.116.11 | High Assurance Policy |
| SHA-1 Hardware | 2.16.818.104.22.168.22.214.171.124 | SHA-1 Medium Hardware Tokens through SHA-1 Federal Root CA |