
Apple Removal Solutions

In September 2018, the U.S. Government is removing the Federal Common Policy Certification Authority (CA) root certificate from the Apple certificate stores. This change will affect all federal agency devices using Apple macOS Mojave, iOS 12, or tvOS 12, and may have an impact on the following services:

  • Personal Identity Verification (PIV) credential authentication to government networks
  • Agency web applications implementing client authentication (e.g., PIV authentication)
  • Validation of digital signatures
  • Other applications that leverage the Apple certificate stores

The root certificate is available immediately and will remain unchanged. Please use one of the Solutions to mitigate negative impacts.


Solutions

To limit the impact to your agency, you’ll need to redistribute the COMMON root CA certificate as a trusted root certificate to all government-furnished Apple devices.

To redistribute COMMON, follow these procedures:

  1. Download a Copy of COMMON
  2. Verify Your Copy of COMMON
  3. Redistribute COMMON
    - macOS Solutions
    - iOS Solutions

Download a Copy of COMMON

To download a copy of COMMON, use one of these recommended options:

  1. Download from http://http.fpki.gov/fcpca/fcpca.crt.
  2. Email fpki@gsa.gov to request an out-of-band copy for download.

You should never install a root certificate without verifying it. Follow the steps below to verify the authenticity of your copy of COMMON.

Verify Your Copy of COMMON

These steps work for macOS only.

  1. Click the Spotlight icon and search for terminal.
  2. Double-click the Terminal icon (black monitor icon with white “>_”) to open a window.
  3. Run command:

     $ shasum -a 256 {DOWNLOAD_LOCATION}/fcpca.crt
    

Note:  Replace {DOWNLOAD_LOCATION} with the folder where you saved the file (e.g., /Users/Sam.Jackson/Downloads).

Verify that the certificate hash matches the SHA-256 Thumbprint in the certificate details below:

Federal Common Policy CA (FCPCA/COMMON) Certificate Details

  Name:               Federal Common Policy CA (sometimes shown as U.S. Government Common Policy)
  Download URL:       http://http.fpki.gov/fcpca/fcpca.crt
  Distinguished Name: cn=Federal Common Policy CA, ou=FPKI, o=U.S. Government, c=US
  SHA-1 Thumbprint:   90 5f 94 2f d9 f2 8f 67 9b 37 81 80 fd 4f 84 63 47 f6 45 c1
  SHA-256 Thumbprint: 89 4e bc 0b 23 da 2a 50 c0 18 6b 7f 8f 25 ef 1f 6b 29 35 af 32 a9 45 84 ef 80 aa f8 77 a3 a0 6e

Note:  This video shows you how to download and verify a copy of COMMON.


macOS Solutions

Install COMMON on your agency’s government-furnished macOS devices using one of these options:

  - Create, Distribute, and Install an Apple Configuration Profile
  - Install COMMON Using Command Line
  - Install COMMON Using Apple Keychain Access

Create, Distribute, and Install an Apple Configuration Profile

This option works for both macOS and iOS devices.

You can use Apple Configuration Profiles (XML files) to redistribute and automatically install COMMON on your agency’s government-furnished Apple devices. These steps will help you to create, distribute, and install Configuration Profiles using Apple’s free Configurator 2 application. Numerous third-party applications can also be used to create, distribute, and automatically install Configuration Profiles to managed Apple devices.

System or mobile device management (MDM) administrators should create, distribute, and install Configuration Profiles.

Create an Apple Configuration Profile

  1. As an administrator, you’ll need to first download a copy of COMMON to your device and verify it.
  2. Then, download and install Configurator 2 from the Apple App Store.
  3. Open Configurator 2 and click File -> New Profile.
  4. Under the General tab, enter a unique profile Name (“Federal Common Policy Certification Authority Profile” was used for this example) and Identifier (“FCPCA-0001” was used for this example).
  5. Under the Certificates tab, click Configure; then browse to and select your verified copy of COMMON.
  6. (Optional) Add additional agency-specific configurations or customizations.
  7. Click File -> Save to save your profile to a preferred file location.
  8. Follow the steps to distribute the profile across your enterprise.

Note:  This video shows you how to create an Apple Configuration Profile.
Also see the Example Apple Configuration Profile shown below the video.
This profile can be reused.


EXAMPLE APPLE CONFIGURATION PROFILE

This example Apple Configuration Profile can be used to redistribute and automatically install COMMON as a trusted root CA for both macOS and iOS government-furnished devices. To use this profile, copy the XML information and save it as a .mobileconfig file.

Before using this profile, you should verify its suitability for your agency.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>PayloadCertificateFileName</key>
			<string>fcpca.crt</string>
			<key>PayloadContent</key>
			<data>
			MIIEYDCCA0igAwIBAgICATAwDQYJKoZIhvcNAQELBQAwWTELMAkG
			A1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDENMAsG
			A1UECxMERlBLSTEhMB8GA1UEAxMYRmVkZXJhbCBDb21tb24gUG9s
			aWN5IENBMB4XDTEwMTIwMTE2NDUyN1oXDTMwMTIwMTE2NDUyN1ow
			WTELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVu
			dDENMAsGA1UECxMERlBLSTEhMB8GA1UEAxMYRmVkZXJhbCBDb21t
			b24gUG9saWN5IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
			CgKCAQEA2HX7NRY0WkG/Wq9cMAQUHK14RLXqJup1YcfNNnn4fNi9
			KVFmWSHjeavUeL6wLbCh1bI1FiPQzB6+Duir3MPJ1hLXp3JoGDG4
			FyKyPn66CG3G/dFYLGmgA/Aqo/Y/ISU937cyxY4nsyOl4FKzXZbp
			sLjFxZ+7xaBugkC7xScFNknWJidpDDSPzyd6KgqjQV+NHQOGgxXg
			VcHFmCye7Bpy3EjBPvmE0oSCwRvDdDa3ucc2Mnr4MrbQNq4iGDGM
			UHMhnv6DOzCIJOPpwX7e7ZjHH5IQip9bYi+dpLzVhW86/clTpyBL
			qtsgqyFOHQ1O5piF5asRR12dP8QjwOMUBm7+nQIDAQABo4IBMDCC
			ASwwDwYDVR0TAQH/BAUwAwEB/zCB6QYIKwYBBQUHAQsEgdwwgdkw
			PwYIKwYBBQUHMAWGM2h0dHA6Ly9odHRwLmZwa2kuZ292L2ZjcGNh
			L2NhQ2VydHNJc3N1ZWRCeWZjcGNhLnA3YzCBlQYIKwYBBQUHMAWG
			gYhsZGFwOi8vbGRhcC5mcGtpLmdvdi9jbj1GZWRlcmFsJTIwQ29t
			bW9uJTIwUG9saWN5JTIwQ0Esb3U9RlBLSSxvPVUuUy4lMjBHb3Zl
			cm5tZW50LGM9VVM/Y0FDZXJ0aWZpY2F0ZTtiaW5hcnksY3Jvc3ND
			ZXJ0aWZpY2F0ZVBhaXI7YmluYXJ5MA4GA1UdDwEB/wQEAwIBBjAd
			BgNVHQ4EFgQUrQx6dVzl85jEeZgOrCj9l/TnAvwwDQYJKoZIhvcN
			AQELBQADggEBAI9z2uF/gLGH9uwsz9GEYx728Yi3mvIRte9UrYpu
			GDco71wb5O9Qt2wmGCMiTR0mRyDpCZzicGJxqxHPkYnos/UqoEfA
			FMtOQsHdDA4b8Idb7OV316rgVNdF9IU+7LQd3nyKf1tNnJaK0KIy
			n9psMQz4pO9+c+iR3Ah6cFqgr2KBWfgAdKLI3VTKQVZHvenAT+0g
			3eOlCd+uKML80cgX2BLHb94u6b2akfI8WpQukSKAiaGMWMyDeiYZ
			dQKlDn0KJnNR6obLB6jI/WNaNZvSr79PMUjBhHDbNXuaGQ/lj/Rq
			DG8z2esccKIN47lQA2EC/0rskqTcLe4qNJMHtyznGI8=
			</data>
			<key>PayloadDescription</key>
			<string>Adds a CA root certificate</string>
			<key>PayloadDisplayName</key>
			<string>Federal Common Policy CA</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.security.root.1EB75E7D-C3BC-46C2-AF42-51D80A2E12FC</string>
			<key>PayloadType</key>
			<string>com.apple.security.root</string>
			<key>PayloadUUID</key>
			<string>1EB75E7D-C3BC-46C2-AF42-51D80A2E12FC</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
	</array>
	<key>PayloadDisplayName</key>
	<string>Federal Common Policy Certification Authority Profile</string>
	<key>PayloadIdentifier</key>
	<string>FCPCA-0001</string>
	<key>PayloadRemovalDisallowed</key>
	<false/>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>AAD17D9A-DA41-4197-9F0F-3C3C6B4512F9</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>
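
The following Python script is an added example, not part of this guide: it applies the same SHA-256 check described under Verify Your Copy of COMMON to a downloaded fcpca.crt and, using only the standard library, to the certificate embedded in a .mobileconfig profile like the one above, so an administrator can confirm that a profile carries exactly the expected COMMON root before distributing it. Function names and build_profile's layout are assumptions; the thumbprint is the one published in the certificate details above.

```python
import hashlib
import plistlib
import re

# SHA-256 thumbprint of COMMON exactly as published in the certificate details above.
COMMON_SHA256 = ("89 4e bc 0b 23 da 2a 50 c0 18 6b 7f 8f 25 ef 1f "
                 "6b 29 35 af 32 a9 45 84 ef 80 aa f8 77 a3 a0 6e")
ROOT_PAYLOAD_TYPE = "com.apple.security.root"

def normalize_thumbprint(text):
    # Drop spaces, colons and case so the published thumbprint, `shasum -a 256`
    # output and Keychain Access fingerprints all compare as one string.
    return re.sub(r"[^0-9a-f]", "", text.lower())

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def cert_file_matches(path, expected=COMMON_SHA256):
    # Same check as `shasum -a 256 fcpca.crt` against the published thumbprint.
    with open(path, "rb") as f:
        return sha256_hex(f.read()) == normalize_thumbprint(expected)

def root_payload_hashes(profile_bytes):
    # PayloadDisplayName -> SHA-256 of the embedded DER certificate for every
    # com.apple.security.root payload in a .mobileconfig (plistlib decodes <data>).
    plist = plistlib.loads(profile_bytes)
    hashes = {}
    for payload in plist.get("PayloadContent", []):
        if payload.get("PayloadType") == ROOT_PAYLOAD_TYPE:
            name = payload.get("PayloadDisplayName", payload.get("PayloadUUID", "?"))
            hashes[name] = sha256_hex(payload["PayloadContent"])
    return hashes

def profile_installs_only(profile_bytes, expected=COMMON_SHA256):
    # True only when the profile carries exactly one root payload and it is the
    # expected certificate: every root a profile carries becomes trusted on the
    # device, so an extra or substituted root is a reason not to distribute it.
    found = list(root_payload_hashes(profile_bytes).values())
    return found == [normalize_thumbprint(expected)]

def build_profile(certs, identifier="FCPCA-0001"):
    # Minimal .mobileconfig with the same layout as the example profile above,
    # built from {display_name: der_bytes}; used here to construct test input.
    payloads = [{"PayloadType": ROOT_PAYLOAD_TYPE, "PayloadDisplayName": name,
                 "PayloadIdentifier": "%s.%d" % (ROOT_PAYLOAD_TYPE, n),
                 "PayloadUUID": "00000000-0000-0000-0000-%012d" % n,
                 "PayloadVersion": 1, "PayloadContent": der}
                for n, (name, der) in enumerate(certs.items(), start=1)]
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadIdentifier": identifier, "PayloadVersion": 1,
                           "PayloadUUID": "00000000-0000-0000-0000-000000000000",
                           "PayloadContent": payloads})
```

To check a saved profile, pass the bytes of the .mobileconfig file to profile_installs_only(); it returns False for a profile that carries any root other than COMMON.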

Distribute an Apple Configuration Profile

These options work for both macOS and iOS devices.

System or MDM administrators should use these steps. You should never email an Apple Configuration Profile to someone outside your agency domain.

  1. Use Apple’s Configurator 2 to distribute your Apple Configuration Profile to government-furnished devices connected via USB.
  2. Email a profile to select agency users.*
  3. Share a profile on an agency intranet webpage.*
  4. Share via over-the-air profile delivery and configuration.
  5. Share over-the-air using a Mobile Device Management server. (Third-party applications are available to assist with this process.)

    *Note: For iOS only — If you download and install COMMON from an email or an intranet website, you’ll need to manually enable SSL trust for COMMON. This step is not needed when you use Configurator 2, over-the-air (OTA) methods, or an MDM enrollment profile to install COMMON. (See Enable Full Trust for COMMON.)

Install an Apple Configuration Profile

We recommend using an automated method, such as a desktop configuration management or MDM tool, to install Apple Configuration Profiles on your agency’s managed Apple devices. However, you can also manually install a profile. (If you have questions about third-party products, email us at fpki@gsa.gov.)

Note:  This video shows you how to manually install an Apple Configuration Profile on macOS.


Install COMMON Using Command Line

These steps will install COMMON in the System Keychain. System administrators should use these steps. Non-administrators will encounter permission errors.

  1. Click the Spotlight icon and search for terminal.
  2. Double-click the Terminal icon (black monitor icon with white “>_”) to open a window.
  3. Run the following command:

     $ sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" {DOWNLOAD_LOCATION}/fcpca.crt
    

Note:  This video shows you how to install COMMON using the command line.


Install COMMON Using Apple Keychain Access

System Keychain

These steps will install COMMON in the System Keychain. System administrators should use these steps. Non-administrators will encounter permission errors.

  1. Click the Spotlight icon and search for Keychain Access.
  2. Double-click the Keychain Access icon to open the application.
  3. Click the System keychain from the left-hand navigation.
  4. Click File -> Import Items
  5. Browse to and select your verified copy of COMMON.
  6. When prompted, enter your administrator username and password.
  7. Keychain Access will present the installed certificate.

Note:  This video shows system administrators how to install COMMON by using the Apple Keychain Access import process.


Login Keychain

These steps will install COMMON in the login Keychain. Both system administrators and non-administrators can use these steps.

  1. Browse to your downloaded, verified copy of COMMON.
  2. Double-click on the file.
  3. Keychain Access will open and present the installed certificate.

Note:  This video shows non-administrators how to install COMMON by using the Apple Keychain Access import process.


iOS Solutions

Install COMMON on your agency’s government-furnished Apple iOS devices by using one of these options:

  - Install COMMON Using an Apple Configuration Profile in iOS
  - Install Using Safari Web Browser

Enable full trust for COMMON on Apple iOS devices by using this option:

  - Enable Full Trust for COMMON

Install COMMON Using an Apple Configuration Profile in iOS

Apple Configuration Profiles can be used to install COMMON on both macOS and iOS devices.

Please review the guidance above on Apple Configuration Profiles.

Install Using Safari Web Browser

This option works for iOS devices only.

These steps will install COMMON as a trusted root certificate. System administrators or non-administrators can use these steps.

  1. Launch Safari.
  2. Navigate to the COMMON root CA certificate: http://http.fpki.gov/fcpca/fcpca.crt.

    System message says: The website is trying to open Settings to show you a configuration profile. Do you want to allow this?

  3. Click Allow.

    The COMMON Configuration Profile appears.

  4. Click More Details and then the COMMON certificate entry.
  5. Scroll down to Fingerprints and verify the certificate’s SHA-256 hash.
  6. At the top left of screen, click Back and Install Profile. Then, click Install (top right).
  7. When prompted, enter your device passcode.
  8. Click Install (top right), and Install again.
  9. Click Done.
  10. Follow the steps below to enable full trust for COMMON.

Note:  This video shows you how to install COMMON using the Safari web browser.


Enable Full Trust for COMMON

This option works for iOS devices only.

These steps will enable “full trust” for certificates that chain to COMMON. Both system administrators and non-administrators can use these steps.

  1. From the iOS device’s Home screen, go to Settings -> General -> About -> Certificate Trust Settings.
  2. Beneath Enable Full Trust for Root Certificates, toggle ON for the COMMON root CA certificate entry.
  3. When the certificate appears, click Continue.
  4. You can now successfully navigate to any intranet website whose SSL certificate was issued by a Federal Public Key Infrastructure (FPKI) CA.


Frequently Asked Questions


Where can I get the DHS Federal Network Resilience (FNR) Webinar slides?

The FNR Webinar slides (.pdf) can be found here.

If I redistribute COMMON today, it won’t get erased when I update to the next major release of my Apple device’s operating system, right?

Correct. We have verified this on both macOS and iOS.

I’m still not sure I get it. Can you explain this change to me in a different way?

  • Current State: Apple distributes COMMON from its certificate stores to all Apple devices. This means that Apple trusts COMMON as a known root certification authority. Because Apple trusts COMMON, it trusts all Federal PKI CA-issued certificates because they validate to COMMON.
  • Future State: When COMMON is removed from Apple’s certificate stores, Apple devices will not trust COMMON or any Federal PKI CA-issued certificates. If an agency has not redistributed COMMON by this time, users could experience authentication errors and other issues. We can prevent errors and issues by redistributing COMMON.

What happens if I don’t redistribute COMMON?

1. (High Impact) Authentication failures

  • Workstations
  • Websites
  • Applications (internal and cross-agency)
  • Virtual Private Networks (VPNs)

2. (Medium Impact) Error fatigue

  • Removal of COMMON could result in unexpected application errors and system behavior for legacy and Government Off-the-Shelf (GOTS) products

3. (Low Impact) Digital-signature validation failures

  • Email
  • Documents and files (e.g., Microsoft Word)

What kinds of errors or messages would I see (macOS)?

Sample Safari error when a user navigates to an intranet site whose SSL/TLS certificate doesn’t chain to a trusted root CA:

[Screenshot: safari_untrusted_ssl]

Sample Safari error where client (PIV) authentication fails due to a user’s certificate not chaining to a trusted root CA:

[Screenshot: safari_untrusted_auth]

Sample Chrome error when a user navigates to an intranet site whose SSL/TLS certificate doesn’t chain to a trusted root CA:

[Screenshot: chrome_untrusted_ssl]

Sample Chrome error where client (PIV) authentication fails due to a user’s certificate not chaining to a trusted root CA:

[Screenshot: chrome_untrusted_auth]

What kinds of errors or messages would I see (iOS)?

Sample Safari error when a user navigates to an intranet site whose SSL/TLS certificate doesn’t chain to a trusted root CA:

[Screenshot: ios_safari_untrusted_ssl]

Sample Chrome error when a user navigates to an intranet site whose SSL/TLS certificate doesn’t chain to a trusted root CA:

[Screenshot: ios_chrome_untrusted_ssl]

Which Apple product operating systems will be affected?

  macOS: Mojave (10.14)
  iOS:   iOS 12
  tvOS:  tvOS 12

If you use other Apple operating system versions (e.g., tvOS, watchOS) in your environment, please let us know (fpki@gsa.gov)!

When will this change occur?

The Federal community’s target date for mitigation actions was August 31, 2018. Apple operating system release dates below:

  macOS: Release 9/24/2018
  iOS:   Release 9/17/2018
  tvOS:  Release 9/17/2018

Is COMMON changing?

No. COMMON will not change. The only change will be in how COMMON is distributed to workstations and devices.

How can I verify that COMMON has been redistributed to my system (macOS)?

  1. Click the Spotlight icon and search for Keychain Access.
  2. Double-click the Keychain Access icon.
  3. Ensure an entry for COMMON exists in either the login or System Keychain Certificates repository.

[Screenshot: verify_common_macOS]

How can I verify that COMMON has been redistributed to my system (iOS)?

  1. Navigate to…
    • Settings
    • About
    • Certificate Trust Settings
  2. Then, verify that the Federal Common Policy CA is listed with “full trust.”

[Screenshot: verify_common_iOS]

Can multiple copies of COMMON coexist in my workstation’s or device’s certificate store?

Yes! But don’t worry - an enterprise-distributed copy of COMMON won’t conflict with Apple’s distributed copy.

My agency gets PIV cards from [Issuer Name]. I won’t be affected by this change, right?

Incorrect. Your PIV credential issuer has no impact on whether your agency is affected by this change. The impact is related to how COMMON is distributed to federal enterprise devices by agency-specific configuration management practices. It is not related to how credentials are generated or issued. (See “What happens if I don’t redistribute COMMON?”)

Will my PIV credentials break or need to be updated or replaced when this change occurs?

No. PIV credentials will not break, need to be updated, or replaced. Our credentials will not be changing or affected by this update.

Do I need to redistribute COMMON to my “Bring Your Own Device” (BYOD) program device?

As a BYOD program device user, if you perform one of these activities, you’ll need to redistribute COMMON:

  • PIV credential login (to intranet sites or VPNs)
  • Validating PIV digital signatures (emails or documents)
  • Navigating to intranet pages whose SSL/TLS certificates chain to COMMON

How can I test the impact of the Federal Common Policy CA’s removal?

If interested in learning more about Apple’s public Beta test program, please contact us at fpki@gsa.gov.