
Microsoft Removal Solutions

In FY 2019, the U.S. Government is removing the Federal Common Policy Certification Authority (CA) root certificate from the Microsoft certificate store (also called a trust store). This change will affect all federal agencies and may have an impact on the following services:

  • Personal Identity Verification (PIV) credential authentication to the government networks
  • Agency web applications implementing client authentication (e.g., PIV authentication)
  • Authentication to Office 365
  • Validation of digital signatures
  • Other applications leveraging the Microsoft certificate store

To mitigate any impact this change may have on agency networks and applications, you will need to manually retrieve the FCPCA (i.e., COMMON) root certificate (sometimes also called the U.S. Government root CA certificate), import this certificate into agency enterprise certificate stores, and ensure that this change is propagated throughout the networks.

The root certificate is available immediately and will remain unchanged. Please follow one of the options under Solutions to mitigate negative impacts.

All agencies are encouraged to complete this action as soon as possible.


Solutions

To limit the impact to your agency, you will need to redistribute the Federal Common Policy CA (FCPCA) (i.e., COMMON) root certificate as a trusted root certificate to all government-furnished Windows workstations and devices.

To redistribute COMMON, use these procedures:

  1. Download a Copy of COMMON
  2. Verify Your Copy of COMMON
  3. Redistribute COMMON

Download a Copy of COMMON

To download a copy of COMMON, use one of these recommended options:

  1. Download from http://http.fpki.gov/fcpca/fcpca.crt.
  2. Email fpki@gsa.gov to request an out-of-band copy for download.

You should never install a root certificate without verifying it. Use the procedures below to verify the authenticity of your copy of COMMON.

Verify Your Copy of COMMON

To verify your copy of COMMON, use one of these options:

  1. Use Microsoft command line via Certutil
  2. Use Microsoft command line via OpenSSL
  3. Use Microsoft PowerShell

Your certificate details and hash must match the expected values shown below.

Federal Common Policy CA (FCPCA/COMMON) Certificate Details

  Certificate Name:    Federal Common Policy CA (sometimes shown as U.S. Government Common Policy)
  Download Location:   http://http.fpki.gov/fcpca/fcpca.crt
  Distinguished Name:  cn=Federal Common Policy CA, ou=FPKI, o=U.S. Government, c=US
  Serial Number:       0130
  SHA-1 Thumbprint:    90 5f 94 2f d9 f2 8f 67 9b 37 81 80 fd 4f 84 63 47 f6 45 c1
  SHA-256 Thumbprint:  89 4e bc 0b 23 da 2a 50 c0 18 6b 7f 8f 25 ef 1f 6b 29 35 af 32 a9 45 84 ef 80 aa f8 77 a3 a0 6e

Note: For the following procedures, replace [PATH\] with the path to your copy of COMMON.

Use Microsoft command line via Certutil

  1. Click Start, type cmd, and press Enter.
  2. Run command:

        certutil -hashfile [PATH\]fcpca.crt SHA256
    

Use Microsoft command line via OpenSSL

  1. Click Start, type cmd, and press Enter.
  2. Run command:

         openssl sha256 [PATH\]fcpca.crt
    

Use Microsoft PowerShell

  1. Click Start, type cmd, and press Enter.
  2. Run command:

         Get-FileHash [PATH\]fcpca.crt | Format-List
    

Sample steps run on Microsoft Server 2012: Sample Steps
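The three procedures above compare only a file hash. The script below is an added example (not part of the GSA playbook) that loads the downloaded file as a certificate and checks every value in the details table: subject DN, serial number, SHA-1 and SHA-256 thumbprints, self-signature and validity period. It must be run in a PowerShell session; the download path C:\Temp\fcpca.crt is an assumption.

```powershell
# Added example, not part of the GSA playbook: checks a downloaded copy of COMMON
# against every value in the certificate details table, not only the file hash.
# Run in a PowerShell session. The download path used at the bottom is an assumption.

function Test-CommonRootCertificate {
    param([Parameter(Mandatory = $true)][string]$Path)

    # Expected values, copied from the certificate details table on this page.
    $expectedSubject = 'CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US'
    $expectedSerial  = '0130'
    $expectedSha1    = '905F942FD9F28F679B378180FD4F846347F645C1'
    $expectedSha256  = '894EBC0B23DA2A50C0186B7F8F25EF1F6B2935AF32A94584EF80AAF877A3A06E'

    try {
        # Parse the file as an X.509 certificate (DER and PEM both load).
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    } catch {
        Write-Host "FAIL  '$Path' is not a readable certificate: $($_.Exception.Message)"
        return $false
    }

    # Thumbprints are hashes of the certificate's DER bytes (RawData). For the DER
    # file fcpca.crt this equals the file hash that certutil -hashfile / Get-FileHash
    # report; for a PEM-encoded copy the file hash would differ even though the
    # certificate is correct, so hash RawData rather than the file.
    $sha256Bytes  = [System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData)
    $actualSha256 = ($sha256Bytes | ForEach-Object { $_.ToString('X2') }) -join ''

    # Compare DNs without whitespace and case: the table above prints attribute
    # types in lowercase, .NET prints them in uppercase.
    $norm = { param($s) ($s -replace '\s', '').ToUpperInvariant() }

    $checks = [ordered]@{
        'Subject DN matches'                  = (& $norm $cert.Subject) -eq (& $norm $expectedSubject)
        'Serial number matches'               = $cert.SerialNumber -eq $expectedSerial
        'SHA-1 thumbprint matches'            = $cert.Thumbprint -eq $expectedSha1
        'SHA-256 thumbprint matches'          = $actualSha256 -eq $expectedSha256
        'Self-signed (issuer equals subject)' = $cert.Subject -eq $cert.Issuer
        'Currently within validity period'    = ((Get-Date) -ge $cert.NotBefore) -and ((Get-Date) -le $cert.NotAfter)
    }

    foreach ($name in $checks.Keys) {
        $status = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
        Write-Host ('{0}  {1}' -f $status, $name)
    }

    # Informational: the file hash that the certutil / Get-FileHash steps above report.
    Write-Host ('INFO  File SHA-256: {0}' -f (Get-FileHash -Path $Path -Algorithm SHA256).Hash)

    # Only a copy that passes every check should be redistributed.
    return -not ($checks.Values -contains $false)
}

# Usage (download location is an assumption):
if (Test-CommonRootCertificate -Path 'C:\Temp\fcpca.crt') {
    Write-Host 'COMMON verified; proceed to redistribution.'
} else {
    Write-Host 'Verification failed; do not install this file. Re-download it or request an out-of-band copy from fpki@gsa.gov.'
}
```

The function returns a single boolean, so it can gate a deployment script; the per-check lines go to the console via Write-Host rather than the pipeline to keep that return value clean.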

Redistribute COMMON

To redistribute COMMON, use one of these options:

  1. Use Microsoft Certutil
  2. Use Microsoft Group Policy Object (GPO)
  3. Use third-party configuration management tools
  4. Use Microsoft Certificate Manager for unmanaged devices

Use Microsoft Certutil

You must have Enterprise Administrator privileges for the Domain to use these procedures. The commands must be run from an agency Domain Controller.

  1. Click Start, type cmd, and press Enter.
  2. Run command:

         certutil -dspublish -f [PATH\]fcpca.crt RootCA
    
  3. To verify that COMMON was distributed, run commands:

         gpupdate /force
         certutil -viewstore -enterprise
    
  4. Confirm that COMMON is contained in the output details.
  5. Verify the certificate details against the expected values shown above (e.g., serial number, hash, etc.).

Sample steps run on Microsoft Server 2012: Sample Steps

Use Microsoft Group Policy Object (GPO)

You must have Enterprise Administrator privileges for the Domain to use these procedures. The commands must be run from an agency Domain Controller.

  1. Navigate to Server Manager.
  2. Select Tools.
  3. Select Group Policy Management from the drop-down list.
  4. Right-click your desired domain(s), and select Create a GPO in this domain, and Link it here….
  5. Enter a GPO Name and click OK.
  6. Right-click the newly created Group Policy Object (GPO) and click Edit….
  7. Navigate to Policies -> Windows Settings -> Security Settings -> Public Key Policies.
  8. Right-click Trusted Root Certification Authorities, and select Import. The Certificate Import Wizard will open.
  9. Browse to and select your copy of COMMON.
  10. Verify that the target Certificate Store presents Trusted Root Certification Authorities, and select Next.
  11. Select Finish to complete the import. You’ll see the message, The import was successful.
  12. Close the Group Policy Management window.
  13. Wait for clients to consume the new policy.
  14. [OPTIONAL] You can force client consumption: click Start, type cmd, press Enter, and run command:

           gpupdate /force
    

Sample steps run on Microsoft Server 2012: Sample Steps

Use third-party configuration management tools

You must have Enterprise Administrator privileges for the Domain to use these procedures. The commands must be run from an agency Domain Controller.

You can use third-party configuration management tools, such as BigFix.

  1. Using BigFix, schedule a task and push the certificate file. Run command (example):

         certutil -f -addstore root "fcpca.crt"
    

Use Microsoft Certificate Manager for unmanaged devices

To redistribute COMMON to unmanaged devices:

  1. Click Start, type certmgr.msc, and then press Enter.
  2. Right-click Trusted Root Certification Authorities and select All Tasks -> Import. The Certificate Import Wizard will open.
  3. Browse to and select your copy of COMMON.
  4. Verify that the desired Certificate Store presents Trusted Root Certification Authorities, and select Next.
  5. Select Finish to complete the import. You’ll see the message, The import was successful.

Note: If several users share a device, you can run certlm.msc to simultaneously update the certificate stores for the accounts on the device (vs. updating each account separately).
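For the third-party configuration management push above and for unmanaged devices, the script below is an added example (not part of the GSA playbook) that only writes to the machine-wide Trusted Root Certification Authorities store after the file's SHA-256 hash matches the published value, then confirms the enterprise copy is present. It requires local administrator rights; the file path is an assumption. It checks a registry key that is not listed on this page (HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates, where a root added directly to the local machine store is recorded), which the comments explain.

```powershell
# Added example, not part of the GSA playbook: a push script for a configuration
# management task or an unmanaged device. It refuses to touch the trust store
# unless the file's SHA-256 hash matches the value published on this page.
# Requires local administrator rights. The file path used at the bottom is an assumption.

$ExpectedSha256     = '894EBC0B23DA2A50C0186B7F8F25EF1F6B2935AF32A94584EF80AAF877A3A06E'
$ExpectedThumbprint = '905F942FD9F28F679B378180FD4F846347F645C1'   # SHA-1; Windows keys store entries by it

function Install-CommonRootCertificate {
    param([Parameter(Mandatory = $true)][string]$Path)

    # 1. Gate on the hash: a mismatch aborts before anything is written.
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($hash -ne $ExpectedSha256) {
        throw "Refusing to install '$Path': SHA-256 is $hash, expected $ExpectedSha256."
    }

    # 2. Add to LocalMachine\Root, the machine-wide Trusted Root Certification
    #    Authorities store. Equivalent to the page's "certutil -f -addstore root",
    #    and idempotent: adding a certificate that is already present changes nothing.
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', 'LocalMachine'
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }

    # 3. Confirm an enterprise copy landed. A root added directly to the local
    #    machine store is recorded under this key (not listed on the page, which
    #    covers the GPO and certutil -dspublish locations). The copy Microsoft ships
    #    in its CTL is not stored here, so unlike a search of the logical Root store
    #    this check is not satisfied by Microsoft's own copy.
    $key = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\$ExpectedThumbprint"
    if (-not (Test-Path -LiteralPath $key)) {
        throw "Import completed but '$key' is missing; inspect the store with certlm.msc."
    }
    Write-Host "COMMON ($ExpectedThumbprint) is present in LocalMachine\Root."
    return $true
}

Install-CommonRootCertificate -Path 'C:\Temp\fcpca.crt'
```

Because the hash check runs before the store is opened, a corrupted or substituted file fails closed: the task exits non-zero and the trust store is left as it was.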


Verify Redistribution of COMMON

To verify the redistribution of the COMMON root CA certificate to your agency’s Windows workstations and devices, use one of the options below:

Automated Solutions (Recommended):

  • Use BigFix
  • Use LANDesk 2016

Manual Solutions:

  • Use Microsoft Certificate Manager
  • Use Microsoft Registry Editor

Use BigFix

  1. Download the BigFix Enterprise Suite (.bes) analysis file: FPKIRootDetection.bes.

  2. Use Certutil or other tool to verify the .bes file’s SHA-256 hash (required):

           certutil -hashfile [DOWNLOAD_LOCATION]\FPKIRootDetection.bes SHA256
    
  3. The file’s hash must match this one:

           390f8e6d35412b4e2a818897bdddbfeeff5ce4c99301cd6c170bc3d8610ada36
    
  4. Log into BigFix:  Start -> IBM BigFix -> IBM BigFix Console.
  5. Import the FPKIRootDetection.bes file:  File -> Import -> Open. The Create Analysis window opens.
  6. Assign the file:  for Create in site, select site name, and for Create in domain, select domain name. Click Okay.
  7. From the left side panel, click Analyses to see a list of imported analysis files.
  8. Click Federal Common Policy CA Redistribution Detection (i.e., FPKIRootDetection.bes) and click the Results tab to see the redistribution analysis. If the analysis was not activated by default, right-click the file and then click Activate Globally.
  9. For each workstation or device listed, “Has COMMON Been Redistributed?” should say True. If False, you’ll need to investigate the cause of the failure. If you can’t find a cause, please contact us at fpki@gsa.gov.

    Sample Output

Use LANDesk 2016

Note:  If your agency uses a version above LANDesk 2016, please see Ivanti: Install Root Certificates on Windows.

  1. Open LANDesk 2016:  Start -> LANDesk Management -> Desktop Manager.
  2. Create a custom registry data item:  Tools -> Reporting/Monitoring -> Manage software list.
  3. Expand Custom Data and click Registry items.
  4. Click Add to add a new registry item.
  5. Add the data shown below for Windows 32-bit or 64-bit versions, based on GPO or Certutil distribution of COMMON.

       Microsoft Windows 32-bit Versions
    
       - GPO Distribution
    
           Root Key: HKLM
           Key: SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\905F942FD9F28F679B378180FD4F846347F645C1
           Value: BLOB
            Attribute Name: Custom Data - FCPCAWin32 GPO - Certificate
    
       - Certutil Distribution
          
           Root Key: HKLM
           Key: SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\905F942FD9F28F679B378180FD4F846347F645C1
           Value: BLOB
            Attribute Name: Custom Data - FCPCAWin32 certutil - Certificate
    
       Microsoft Windows 64-bit Versions
    
       - GPO Distribution
    
           Root Key: HKLM
           Key: SOFTWARE\WOW6432Node\Policies\Microsoft\SystemCertificates\Root\Certificates\905F942FD9F28F679B378180FD4F846347F645C1
           Value: BLOB
           Attribute Name: Custom Data – FCPCAWin64 GPO - Certificate
    
       - Certutil Distribution
    
           Root Key: HKLM
           Key: SOFTWARE\WOW6432Node\Microsoft\EnterpriseCertificates\Root\Certificates\905F942FD9F28F679B378180FD4F846347F645C1
           Value: BLOB
           Attribute Name: Custom Data – FCPCAWin64 certutil - Certificate
    
  6. Create a query for the registry item:  from the left side panel, expand Network View and click Queries.
  7. Right-click My Queries, select New Query, and enter a query name (e.g., COMMON Verification: Win32 Machines).
  8. Under Machine Component, expand Computer, click Custom Data, and select the registry item.
  9. For Boolean, select Exists.
  10. For Displayed Scanned Values, click Insert and add the BLOB value from above.
  11. Double-click the new query name to verify COMMON redistribution. The results will be similar to these:

    Sample Output

Use Microsoft Certificate Manager

  1. Open Microsoft Certificate Manager:  Start; then type certlm.msc and press Enter.
  2. Go to Trusted Root Certification Authorities -> Certificates. To see whether COMMON was successfully redistributed, look for Federal Common Policy CA shown with Intended Purposes of ALL and a Friendly Name of None, as shown here:

    Trusted Root CA Certificates List

Note: You may see more than one copy of COMMON. For example, the screenshot above shows 3 entries for COMMON:

  • The first entry (“dashed” border) is from Microsoft’s Certificate Trust List (CTL) (i.e., certificate store). Microsoft-distributed copies show multiple Intended Purposes values and a Friendly Name of U.S. Government Common Policy.
  • The remaining two entries are examples of enterprise-distributed copies. Enterprise-distributed copies show Intended Purposes of ALL and a Friendly Name of None.

Optional:

  1. Open Microsoft Certificate Manager:  Start; then type certlm.msc and press Enter.
  2. Select Trusted Root Certification Authorities from the left side panel. Then, select View -> Options.
  3. In the View Options box, check the Physical certificate stores checkbox.
  4. At the left side panel, click “>” next to Trusted Root Certification Authorities to see the subdirectories.
  5. Verify the redistribution of COMMON:
    • For Certutil-redistributed copies of COMMON, click Enterprise -> Certificates. COMMON should appear in the certificates list.
    • For GPO-redistributed copies of COMMON, click Group Policy -> Certificates. COMMON should appear in the certificates list.

Use Microsoft Registry Editor

  1. Verify that COMMON has been redistributed to a specific workstation or device:  open the Microsoft Registry Editor:  Start; type regedit.exe and press Enter.
  2. The following registry keys will appear for GPO- or Certutil-redistributed copies of COMMON:

GPO-redistributed COMMON:

  • HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\905F942FD9F28F679B378180FD4F846347F645C1\
  • HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\SystemCertificates\Root\Certificates\905F942FD9F28F679B378180FD4F846347F645C1\

Certutil-redistributed COMMON:

  • HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\905F942FD9F28F679B378180FD4F846347F645C1\
  • HKLM:\SOFTWARE\WOW6432Node\Microsoft\EnterpriseCertificates\Root\Certificates\905F942FD9F28F679B378180FD4F846347F645C1\
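The script below is an added example (not part of the GSA playbook) that automates the Registry Editor and Certificate Manager checks above: it tests the four registry keys listed for GPO- and Certutil-redistributed copies (the same keys the LANDesk custom data items use), counts the copies of COMMON in the LocalMachine Root store, and reports each copy's Friendly Name, which this page uses to tell enterprise copies (None) from Microsoft's CTL copy. Computer names in the fleet-check comment are placeholders.

```powershell
# Added example, not part of the GSA playbook: reports whether and how COMMON was
# redistributed to this workstation, using the registry keys listed on this page.

function Get-CommonRedistributionStatus {
    param([string]$Thumbprint = '905F942FD9F28F679B378180FD4F846347F645C1')

    # Registry locations from the "Use Microsoft Registry Editor" section above.
    $locations = [ordered]@{
        'GPO'                         = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$Thumbprint"
        'GPO (WOW6432Node)'           = "HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\SystemCertificates\Root\Certificates\$Thumbprint"
        'Certutil -dspublish'         = "HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\$Thumbprint"
        'Certutil -dspublish (WOW6432Node)' = "HKLM:\SOFTWARE\WOW6432Node\Microsoft\EnterpriseCertificates\Root\Certificates\$Thumbprint"
    }
    $found = @(foreach ($name in $locations.Keys) {
        if (Test-Path -LiteralPath $locations[$name]) { $name }
    })

    # The logical Root store merges every physical store, so Microsoft's CTL copy
    # shows up here alongside enterprise copies. Per this page, enterprise copies
    # have no Friendly Name; Microsoft's copy is named "U.S. Government Common Policy".
    $copies = @(Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $Thumbprint })
    $names  = @($copies | ForEach-Object { if ($_.FriendlyName) { $_.FriendlyName } else { 'None' } })

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Redistributed     = ($found.Count -gt 0)      # mirrors BigFix's "Has COMMON Been Redistributed?"
        RedistributedVia  = ($found -join ', ')
        CopiesInRootStore = $copies.Count
        FriendlyNames     = ($names -join '; ')
    }
}

# Local check:
Get-CommonRedistributionStatus | Format-List

# Fleet check over WinRM (computer names are placeholders):
# Invoke-Command -ComputerName ws01, ws02 -ScriptBlock ${function:Get-CommonRedistributionStatus} | Format-Table
```

A result of Redistributed = False with CopiesInRootStore = 1 and FriendlyNames = "U.S. Government Common Policy" is the case this page warns about: only Microsoft's copy is present, and authentication will fail once it is removed.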


Frequently Asked Questions


Where can I get the DHS Federal Network Resilience (FNR) Webinar slides?

The FNR Webinar slides (.pdf) can be found here.

I’m still not sure I get it. Can you explain this change to me in a different way?

  • Current State: Microsoft distributes the Federal Common Policy CA (FCPCA) (i.e., COMMON) root certificate from its certificate store to all Microsoft workstations and devices. This means that Microsoft trusts COMMON as a known root certification authority. Because Microsoft trusts COMMON, it trusts all Federal PKI CA-issued certificates because they validate to COMMON.
  • Future State: When COMMON is removed from Microsoft’s certificate store, Microsoft will not trust COMMON or any Federal PKI CA-issued certificates. If an agency has not redistributed COMMON by this time, users could experience authentication errors and other issues. You can prevent errors and issues by redistributing COMMON as soon as possible.

What happens if I don’t redistribute COMMON?

1. (High Impact) Authentication failures:

  • Workstations
  • Websites
  • Applications (internal and cross-agency)
  • Virtual Private Networks (VPNs)

2. (Medium Impact) Error fatigue:

  • Unexpected application errors and system behavior for legacy and government-off-the-shelf (GOTS) products

3. (Low Impact) Digital-signature validation failures:

  • Email
  • Documents and files (e.g., Microsoft Word)

What kinds of errors could I see?

Sample Chrome error when a user navigates to an intranet site whose SSL/TLS certificate doesn’t chain to a trusted root CA:

error_navigation

Sample Chrome error when PIV authentication fails because the user’s certificate doesn’t chain to a trusted root CA:

error_piv_auth

Sample Microsoft Outlook error when a digital signature certificate for an email doesn’t chain to a trusted root CA:

error_sig_val

Which Microsoft products will be affected?

  Personal Computer    Server
  Windows 10           Windows Server 2016
  Windows 8.1          Windows Server 2012/2012 R2
  Windows 8            Windows Server 2008/2008 R2
  Windows 7
  Windows Vista

If you use other Windows versions in your environment, please let us know (fpki@gsa.gov)!

When will this change occur?

The Federal PKI’s target date for mitigation actions was December 31, 2018. We anticipate that COMMON will be removed from the Microsoft certificate store in early 2019.

Is COMMON changing?

No. COMMON is not changing. The only change will be the way in which COMMON is distributed to workstations and devices.

How can I verify that COMMON has been successfully redistributed to my workstation or device?

Please review Verify Redistribution of COMMON.

Can multiple copies of COMMON coexist in my workstation’s or device’s certificate store?

Yes! But don’t worry - an enterprise-distributed copy of COMMON won’t conflict with Microsoft’s distributed copy.

My agency gets PIV cards from [Issuer Name]. I won’t be affected by this change, right?

Incorrect. Your PIV credential issuer and how agency credentials are generated or issued will not be impacted by this change. The impact relates to COMMON’s removal from Microsoft’s trust stores and how to mitigate this impact by redistributing COMMON to federal enterprise workstations and devices. (See What happens if I don’t redistribute COMMON?.)

Will my PIV credentials break or need to be updated or replaced when this change occurs?

No. PIV credentials will not be affected by this change.

Do I need to redistribute COMMON to my “Bring Your Own Device” (BYOD) program device?

As a BYOD program device user, you’ll need to redistribute COMMON if you:

  • Use your PIV credential to log into intranet sites or VPNs
  • Validate PIV digital signatures (emails or documents)
  • Navigate to intranet pages whose SSL/TLS certificates chain to COMMON

Can I test the impact of Microsoft’s removal of COMMON?

It is possible to simulate the Microsoft certificate store’s future state. It is not recommended due to the potential for destructive outcomes. If you’re interested in learning more, please contact us at fpki@gsa.gov.