Microsoft Removal Solutions

In FY 2019, the U.S. Government is removing the Federal Public Key Infrastructure (FPKI) root certificate from the Microsoft certificate store. This change will affect all federal agencies and may have an impact on the following services:

  • Personal Identity Verification (PIV) credential authentication to the government networks
  • Agency web applications implementing client authentication (e.g., PIV authentication)
  • Authentication to Office 365
  • Validation of digital signatures
  • Other applications leveraging the Microsoft certificate store

To mitigate any impact this change may have on agency networks and applications, you will need to manually retrieve the U.S. Government root CA certificate, import this certificate into agency enterprise certificate stores, and ensure that this change is propagated throughout the networks.

The root certificate is available immediately and will remain unchanged. Please follow one of the options under Solutions to mitigate negative impacts.

All agencies are encouraged to complete this action by December 31, 2018.


Solutions

To limit the impact to your agency, you’ll need to redistribute the COMMON root CA certificate as a trusted root certificate to all government-furnished Windows workstations and devices.

To redistribute COMMON, follow these procedures:

  1. Download a Copy of COMMON
  2. Verify Your Copy of COMMON
  3. Redistribute COMMON

Download a Copy of COMMON

To download a copy of COMMON, use one of the recommended options:

  1. Download from http://http.fpki.gov/fcpca/fcpca.crt.
  2. Email fpki@gsa.gov to request an out-of-band copy for download.

You should never install a root certificate without verifying it. Follow the procedures below to verify the authenticity of your copy of COMMON.

Verify Your Copy of COMMON

Use one of these options to verify your copy of COMMON. Your certificate details and hash must match the expected values shown below.

  1. Use Microsoft command line via certutil
  2. Use Microsoft command line via OpenSSL
  3. Use Microsoft PowerShell

Federal Common Policy CA (FCPCA/COMMON) Certificate Details

  Certificate:         Federal Common Policy CA (sometimes shown as U.S. Government Common Policy)
  Download URL:        http://http.fpki.gov/fcpca/fcpca.crt
  Distinguished Name:  cn=Federal Common Policy CA, ou=FPKI, o=U.S. Government, c=US
  Serial Number:       0130
  SHA-1 Thumbprint:    90 5f 94 2f d9 f2 8f 67 9b 37 81 80 fd 4f 84 63 47 f6 45 c1
  SHA-256 Thumbprint:  89 4e bc 0b 23 da 2a 50 c0 18 6b 7f 8f 25 ef 1f 6b 29 35 af 32 a9 45 84 ef 80 aa f8 77 a3 a0 6e

Note: For the following procedures, replace [PATH\] with the path to your copy of COMMON.

Use Microsoft command line via certutil

  1. Click Start, type cmd, and press Enter.
  2. Run command:

         certutil -hashfile [PATH\]fcpca.crt SHA256

Use Microsoft command line via OpenSSL

  1. Click Start, type cmd, and press Enter.
  2. Run command:

         openssl sha256 [PATH\]fcpca.crt

Use Microsoft PowerShell

  1. Click Start, type cmd, and press Enter.
  2. Run command:

         Get-FileHash [PATH\]fcpca.crt | Format-List

Sample steps run on Microsoft Server 2012: Sample Steps
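As an added example that is not part of the original playbook, the following PowerShell script automates the verification above: it hashes the downloaded file the same way the Get-FileHash option does, then also parses the certificate and compares its thumbprint, serial number and subject against the expected values from the details table, refusing to continue on any mismatch. The download path in the last lines is an assumption; replace it with the location of your copy.

```powershell
# Added example: verify a downloaded copy of COMMON before trusting it.
# Expected values are taken from the Certificate Details table on this page.
$ExpectedSha256  = '894EBC0B23DA2A50C0186B7F8F25EF1F6B2935AF32A94584EF80AAF877A3A06E'
$ExpectedSha1    = '905F942FD9F28F679B378180FD4F846347F645C1'
$ExpectedSerial  = '0130'
$ExpectedSubject = 'CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US'

function Test-CommonCertificate {
    param([Parameter(Mandatory)][string]$Path)

    # File hash, exactly what the page's Get-FileHash / certutil -hashfile options print.
    $fileSha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    # Parse the certificate itself so the serial number, subject and the
    # certificate thumbprint (SHA-1 of the DER encoding) can be compared as well.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path

    # PowerShell's -eq is case-insensitive, so hex case and DN attribute case do not matter.
    $result = [ordered]@{
        File         = $Path
        Sha256Match  = ($fileSha256 -eq $ExpectedSha256)
        Sha1Match    = ($cert.Thumbprint -eq $ExpectedSha1)
        SerialMatch  = ($cert.SerialNumber -eq $ExpectedSerial)
        SubjectMatch = ($cert.Subject -eq $ExpectedSubject)
    }
    $result.AllMatch = $result.Sha256Match -and $result.Sha1Match -and
                       $result.SerialMatch -and $result.SubjectMatch
    [pscustomobject]$result
}

# Assumed download location; adjust to wherever your copy of COMMON was saved.
$check = Test-CommonCertificate -Path "$env:USERPROFILE\Downloads\fcpca.crt"
$check | Format-List

if (-not $check.AllMatch) {
    Write-Error 'fcpca.crt does not match the expected COMMON values; do not install it.'
    exit 1
}
# Only a copy for which every field matches should be handed to the
# redistribution procedures (certutil -dspublish, Group Policy, etc.).
```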

Redistribute COMMON

Use one of these options to redistribute COMMON:

  1. Use Microsoft certutil
  2. Use Microsoft Group Policy Object
  3. Use third-party configuration management tools
  4. Manually use Microsoft Certificate Manager

Use Microsoft certutil

You must have Enterprise Administrator privileges for the Domain to use these procedures. The commands must be run from an agency Domain Controller.

  1. Click Start, type cmd, and press Enter.
  2. Run command:

         certutil -dspublish -f [PATH\]fcpca.crt RootCA
  3. Verify that COMMON was distributed. Run commands:

         gpupdate /force
         certutil -viewstore -enterprise
  4. Confirm that COMMON is contained in the output details.
  5. [OPTIONAL] Verify the certificate details against the expected values shown above (e.g., Serial Number).

Sample steps run on Microsoft Server 2012: Sample Steps

Use Microsoft Group Policy Object

You must have Enterprise Administrator privileges for the Domain to use these procedures. The commands must be run from an agency Domain Controller.

  1. Navigate to Server Manager.
  2. Select Tools.
  3. Select Group Policy Management from the drop-down list.
  4. Right-click your desired domain(s), and select Create a GPO in this domain, and Link it here….
  5. Enter a GPO Name and click OK.
  6. Right-click the newly created GPO and click Edit….
  7. Navigate to Policies -> Windows Settings -> Security Settings -> Public Key Policies.
  8. Right-click Trusted Root Certification Authorities, and select Import. The Certificate Import Wizard will open.
  9. Browse to and select your copy of COMMON.
  10. Verify that the target Certificate Store presents Trusted Root Certification Authorities, and select Next.
  11. Select Finish to complete the import. You’ll see the message, The import was successful.
  12. Close the Group Policy Management window.
  13. [OPTIONAL] Wait for clients to consume the new policy or you can force consumption:
    • Click Start, type cmd, and then press Enter.
    • Run command:
           gpupdate /force

Sample steps run on Microsoft Server 2012: Sample Steps

Use third-party configuration management tools

You must have Enterprise Administrator privileges for the Domain to use these procedures. The commands must be run from an agency Domain Controller.

You can use third-party configuration management tools, such as BigFix.

  1. Using BigFix, schedule a task and push the certificate file:
    • Run command (example):
         certutil -f -addstore root "fcpca.crt"

Manually use Microsoft Certificate Manager

For unmanaged devices, use the following manual procedures:

  1. Click Start, type certmgr.msc, and then press Enter.
  2. Right-click Trusted Root Certification Authorities and select All Tasks -> Import. The Certificate Import Wizard will open.
  3. Browse to and select your copy of COMMON.
  4. Verify that the desired Certificate Store presents Trusted Root Certification Authorities, and select Next.
  5. Select Finish to complete the import. You’ll see the message, The import was successful.

Note: If multiple users share a device, administrators should run certlm.msc (the Local Machine certificate store), which updates the trust store for all accounts on the device at once, rather than updating each user account separately.


Frequently Asked Questions


Where can I get the DHS Federal Network Resilience (FNR) Webinar slides?

The FNR Webinar slides (.pdf) can be found here.

I’m still not sure I get it. Can you explain this change to me in a different way?

  • Current State: Microsoft distributes COMMON from its certificate store to all Microsoft workstations and devices. This means that Microsoft trusts COMMON as a known root certification authority. Because Microsoft trusts COMMON, it trusts all Federal PKI CA-issued certificates because they validate to COMMON.
  • Future State: When COMMON is removed from Microsoft’s certificate store, Microsoft will not trust COMMON or any Federal PKI CA-issued certificates. If an agency has not redistributed COMMON by this time, users could experience authentication errors and other issues. We can prevent errors and issues by redistributing COMMON.

What happens if I don’t redistribute COMMON?

1. (High Impact) Authentication failures

  • Workstations
  • Websites
  • Applications (internal or cross-agency)
  • Virtual Private Networks (VPNs)

2. (Medium Impact) Error fatigue

  • Removal of COMMON could result in unexpected application errors and system behavior for legacy and Government Off-the-Shelf (GOTS) products

3. (Low Impact) Digital-signature validation failures

  • Email
  • Documents and files (e.g., Microsoft Word)

What kinds of errors or messages would I see?

Sample Chrome error when a user navigates to an intranet site whose SSL/TLS certificate doesn’t chain to a trusted root CA:

[Screenshot: error_navigation]

Sample Chrome error when PIV authentication fails because the user’s certificate doesn’t chain to a trusted root CA:

[Screenshot: error_piv_auth]

Sample Microsoft Outlook error when a digital signature certificate for an email doesn’t chain to a trusted root CA:

[Screenshot: error_sig_val]

Which Microsoft products will be affected?

These Windows versions will be affected:

  Personal Computer        Server
  -----------------        ----------------------
  Windows 10               Windows Server 2016
  Windows 8.1              Windows Server 2012 R2
  Windows 8                Windows Server 2008 R2
  Windows 7
  Windows Vista

If you use other Windows versions in your environment, please let us know (fpki@gsa.gov)!

When will this change occur?

The Federal PKI community’s target date for mitigation actions is December 31, 2018. We anticipate that COMMON will be removed from the Microsoft certificate store in early 2019.

Is COMMON changing?

No. COMMON will not change. The only change will be in how COMMON is distributed to workstations and devices.

How can I verify that COMMON has been redistributed to my workstation or device?

  1. Open Microsoft Certificate Manager: Start, type certmgr.msc, and then press Enter.

  2. Navigate to Trusted Root Certification Authorities -> Certificates.

  3. You may see 2 (or more) copies of COMMON, depending on how they were distributed. The screenshot below lists 3 entries for COMMON:

    • The first entry (“dashed” border) is from the Microsoft Certificate Trust List (CTL) (i.e., certificate store). Microsoft-distributed copies show multiple Intended Purposes values and a Friendly Name of U.S. Government Common Policy.
    • The remaining two entries (examples of enterprise-distributed copies) result from following the procedures in this Playbook. Enterprise-distributed copies show an Intended Purposes value of ALL and a Friendly Name of None.

Sample Steps

Optionally, you can use this method:

  1. From the Trusted Root Certification Authorities screen, select View -> Options.
  2. In the View Options box, check the Physical certificate stores checkbox.
  3. At the main screen’s side panel, click the > next to Trusted Root Certification Authorities to see a list of sub-directories: Registry, Third Party, Group Policy, Enterprise, and Smart Card.

If you redistributed COMMON via certutil (for example), COMMON will be listed in the Enterprise sub-directory.

Can multiple copies of COMMON coexist in my workstation’s or device’s certificate store?

Yes! But don’t worry - an enterprise-distributed copy of COMMON won’t conflict with Microsoft’s distributed copy.

My agency gets PIV cards from [Issuer Name]. I won’t be affected by this change, right?

Incorrect. Your PIV credential issuer and how credentials are generated or issued will not be impacted by this change. COMMON removal from the Microsoft certificate store will impact federal agencies’ workstations, devices, etc. (See What happens if I don’t redistribute COMMON?)

Will my PIV credentials break or need to be updated or replaced when this change occurs?

No. Our PIV credentials will not be affected by this change.

Do I need to redistribute COMMON to my “Bring Your Own Device” (BYOD) program device?

As a BYOD program device user, if you perform one of these activities, you’ll need to redistribute COMMON:

  • PIV credential login (to intranet sites or VPNs)
  • Validating PIV digital signatures (emails or documents)
  • Navigating to intranet pages whose SSL/TLS certificates chain to COMMON

Can I test the impact of Microsoft’s removal of COMMON?

It is possible to simulate the Microsoft certificate store’s future state. It is not recommended due to the potential for destructive outcomes. If interested in learning more, please contact us at fpki@gsa.gov.