Federal Common Policy CA Update

Solution ID : AL140521173024
Last Modified : 10/21/2023

Description

On April 22, 2021, the US government revoked the DigiCert Federal SSP Intermediate CA - G5, the intermediate certificate bridging trust between DigiCert and the Federal Common Policy CA. This was replaced by the Federal Common Policy CA G2 certificate. Systems relying on FBCA certificates need to remove the old certificate and import the new one.

Impact

This revocation only affects FBCA certificates. Customers who do not participate in the Federal Bridge CA program are not affected.

Solution

Delete the old Federal Common Policy CA certificate and import the Federal Common Policy CA G2 certificate.

GUI Option

You can remove the certificate via mmc.exe on your computer.

  1. Open your start menu and type certlm.msc and run the application.
  2. Expand Trusted Root Certification Authorities > Certificates.
  3. Delete the “Federal Common Policy CA” certificate.
  4. Expand Intermediate Certification Authorities > Certificates.
  5. Delete the “Federal Common Policy CA” if it shows here as well.
  6. Do not close the certlm.msc window; you will need it to import the new certificate next.

Once you have deleted the old certificate, you can import the new one:

  1. Download the new Federal Common Policy CA G2 certificate from here.
    • Certificate’s SHA1 thumbprint:
      99B4251E2EEE05D8292E8397A90165293D116028
    • Certificate’s SHA2 thumbprint:
      5F9AECC24616B2191372600DD80F6DD320C8CA5A0CEB7F09C985EBF0696934FC
  2. Under Trusted Root Certification Authorities, right click on Certificates and go to All Tasks > Import.
  3. Browse to and select the Federal Common Policy CA G2 certificate and import it. Accept all of the defaults when importing.

CLI Option (Recommended)

You can find all instances of the Federal Common Policy CA G2 and save the information to a txt file with this command. This is a recommended backup in case you need to revert to previous settings. The txt file is saved to your Desktop.

Get-ChildItem "Cert:\LocalMachine" -Recurse | Where-Object {$_.Subject -match "CN=Federal Common Policy CA"} > "$env:USERPROFILE\Desktop\trust_store_backup.txt"

Use this “one-liner” in PowerShell to remove all instances of the Federal Common Policy CA from your computer. The -match pattern also matches the subject of the Federal Common Policy CA G2, so run it before importing the new certificate, not after.

Get-ChildItem "Cert:\LocalMachine" -Recurse | Where-Object {$_.Subject -match "CN=Federal Common Policy CA"} | Remove-Item

Once you have removed the old certificate, you can import the new one.

Download the new Federal Common Policy CA G2 certificate.

Invoke-WebRequest -Uri http://repo.fpki.gov/fcpca/fcpcag2.crt -OutFile "$env:USERPROFILE\Downloads\fcpcag2.crt"

Certificate’s SHA1 thumbprint:

99B4251E2EEE05D8292E8397A90165293D116028

Certificate’s SHA2 thumbprint:
5F9AECC24616B2191372600DD80F6DD320C8CA5A0CEB7F09C985EBF0696934FC

Import the new certificate to the Root and Intermediate trust stores by running these two commands.

Import-Certificate -FilePath "$env:USERPROFILE\Downloads\fcpcag2.crt" -CertStoreLocation Cert:\LocalMachine\Root

Import-Certificate -FilePath "$env:USERPROFILE\Downloads\fcpcag2.crt" -CertStoreLocation Cert:\LocalMachine\CA
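
The CLI procedure above downloads the certificate over plain HTTP, so the published thumbprints are the only integrity check before the file becomes a trust anchor. The following PowerShell is an added example (not DigiCert's own script) that compares both thumbprints from this page against the downloaded file and imports it only on a match; the function name Get-CertFingerprints and the variable names are assumptions made for the illustration.

```powershell
# Added example, not DigiCert's script. Run in an elevated PowerShell session.
# Expected values are the thumbprints published on this page.
$ExpectedSha1   = '99B4251E2EEE05D8292E8397A90165293D116028'
$ExpectedSha256 = '5F9AECC24616B2191372600DD80F6DD320C8CA5A0CEB7F09C985EBF0696934FC'
$CertPath       = "$env:USERPROFILE\Downloads\fcpcag2.crt"   # path used by the download step

function Get-CertFingerprints {
    param([Parameter(Mandatory)][string]$Path)
    # Parse the file first: a truncated download or an HTML error page throws here.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    # Hash the DER bytes (RawData) so the result is the same for DER and PEM files.
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try {
        $digest = $sha256.ComputeHash($cert.RawData)
    } finally {
        $sha256.Dispose()
    }
    [pscustomobject]@{
        Subject = $cert.Subject
        Sha1    = $cert.Thumbprint   # .NET thumbprint = SHA-1 of the DER encoding
        Sha256  = [System.BitConverter]::ToString($digest) -replace '-', ''
    }
}

$fp = Get-CertFingerprints -Path $CertPath

# -ne on strings is case-insensitive in PowerShell, so hex case does not matter.
if ($fp.Sha1 -ne $ExpectedSha1 -or $fp.Sha256 -ne $ExpectedSha256) {
    Remove-Item -LiteralPath $CertPath -Force
    throw "Thumbprint mismatch for '$($fp.Subject)': got SHA1 $($fp.Sha1), SHA256 $($fp.Sha256). File deleted, nothing imported."
}

# Both thumbprints match: import into the same two stores the page uses.
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA') {
    Import-Certificate -FilePath $CertPath -CertStoreLocation $store | Out-Null
    # Confirm the store now holds a certificate with the expected thumbprint.
    if (-not (Test-Path "$store\$ExpectedSha1")) {
        throw "Import into $store did not produce thumbprint $ExpectedSha1."
    }
    Write-Output "Imported $($fp.Subject) into $store"
}
```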

 

More Info: