fpki_hottopic_ms_constraint.md

---
layout: default
title: Announcements
permalink: /announcements/
---

New Microsoft Policies Set To Impact the Federal Government

Microsoft has issued new Public Key Infrastructure (PKI) policy requirements that could impact 14 federal agencies. Under these requirements, the Federal PKI must undergo an annual audit of how we operate, maintain, and issue certificates from our Certification Authorities (CAs). If the FPKI does not comply, the first change will occur in April 2018: Windows users will get errors when browsing with Microsoft Edge/IE or Chrome to intranet and internet websites that use FPKI CA-issued SSL (i.e., server authentication) certificates. Chrome is affected because, on Windows, it relies on the Windows certificate store for server certificate validation.

{% include alert-info.html heading="Agencies use SSL certificates to secure intranet and internet websites, per HTTPS mandate (BOD 18-01.1)" %}

Options for Federal PKI Response to Microsoft

Please recommend Option 1 or 2 and send any agency impacts or concerns by January 26, 2018 to [email protected].

Option 1

(Recommended) The FPKI instructs Microsoft to remove the server authentication trust bit from the Federal Common Policy Certification Authority (FCPCA) (aka COMMON) Root certificate in the Microsoft trust store

  • Result 1:  Your users will get errors when browsing with Microsoft Edge/IE or Chrome to intranet and internet websites that use FPKI CA-issued SSL certificates.

  • Result 2:  How can we limit this impact?  Network domain administrators can distribute new group policies to restore the pre-change behavior for Microsoft OS-based, government-managed equipment. (For steps, see the Option 1 FAQs and the Microsoft Certificate Trust Lists [CTL] recommended reading below.) Note that group policy only reaches managed, domain-joined devices; unmanaged devices and public visitors to internet-facing sites will still see the errors.

  • Result 3:  Based on agency feedback, Option 1 would have the least impact on mission-critical operations and systems.

Network Administrator's FAQs for Option 1

  1. Do I need to remove the baked-in version of the FCPCA Root certificate?
  • No, don't remove this certificate if it's already installed.
  2. Do I need to add the FCPCA Root certificate to the Trusted Root Certification Authorities store via GPO, or should I add it to the enterprise trust store?
  • If the FCPCA Root certificate is already installed, you don't need to reinstall it or change its store. However, if it's not installed, follow the PIV Guides steps for Network Authentication{:target="_blank"}.
  3. Do I need to change any trust bit for the GPO?
  • NOTE: TBD.
  4. What Windows versions are affected?
  • All Windows versions (e.g., Windows 10, Server 2016, legacy client and server OSs).
  5. Will the GPO distribution affect IPSec certificates if the server authentication bit is enabled and when used with Microsoft OSs?
  • Yes. The change applies to any certificate chaining to FCPCA that asserts the server authentication extended key usage, so IPSec certificates that include it could be affected as well.

Option 2

(Greatest potential impact on operations and mission-critical systems) Microsoft continues to distribute the FCPCA Root CA certificate with the server authentication trust bit enabled, but with an added Domain Constraint

  • Result 1:  With the added domain constraint, your users will get errors from Microsoft Edge/IE or Chrome for any FPKI CA-issued SSL certificate that does not contain a fully qualified domain name ending in .gov, .us, or .mil, or an IP address. Microsoft enforces this constraint globally through the Microsoft Certificate Trust List (CTL); network domain administrators can't modify it.

  • Result 2:  Based on agency feedback, Option 2 is detrimental to mission operations in the near-term, because issued certificates use intranet domain name aliases (e.g., intranetapp vs. intranetapp.agency.gov).
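To see which certificates an Option 2 constraint would break before it is enforced, an administrator can run the names in each certificate's Subject Alternative Name (SAN) against the permitted set. The script below is an added example written for this page; it is not part of the original announcement and not a Microsoft tool. It assumes the constraint behaves like an RFC 5280 name constraint on the root: every dNSName in the SAN must be a fully qualified name whose rightmost label is gov, us, or mil, iPAddress entries are permitted as-is, and a single non-conforming name (such as the short alias intranetapp) fails the whole certificate. Microsoft's exact CTL matching rules are not described on this page, so treat the rule set as an approximation to adjust. The SAN lists are constructed sample data.

```python
"""Check SAN entries against an Option 2 style domain constraint.

Added example for this page; not Microsoft code. Matching rules are an
assumption modelled on RFC 5280 name constraints (see comments).
"""
import ipaddress

# Assumed permitted top-level domains from the announcement: .gov, .us, .mil
PERMITTED_TLDS = frozenset({"gov", "us", "mil"})


def is_permitted_name(name: str, permitted_tlds=PERMITTED_TLDS) -> bool:
    """Return True if a single SAN entry would satisfy the assumed constraint."""
    # IPv4/IPv6 literals pass regardless of domain (page: "or IP address").
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        pass

    labels = name.lower().rstrip(".").split(".")

    # A single label such as "intranetapp" is not fully qualified: reject.
    if len(labels) < 2 or any(not lbl for lbl in labels):
        return False

    # Assumption: only a bare leftmost "*" wildcard is tolerated; partial
    # wildcards ("intra*") or wildcards deeper in the name are rejected.
    if any("*" in lbl for lbl in labels[1:]) or ("*" in labels[0] and labels[0] != "*"):
        return False

    return labels[-1] in permitted_tlds


def evaluate_san(san_entries, permitted_tlds=PERMITTED_TLDS):
    """Split SAN entries into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for entry in san_entries:
        (accepted if is_permitted_name(entry, permitted_tlds) else rejected).append(entry)
    return accepted, rejected


def cert_would_fail(san_entries, permitted_tlds=PERMITTED_TLDS) -> bool:
    """True if the certificate would be rejected under the constraint.

    Assumption: as with an X.509 name constraint, one excluded dNSName in
    the SAN invalidates the whole chain, so a short intranet alias breaks
    the certificate even when an FQDN is also present.
    """
    return bool(evaluate_san(san_entries, permitted_tlds)[1])


if __name__ == "__main__":
    # Constructed sample SAN lists; not real agency certificates.
    samples = {
        "intranet alias + FQDN": ["intranetapp", "intranetapp.agency.gov"],
        "FQDN + IP": ["www.agency.gov", "10.0.0.5"],
        "wildcard .mil": ["*.agency.mil"],
        "non-federal TLD": ["portal.agency.com"],
    }
    for label, san in samples.items():
        accepted, rejected = evaluate_san(san)
        verdict = "FAIL" if cert_would_fail(san) else "ok"
        print(f"{label:24s} {verdict:4s} rejected={rejected}")
```

Run it against the SAN lists exported from your own server certificates (for example, with `certutil -dump` on Windows) to produce the inventory of intranet aliases that would need to be re-issued as fully qualified names.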

Network Administrator's FAQs for Option 2

NOTE: TBD.

Microsoft Certificate Trust Lists (CTL) recommended reading

To prepare for these changes, please review these Microsoft documents:

  1. Microsoft Trusted Root Certificate...Government CA Requirements{:target="_blank"}
  2. Certificate Trust List Overview{:target="_blank"}
  3. Configure Trusted Roots and Disallowed Certificates{:target="_blank"}

1. Binding Operational Directive 18-01, Enhance Email and Web Security, U.S. Department of Homeland Security, October 16, 2017, BOD 18-01{:target="_blank"}. Additional information at: [https://cyber.dhs.gov/]{:target="_blank"}