Federal Common Policy CA Removal from Apple Trust Stores Impact
This announcement has been archived and is hosted solely for historical reference. It is no longer being updated or maintained.
Upcoming changes regarding Apple devices and operating systems could impact your agency. The Federal PKI Policy Authority has elected to remove our U.S. Government Root CA certificate (Federal Common Policy CA [COMMON]) from Apple’s pre-installed Operating System Trust Stores.
Starting in the release of macOS Mojave, iOS 12, and tvOS 12, government users of Apple devices will receive errors when encountering instances of a Federal PKI CA-issued certificate. You can mitigate the impact for government intranets and the government-furnished Apple devices.
Apple Operating System Release Dates
- iOS 12: September 17, 2018
- tvOS 12: September 17, 2018
- macOS Mojave: September 24, 2018
The FPKIPA has also elected to remove the Federal Common Policy CA root certificate from Microsoft’s Trust Store.
How Does This Work?
Apple currently distributes the Federal Common Policy CA (COMMON) through its pre-installed operating system Trust Stores for iOS, macOS, and tvOS.
Three root CA certificate types reside in Apple’s Trust Stores:
- Trusted Certificates — Trusted certificates that establish a chain of trust.
- Always Ask — Untrusted certificates that are not blocked. If a resource (e.g., website or signed email) chains to one of these certificates, the Apple operating system will ask you to choose whether or not to trust it.
- Blocked — Potentially compromised certificates that will never be trusted.
These certificate types are stored within Apple Keychains:
- Login Keychain — Certificates associated with a user account logged into a device.
- System Keychain — Certificates associated with all user accounts on a device (similar to the Microsoft Windows’ Local Machine certificate store).
- System Roots Keychain — Includes Apple’s pre-installed, trusted root CA certificates. COMMON will be removed from this Keychain.
What Will Be Impacted?
These Apple operating system versions (and all subsequent versions) will be impacted:
|Mojave (10.14), Release 9/24/18||iOS 12, Release 9/17/18||tvOS 12, Release 9/17/18|
Government users will receive errors on government-furnished Apple devices if any of these are true:
- Logging into a government network with a PIV credential
- Authenticating to a government Virtual Private Network (VPN) endpoint with a PIV credential
- Authenticating to an internet-facing, government collaboration portal with a PIV credential
- Browsing with Safari, Chrome, or Edge (iOS) to a government intranet website that uses a Federal PKI CA-issued TLS/SSL certificate
- Opening an Apple Mail or Microsoft Outlook email that was digitally signed using a Federal PKI CA-issued certificate
- Opening a Microsoft Office document that was digitally signed with a Federal PKI CA-issued certificate
This change will also impact Federal Government partners that rely on COMMON—for example, a Department of Defense employee sending a digitally signed email to a business partner.
You can mitigate the risk to government missions, intranets, applications, and government-furnished equipment.
If you are unsure whether your applications will be affected, email us at email@example.com.
Frequently Asked Questions
1. Is PIV network login impacted?
2. What versions are affected?
Please see What Will Be Impacted?.