How do I find the right certification path and which specific certificates I need? #388

Open
idmken opened this issue Jan 28, 2022 · 7 comments

@idmken
Contributor

idmken commented Jan 28, 2022

Description of Issue:

A user needs to build a certificate bundle for trust store management. How do they identify what paths they need?

There are multiple pages in FPKI guide that show a separate process to figure out a path, but nothing on how to build a bundle.

  1. PIV CAs and Agencies - This page shows which agencies use which issuer and specifically which issuer certificate. Someone would need to manually connect the issuer's name back to either FCPCA G2 or a certificate under FCPCAG2.
  2. FPKI Graph - This page shows a generic path using the subject name. A user could take the issuer subject name and find a complete path. The graph doesn't share the specific certificate they need, just a generic path.
  3. FCPCA G2 - This page shows which specific certificates are issued under the Federal Common Policy.

Once they know what certificates they need, they need to figure out how to make a bundle. This is only for PIV. With agencies issuing PIV-I, there is no guidance on how to identify or build a path for PIV-I.

One practical example is if an agency is presented as a PIV or PIV-I their existing configuration builds a path. How can an agency verify that path is correct?

Suggestions

Create a new page on how to identify a path and then build a bundle for both PIV or PIV-I

@idmken
Contributor Author

idmken commented Jan 28, 2022

Additionally, someone can verify if a certificate meets a profile by using the CPCT.

@maxwellfunk
Contributor

the actual CA certs can be found in the crawler cert bundle of all certs that validate to common from the following file:
https://github.com/GSA/ficam-playbooks/blob/federalist-pages/_fpki/tools/CACertificatesValidatingToFederalCommonPolicyG2.p7b

@claytonjbarnette claytonjbarnette transferred this issue from GSA/ficam-playbooks Jul 24, 2023
@id2win
Contributor

id2win commented Aug 22, 2023

@rsherwood-gsa is this related to the graph you maintain?

@rsherwood-gsa
Contributor

It was opened over a year and a half ago, so I'm not sure if it's related to what we've done. This is a more generic question from Ken about constructing a set of certificates for use in a relying party environment. The desired outcome of this appears to be a playbook.

@idmken
Contributor Author

idmken commented Mar 6, 2024

We get a lot of questions of "what is the latest CA for this PIV" or "I want to trust all certs from x vendor". I share the two or three pages I mentioned and it seems like we can make this more efficient somehow.

@rsherwood-gsa
Contributor

Let's list out some use cases. Let me know if I'm on the right track:

  1. I am a human administrator who has a certificate (either mine or someone else's) and I want a tool that lets me independently generate the latest valid path so I can see whether it's valid, or whether my existing tool is building the correct path. This will generally be a set of one-off requests.
  2. I need to trust a subset of issued certificates and I need to be able to get a certificate bundle that will allow my software to trust only the CAs that issue the certificates I want to trust. This may be something I want to do regularly, when a new system is set up or when one of the certs in my old path expires.

Any other use cases?
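Use cases 1 and 2 above, as an added example that is not part of this issue or of the ficam-playbooks project: independently build a path from an end-entity certificate to a trust anchor by checking that each issuer actually signed the certificate (not just that the names match), then export only the CAs on that path as the bundle a relying party would import. It assumes the `cryptography` Python library; the certificate hierarchy is a constructed toy (including a look-alike CA with the right name but the wrong key, and a leaf under an untrusted root) and its names are placeholders, not the real FPKI CAs.

```python
# Added example (not from the issue or the ficam-playbooks project): build an
# X.509 path from a leaf to a trusted root and export only the CAs on it.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def issue(subject_cn, is_ca_cert, issuer=None):
    """Create a toy certificate. issuer is the (cert, key) pair of the signer,
    or None for a self-signed root. Returns (cert, key)."""
    key = ec.generate_private_key(ec.SECP256R1())
    if issuer is None:
        issuer_name, signer_key = _name(subject_cn), key
    else:
        issuer_name, signer_key = issuer[0].subject, issuer[1]
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(issuer_name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca_cert, path_length=None), critical=True)
        .sign(signer_key, hashes.SHA256())
    )
    return cert, key


def is_ca(cert):
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False


def signed_by(cert, candidate):
    """True only if candidate is a CA whose name matches cert's issuer AND whose
    key verifies cert's signature; a name match alone is not trust."""
    if cert.issuer != candidate.subject or not is_ca(candidate):
        return False
    try:
        candidate.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                      ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def build_path(leaf, intermediates, trust_anchors):
    """Return [leaf, ..., anchor], or raise ValueError if no anchor is reachable."""
    path, current, used = [leaf], leaf, set()
    while True:
        anchor = next((a for a in trust_anchors if signed_by(current, a)), None)
        if anchor is not None:
            return path + [anchor]
        parent = next((c for c in intermediates
                       if c.fingerprint(hashes.SHA256()) not in used and signed_by(current, c)), None)
        if parent is None:
            raise ValueError("no path to a trust anchor from " + current.subject.rfc4514_string())
        used.add(parent.fingerprint(hashes.SHA256()))  # never revisit a CA (loop guard)
        path.append(parent)
        current = parent


def chains_to_anchor(leaf, intermediates, trust_anchors):
    try:
        build_path(leaf, intermediates, trust_anchors)
        return True
    except ValueError:
        return False


def ca_bundle_pem(path):
    """The bundle a relying party imports: every CA on the path, never the end-entity cert."""
    return b"".join(c.public_bytes(serialization.Encoding.PEM) for c in path[1:])


def path_subjects(path):
    return [c.subject.rfc4514_string() for c in path]


# Constructed toy hierarchy; the names are placeholders, not the real FPKI CAs.
ROOT = issue("Toy Federal Common Policy CA G2", True)
AGENCY_CA = issue("Toy Agency Issuing CA", True, ROOT)
VENDOR_CA = issue("Toy Vendor Issuing CA", True, ROOT)
PIV_AUTH = issue("Toy PIV Authentication", False, AGENCY_CA)
# Look-alike CA: same subject name as AGENCY_CA but a different key; the
# signature check must reject it even though the name matches.
LOOKALIKE_CA = issue("Toy Agency Issuing CA", True)
ROGUE_ROOT = issue("Toy Rogue Root", True)           # not in the trust anchors
ROGUE_LEAF = issue("Toy Rogue Leaf", False, ROGUE_ROOT)

TRUST_ANCHORS = [ROOT[0]]
INTERMEDIATES = [LOOKALIKE_CA[0], VENDOR_CA[0], AGENCY_CA[0]]

if __name__ == "__main__":
    p = build_path(PIV_AUTH[0], INTERMEDIATES, TRUST_ANCHORS)
    print(" -> ".join(path_subjects(p)))
    print(ca_bundle_pem(p).decode())
```

To run this against real material rather than the toy hierarchy, load the intermediates from a crawler bundle such as the .p7b linked earlier (`cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_certificates`) and put only the root you actually trust in `TRUST_ANCHORS`; the resulting bundle then contains exactly the CAs needed for that card, which is use case 2. The toy CAs here use ECDSA keys, so the verify call uses `ec.ECDSA`; real bundles mix RSA and EC issuers, so a production tool would dispatch on the issuer key type (or use the library's path validation API where available) and also check validity periods and revocation, which this example deliberately leaves out.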

@maxwellfunk
Contributor

I don't know if we can get down to the independent trust path level, but the planned installroot coordination with DoD would at least give us the ability to provide for several categories of trust and the ability to export those bundles.
