Merge pull request #648 from GSA/staging

Production Update 1030

_data/fips201announcements.yml

@@ -3,6 +3,16 @@
 # If announcement content is full summary, leave 'url' blank, set soure to 'IDManagement.gov' and doctype = 'Announcement'
 # HTML tags can be included inline with summary information.
 
+- name: "Removed Product List (RPL) Update: Identiv Velocity (APL #10013) with HID Global Validation System for Hirsch-Identiv Velocity (APL #10014) moved to the RPL." 
+  summary: "<p>As requested by the vendor, the Identiv Velocity (APL #10013) with HID Global Validation System for Hirsch-Identiv Velocity (APL #10014) will be moved to the RPL, effective October 16, 2023</p>"
+  pubdate: October 16, 2023
+  url: 
+  source: IDManagement.gov
+  target: _blank
+  expanded: false
+  doctype: Announcement
+  status: Active
+
 - name: GSA FIPS 201 EP initial version of the FRTC for PACS Alternative Authenticators, version 1.0 
   summary: <p>The initial version of the FRTC for PACS Alternative Authenticators, version 1.0 has been published for public review and comments under the Physical Access Control System section.</p><p>This document will be continuously updated as emerging technology and standards supporting FICAM compliance become available. Please review the document and provide your comments to <a href="mailto&#58;[email protected]">[email protected]</a> by November 30, 2023.</p>
   pubdate: September 26, 2023
@@ -238,4 +248,4 @@
   target: _blank
   expanded: false
   doctype: Announcement
-  status: Archive
+  status: Archive

_data/fips201pacs1301.yml

@@ -299,39 +299,40 @@
   reader8: pivCLASS R40 Contactless Reader
   reader8url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf
   reader8apl: 10006
-
-- category: 13.01
-  fipsstatus: Approved
-  infrastructure: Identiv Velocity
-  infraurl: /docs/apl-10013-hirsch.pdf
-  infraapl: 10013
-  validation: HID Global Validation System for Hirsch-Identiv Velocity
-  valurl: /docs/apl-10014-hirsch-validation.pdf
-  valapl: 10014
-  reader1: pivCLASS RKCLB40 Contact/Contactless Reader + PIN + BIO
-  reader1url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf
-  reader1apl: 10052
-  reader2: pivCLASS RKCL40 Contact/Contactless Reader + PIN
-  reader2url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf
-  reader2apl: 10007
-  reader3: pivCLASS RK40 Contactless Reader + PIN
-  reader3url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf
-  reader3apl: 10004
-  reader4: pivCLASS RPKCLB40 Contact/Contactless Reader + PIN + BIO
-  reader4url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf
-  reader4apl: 10026
-  reader5: pivCLASS RPKCL40 Contact/Contactless Reader + PIN
-  reader5url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf
-  reader5apl: 10008
-  reader6: 	pivCLASS RPK40 Contactless Reader + PIN
-  reader6url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf
-  reader6apl: 10005
-  reader7: pivCLASS RP40 Contactless Reader
-  reader7url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf
-  reader7apl: 10003
-  reader8: pivCLASS R40 Contactless Reader
-  reader8url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf
-  reader8apl: 10006
+
+# Requested to removed on 10-17-2023 - CB (pause deleting data, clean up later, if no return to listing)  
+# - category: 13.01
+#   fipsstatus: Approved
+#   infrastructure: Identiv Velocity
+#   infraurl: /docs/apl-10013-hirsch.pdf
+#   infraapl: 10013
+#   validation: HID Global Validation System for Hirsch-Identiv Velocity
+#   valurl: /docs/apl-10014-hirsch-validation.pdf
+#   valapl: 10014
+#   reader1: pivCLASS RKCLB40 Contact/Contactless Reader + PIN + BIO
+#   reader1url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf
+#   reader1apl: 10052
+#   reader2: pivCLASS RKCL40 Contact/Contactless Reader + PIN
+#   reader2url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf
+#   reader2apl: 10007
+#   reader3: pivCLASS RK40 Contactless Reader + PIN
+#   reader3url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf
+#   reader3apl: 10004
+#   reader4: pivCLASS RPKCLB40 Contact/Contactless Reader + PIN + BIO
+#   reader4url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf
+#   reader4apl: 10026
+#   reader5: pivCLASS RPKCL40 Contact/Contactless Reader + PIN
+#   reader5url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf
+#   reader5apl: 10008 
+#   reader6: 	pivCLASS RPK40 Contactless Reader + PIN
+#   reader6url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf
+#   reader6apl: 10005
+#   reader7: pivCLASS RP40 Contactless Reader
+#   reader7url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf
+#   reader7apl: 10003
+#   reader8: pivCLASS R40 Contactless Reader
+#   reader8url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf
+#   reader8apl: 10006
 
 - category: 13.01
   fipsstatus: Approved

_data/fips201rpl.yml

@@ -1,5 +1,23 @@
 # FIPS 201 Removed Product List
 
+-   category: 'PACS Validation System'
+    supplier: 'HID Global'
+    nameProduct: 'pivCLASS validation system 5.20 for Hirsch-Identiv Velocity 3.8.4'
+    numberProduct: 'PVCP-D/S-08-00, PVC-CM, PVC-FXRDR, PVC-IDPubULN, 91000BNNN'
+    dateRemoval: 'Monday, October 16, 2023'
+    numberApl: '10014'
+    reason: 'Per vendor request'
+    status: post
+
+-   category: 'PACS Infrastructure'
+    supplier: 'Identiv'
+    nameProduct: 'Identiv Velocity 3.8.4 w/pivCLASS validation 5.20'
+    numberProduct: 'VELFED, MX1/ MX2/ MX4/ MX8, SNIB3'
+    dateRemoval: 'Monday, October 16, 2023'
+    numberApl: '10013'
+    reason: 'Per vendor request'
+    status: post
+
 -   category: 'PACS Infrastructure'
     supplier: 'American Direct Procurement, Inc.'
     nameProduct: 'Quintron AccessNsite'

_data/fpkiannouncements.yml

@@ -1,5 +1,11 @@
 ## FPKI announcements
 
+- title: CPCT Tool Update:<br>New Certificate Profiles
+  pubDate: October 18, 2023
+  url: /implement/announcements/cpct-profile-update/
+  description: The Certificate Profiles used by the CPCT Tool have updated to Common SSP (v2.5) and FBCA (v3.2). CPCT Tool update required.
+  status: Active
+
 - title: Public Trust PKI Certificate Policy
   pubDate: February 10, 2023
   url: /implement/announcements/PT-TLS-CP/

_data/fpkinotifications.yml

@@ -26,27 +26,42 @@
 # ee_cdp_uri:
 # ee_ocsp_uri:
 
-- notice_date: 10/6/2023
-  change_type: Intent to Issue CA Certificate
+- notice_date: October 26, 2023
+  change_type: CA Certificate Issuance
   system: FPKI Trust Infrastructure - Federal Bridge CA G4
-  change_description: The Federal Bridge CA G4 intends to issue a new cross certificate to the DirectTrust Identity Bridge CA between 10/23/2023 and 10/30/2023
+  change_description: The Federal Bridge CA G4 issued a new cross certificate to the DirectTrust Identity Bridge CA
   contact: fpki dash help at gsa dot gov
-  ca_certificate_hash: N/A
+  ca_certificate_hash: ddd7246c86b2e0a3ac2fc7a7dbb7430b935eba2f
   ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
   ca_certificate_subject: CN=DirectTrust Identity Bridge CA, OU=Certification Authorities, O=DirectTrust.org, inc., C=US
   cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
   aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
-  sia_uri: http://aia.makeidentitysafe.com/issuedby-sibca.p7c
+  sia_uri: http://ipki.uspto.gov/IPKI/Certs/IPKICACerts.p7c
   ocsp_uri: N/A
   ee_cdp_uri: N/A
   ee_ocsp_uri: N/A
 
-- notice_date: 10/6/2023
-  change_type: Intent to Issue CA Certificate
-  system: FPKI Trust Infrastructure - Federal Bridge CA G4
-  change_description: The Federal Bridge CA G4 intends to issue a new cross certificate to the USPTO_INTR_CA1 between 10/19/2023 and 10/26/2023
+- notice_date: October 25, 2023
+  change_type: Intent to Issue a CA Certificate
+  system: FPKI Trust Infrastructure - Federal Common Policy CA G2
+  change_description: The Federal Common Policy CA G2 intends to issue a new cross certificate to the U.S. Department of State AD Root CA between 11/08/2023 and 11/15/2023
   contact: fpki dash help at gsa dot gov
   ca_certificate_hash: N/A
+  ca_certificate_issuer: CN=Federal Common Policy CA G2, OU=FPKI, O=U.S. Government, C=US
+  ca_certificate_subject: CN=U.S. Department of State AD Root CA, CN=AIA, CN=Public Key Services, CN=Services, CN=Configuration, DC=state, DC=sbu
+  cdp_uri: http://repo.fpki.gov/fcpca/fcpcag2.crl
+  aia_uri: http://repo.fpki.gov/fcpca/caCertsIssuedTofcpcag2.p7c
+  sia_uri: http://crls.pki.state.gov/SIA/CertsIssuedByADRootCA.p7c
+  ocsp_uri: N/A
+  ee_cdp_uri: N/A
+  ee_ocsp_uri: N/A
+
+- notice_date: October 20, 2023
+  change_type: CA Certificate Issuance
+  system: FPKI Trust Infrastructure - Federal Bridge CA G4
+  change_description: The Federal Bridge CA G4 issued a new cross certificate to the USPTO_INTR_CA1 with validity from 10/19/2023 to 10/19/2026
+  contact: fpki dash help at gsa dot gov
+  ca_certificate_hash: 02ecec9eb7229055c57caeaade6f1ae056fb4327
   ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
   ca_certificate_subject: CN=USPTO_INTR_CA1, CN=AIA, CN=Public Key Services, CN=Services, CN=Configuration, DC=uspto, DC=gov
   cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
@@ -55,13 +70,13 @@
   ocsp_uri: N/A
   ee_cdp_uri: http://ipki.uspto.gov/IPKI/CRLs/CombinedCRL4.crl
   ee_ocsp_uri: N/A
-  
-- notice_date: 9/13/2023
+
+- notice_date: October 20, 2023
   change_type: CA Certificate Issuance
   system: IdenTrust Global Common Root CA 1
-  change_description: Issued new CA certificate to Advanced Health Systems Inc, valid from 9/6/2023, valid through 9/2/2033
+  change_description: Issued new CA certificate to Advanced Health Systems Inc, valid from 10/12/2023 to 10/8/2033
   contact: product at IdenTrust dot com
-  ca_certificate_hash: 6e5b4ce0f68333d86456c85faaeeee6cdebc3124
+  ca_certificate_hash: c6fa3d4cdf28e118b9bc2790734e9cf257279c1f
   ca_certificate_issuer: CN = IdenTrust Global Common Root CA 1, O = IdenTrust, C = US
   ca_certificate_subject: CN = Advanced Health Systems Inc Direct CA 2, OU = IdenTrust Global Common, O = IdenTrust, S = Mississippi, C = US
   cdp_uri: http://validation.identrust.com/crl/igcrootca1.crl
@@ -70,7 +85,37 @@
   ocsp_uri: http://igc.ocsp.identrust.com
   ee_cdp_uri: N/A
   ee_ocsp_uri: N/A
-
+
+- notice_date: October 6, 2023
+  change_type: Intent to Issue CA Certificate
+  system: FPKI Trust Infrastructure - Federal Bridge CA G4
+  change_description: The Federal Bridge CA G4 intends to issue a new cross certificate to the DirectTrust Identity Bridge CA between 10/23/2023 and 10/30/2023
+  contact: fpki dash help at gsa dot gov
+  ca_certificate_hash: N/A
+  ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+  ca_certificate_subject: CN=DirectTrust Identity Bridge CA, OU=Certification Authorities, O=DirectTrust.org, inc., C=US
+  cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
+  aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
+  sia_uri: http://aia.makeidentitysafe.com/issuedby-sibca.p7c
+  ocsp_uri: N/A
+  ee_cdp_uri: N/A
+  ee_ocsp_uri: N/A
+
+- notice_date: October 6, 2023
+  change_type: Intent to Issue CA Certificate
+  system: FPKI Trust Infrastructure - Federal Bridge CA G4
+  change_description: The Federal Bridge CA G4 intends to issue a new cross certificate to the USPTO_INTR_CA1 between 10/19/2023 and 10/26/2023
+  contact: fpki dash help at gsa dot gov
+  ca_certificate_hash: N/A
+  ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+  ca_certificate_subject: CN=USPTO_INTR_CA1, CN=AIA, CN=Public Key Services, CN=Services, CN=Configuration, DC=uspto, DC=gov
+  cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
+  aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
+  sia_uri: http://ipki.uspto.gov/IPKI/Certs/IPKICACerts.p7c
+  ocsp_uri: N/A
+  ee_cdp_uri: http://ipki.uspto.gov/IPKI/CRLs/CombinedCRL4.crl
+  ee_ocsp_uri: N/A
+
 - notice_date: August 29, 2023
   change_type: CA Certificate Issuance
   system: TSCP SHA256 Bridge CA
@@ -101,7 +146,6 @@
   ee_cdp_uri: http://pub.carillonfedserv.com/CRL/CFSCA2.crl
   ee_ocsp_uri: http://pub.carillonfedserv.com/ocsp
 
-
 - notice_date: August 18, 2023
   change_type: CA Certificate Issuance
   system: FPKI Trust Infrastructure - Federal Common Policy CA G2

_data/navigation.yml

@@ -103,10 +103,11 @@ playbooks:
   - text: Windows Hello for Business Playbook
     href: /playbooks/whfb/
 
-# Announcements moved to internal page see: /fpki/notifications/#fpki-announcements  
-# fpkiannouncements:
-#   - text: Back to FPKI Page
-#     href: /fpki/notifications
+# Announcements moved to internal page see: /fpki/notifications/#fpki-announcements
+# Added 'Back to FPKI Notifications' to help users return to notifications 
+fpkiannouncements:
+  - text: Back to FPKI Announcements
+    href: /fpki/notifications 
 #   - text: Public Trust TLS PKI CP
 #     href: /fpki/announcements/PT-TLS-CP/
 #   - text: CPCT Tool Update

_implement/announcements/14_cpct_profile_update.md

@@ -0,0 +1,53 @@
+---
+
+layout: page
+title: CPCT Tool Update:<br>New Certificate Profiles
+pubDate: 10/18/2023
+removeDate: 10/18/2026
+collection: implement
+permalink: /implement/announcements/cpct-profile-update/
+description: The Certificate Profiles used by the CPCT Tool have updated to Common SSP (v2.5) and FBCA (v3.2). CPCT Tool update required.
+category: Active
+sticky_sidenav: true
+sidenav: fpkiannouncements
+
+---
+
+In order to keep this tool up-to-date and using the latest Certificate Profiles, users are required to update any local copies of the CPCT Tool they have previously installed to the latest release of the CPCT Tool (CPCT). First, by removing the old version, then downloading and installing the latest release version: see the download link below.
+
+- [Download the latest CPCT Tool release](https://github.com/GSA/cpct-tool/releases){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
+
+New Certificate Profile updates include:
+
+- (NEW) Common SSP (v2.5) Profiles
+- (NEW) FBCA (v3.2) Profiles
+- (NEW) Merging of the PIV-I Profiles into the FBCA (v3.2) Profiles.
+- PIV-I Profiles v1.2 and v1.3 remain unchanged for legacy and backwards compatibility.
+
+For more information about Profile changes, see: [changelog](https://github.com/GSA/fpkilint/blob/dev/changelog.md){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}.
+
+## CPCT Update Instructions
+
+In order to update the CPCT tool you will need to remove any existing instances of the Docker image, and subsequently download the latest release and run the installer. Please find the following links with more detailed instructions on this update process:
+
+1. [Remove the current Docker image](https://github.com/GSA/cpct-tool/wiki/Removing-Docker-Images){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
+2. [Update the CPCT Tool](https://github.com/GSA/cpct-tool/wiki/Updating-the-CPCT-Tool){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
+3. [Installing the CPCT Tool](https://github.com/GSA/cpct-tool/wiki/Installing-the-CPCT-Tool){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
+
+## Additional Resources
+
+- [CPCT Tool release page](https://github.com/GSA/cpct-tool/releases){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
+- [CPCT Tool Wiki](https://github.com/GSA/cpct-tool/wiki){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
+- [Submit a CPCT Tool issue](https://github.com/GSA/cpct-tool/issues){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
+- [Certificate Profile Conformance Tool (CPCT) GitHub repo](https://github.com/GSA/fpkilint){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
+- [Submit a Certificate Profile Conformance Tool (CPCT) issue](https://github.com/GSA/fpkilint/issues){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
+
+**What's the difference between the CPCT Tool (CPCT) and the Certificate Profile Conformance Tool (CPCT)?**
+
+- The CPCT Tool (CPCT) is a Dockerized version of the Certificate Profile Conformance Tool (CPCT) you install on your computer via Docker Desktop. This is GSA's recommended way to install and use the CPCT Tool
+- The Certificate Profile Conformance Tool (CPCT) is the original code of the web hosted version of the tool, which was removed from service on October 10, 2022.
+
+For more information see: [CPCT Tool transition from Cloud.gov]({{site.url}}/implement/announcements/cpct-transition/){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
+
+If you have any questions regarding this action please contact:
+fpki dash help at gsa dot gov

_implement/fpki_notifications.md

@@ -74,7 +74,7 @@ These announcements and hot topics concern Federal Public Key Infrastructure cha
 <script type="text/javascript" src="{{ site.baseurl }}/assets/js/gexfjs.js"></script>
 <script type="text/javascript" src="{{ site.baseurl }}/assets/js/config.js"></script>
 
-**Last Update**: October 17, 2023
+**Last Update**: October 27, 2023
 
 {% include graph.html %}
 
@@ -137,7 +137,7 @@ The page lists the certification authorities *currently* used for Personal Ident
         {% if piv.branch == branch %}
           <tr class="piv-table-row" data-branch="{{ piv.branch }}">
             <td headers="piv-table-heading-{{ branch | slugify }} piv-table-heading-agency">{{ piv.agency }}</td>
-            <td headers="piv-table-heading-{{ branch | slugify }} piv-table-heading-ca"><a href="{{ piv.url | prepend: site.baseurl }}">{{ piv.ca }}</a></td>
+            <td headers="piv-table-heading-{{ branch | slugify }} piv-table-heading-ca">{{ piv.ca }}</td>
           </tr>
         {% endif %}
       {% endfor %} <!--piv-->
@@ -400,10 +400,10 @@ These CA certificates are actively issuing PIV , PIV-I and/or Derived PIV authen
 #### USPTO INTR CA1
 - Subject: CN = USPTO_INTR_CA1, CN = AIA, CN = Public Key Services, CN = Services, CN = Configuration, DC = uspto, DC = gov
 - Issuer: CN = USPTO_INTR_CA1, CN = AIA, CN = Public Key Services, CN = Services, CN = Configuration, DC = uspto, DC = gov
-- Serial #: 4c296f47
-- Validity: April 7, 2018 to December 7, 2029
-- SHA-1 Hash: bc67b9e65ee05c3742c27187259ded3e6112a587
-- CRL DP: [http://ipki.uspto.gov/IPKI/CRLs/CombinedCRL3.crl](http://ipki.uspto.gov/IPKI/CRLs/CombinedCRL3.crl){:target="_blank"}{:rel="noopener noreferrer"}
+- Serial #: 162a8a8ddfb79fa3460a7a92765926fb108fd6aa
+- Validity: October 19, 2023 to October 19, 2026
+- SHA-1 Hash: 02ecec9eb7229055c57caeaade6f1ae056fb4327
+- CRL DP: [http://ipki.uspto.gov/IPKI/CRLs/CombinedCRL4.crl](http://ipki.uspto.gov/IPKI/CRLs/CombinedCRL4.crl){:target="_blank"}{:rel="noopener noreferrer"}
 
 #### Veterans Affairs User CA B1
 - Subject: CN = Veterans Affairs User CA B1, OU = PKI, OU = Services, DC = va, DC = gov
@@ -642,6 +642,14 @@ These CA certificates have issued PIV, PIV-I and/or Derived PIV authentication c
 - SHA-1 Hash: dc5b590800765864587902af983c21a7209be320
 - CRL DP: [http://onsite-crl.pki.digicert.com/USDepartmentofTransportationFAAPIVG4/LatestCRL.crl](http://onsite-crl.pki.digicert.com/USDepartmentofTransportationFAAPIVG4/LatestCRL.crl){:target="_blank"}{:rel="noopener noreferrer"}
 
+#### USPTO INTR CA1
+- Subject: CN = USPTO_INTR_CA1, CN = AIA, CN = Public Key Services, CN = Services, CN = Configuration, DC = uspto, DC = gov
+- Issuer: CN = USPTO_INTR_CA1, CN = AIA, CN = Public Key Services, CN = Services, CN = Configuration, DC = uspto, DC = gov
+- Serial #: 4c296f47
+- Validity: April 7, 2018 to December 7, 2029
+- SHA-1 Hash: bc67b9e65ee05c3742c27187259ded3e6112a587
+- CRL DP: [http://ipki.uspto.gov/IPKI/CRLs/CombinedCRL3.crl](http://ipki.uspto.gov/IPKI/CRLs/CombinedCRL3.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
 ## FPKI System Changes and Notifications
 
 This page lists the changes to certification authorities and supporting systems operating within the Federal PKI community.