auto fpki graph update (20210112)

[ryancdickson]

@idmken

Please find this week's Federal PKI Crawler/Graph update (January 12, 2021 execution).

Live Preview: https://federalist-2147738e-703c-4833-9101-89d779f09ce1.app.cloud.gov/preview/gsa/fpki-guides/20210112-auto-fpki-graph-update/tools/fpkigraph/

Nodes Added or Removed (compared to January 5, 2021 execution):

• No change.

Edges Added or Removed (compared to December 22, 2020 execution):

• E1 (ADDED): OU=Entrust Managed Services Root CA,OU=Certification Authorities,O=Entrust,C=US -> OU=Entrust Managed Services Root CA,OU=Certification Authorities,O=Entrust,C=US

Root Cause Analysis:

• E1: Entrust published the "link certificate" to allow PIV credential certificates issued prior to the most recent Entrust Managed Services Root CA re-key (August 2019) to chain to the new Federal Common Policy CA G2. Certificate details:
  • Subject: OU=Entrust Managed Services Root CA, OU=Certification Authorities, O=Entrust, C=US
  • Issuer: OU=Entrust Managed Services Root CA, OU=Certification Authorities, O=Entrust, C=US
  • Validity: 7/23/2015 to 7/23/2025
  • Serial: 4481077b
  • SHA1 Hash: 855d98c924b3ee6216b1b8e25b4342f70565c394
  • Key Size: 2048-bit (RSA)
  • Signing Algorithm: SHA-256 with RSA

Other updates:

• Updated Federal Common Policy CA G2 migration content:
  • FAQ: to include discussion on the link certificate ("Why aren’t some Entrust Federal Shared Service Provider issued PIV credential certificates chaining to FCPCA G2?")
  • Migrate: to help better distinguish certificate distrust on macOS compared to Windows (recommended by NASA)
• Added System notifications for #814 and #721