PKI certificates (user certificates) must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-26683 | DS00.2141_2003 | SV-33885r1_rule | IAKM-1 IAKM-2 IATS-1 IATS-2 | High |
| Description |
|---|
| A PKI implementation depends on the practices established by the Certificate Authority to ensure that the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions. |
| STIG | Date |
|---|---|
| Active Directory Service 2008 Security Technical Implementation Guide (STIG) | 2011-05-23 |
Details
| Check Text ( C-14091r2_chk ) |
|---|
| This check verifies the proper use of PKI certificates for the user accounts defined in the directory. Account Certificate Procedures: - Ask the SA to identify one or more account entries in the directory, that the local SA group is responsible for, for which a PKI certificate has been imported. - Start the Active Directory Users and Computers console (“Start”, “Run…”, “dsa.msc”). - Select the Users container or the OU in which the accounts identified by the SA are defined. For *each* of the accounts identified: -- Right-click the entry and select the Properties item. -- Select the Published Certificates tab. -- Examine the Issued By field for the certificates to determine the issuing CA. - If the Issued By field of any PKI certificate being stored with an account definition that the local SA group is responsible for does not indicate that the issuing Certificate Authority (CA) is part of the DoD PKI or an approved ECA, then this is a finding. |
| Fix Text (F-14336r1_fix) |
|---|
| - Replace the unauthorized certificates with ones issued by the DoD PKI or an approved External Certificate Authority. |