
The IDPS must validate certificates used for PKI-based authentication by constructing a certification path with status information to an accepted trust anchor.


Overview

Finding ID: SRG-NET-000164-IDPS-000152
Version: SRG-NET-000164-IDPS-000152
Rule ID: SRG-NET-000164-IDPS-000152_rule
IA Controls: none listed
Severity: Medium
Description
A trust anchor is an authoritative entity represented by a public key. Within a chain of trust, the top entity to be trusted is the "root certificate" or "trust anchor", such as a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate that is not already explicitly trusted.
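The description above states the two halves of the requirement: construct a path from the subject certificate through intermediates to an accepted anchor, and bring status information along for every certificate on that path. The following Go program, added here as an illustration and not part of the SRG or of any vendor's IDPS code, shows what such a check looks like in software. It builds a hypothetical root -> intermediate -> leaf PKI in memory (all names, serials and keys are constructed for the demonstration, not DoD PKI material), uses CRLs as the status information, and reports three outcomes: a valid path, the same path when its root is not in the accepted anchor set, and a path whose leaf has been revoked by its issuer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mkCert issues a certificate for cn signed by parentKey; with parent == nil it is self-signed,
// i.e. a root usable as a trust anchor. All keys are generated in memory for this demonstration.
func mkCert(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// mkCRL signs a CRL from issuer listing the given serials as revoked: the status information
// that has to accompany the certification path.
func mkCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, revoked ...*big.Int) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Hour), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, issuer, key))
	return must(x509.ParseRevocationList(der))
}

// validatePath constructs a path from leaf to an anchor in roots, then checks every non-anchor
// certificate on it against a CRL from its issuer: CRL signature, CRL validity window, listed serial.
func validatePath(leaf *x509.Certificate, inters, roots *x509.CertPool, crls []*x509.RevocationList) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return fmt.Errorf("no path to an accepted trust anchor: %w", err)
	}
	byIssuer := map[string]*x509.RevocationList{}
	for _, c := range crls {
		byIssuer[string(c.RawIssuer)] = c
	}
	chain, now := chains[0], time.Now() // chain[0] is the leaf, the last element the trust anchor
	for i := 0; i+1 < len(chain); i++ {
		cert, issuer, name := chain[i], chain[i+1], chain[i].Subject.CommonName
		crl, ok := byIssuer[string(issuer.RawSubject)]
		if !ok {
			return fmt.Errorf("no status information for %q", name)
		}
		if err := crl.CheckSignatureFrom(issuer); err != nil {
			return fmt.Errorf("CRL for %q not signed by its issuer: %w", name, err)
		}
		if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
			return fmt.Errorf("CRL for %q is outside its validity window", name)
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return fmt.Errorf("%q is revoked", name)
			}
		}
	}
	return nil
}

// Scenarios: a valid path, the same path when its root is not an accepted anchor, and a revoked leaf.
func Scenarios() (valid, untrusted, revoked error) {
	root, rootKey := mkCert("Demo Root CA", 1, true, nil, nil)
	inter, interKey := mkCert("Demo Intermediate CA", 2, true, root, rootKey)
	leaf, _ := mkCert("idps-admin", 3, false, inter, interKey)
	inters, roots := x509.NewCertPool(), x509.NewCertPool()
	inters.AddCert(inter)
	roots.AddCert(root)
	clean := []*x509.RevocationList{mkCRL(root, rootKey), mkCRL(inter, interKey)}
	valid = validatePath(leaf, inters, roots, clean)
	untrusted = validatePath(leaf, inters, x509.NewCertPool(), clean) // empty accepted-anchor set
	revoked = validatePath(leaf, inters, roots, []*x509.RevocationList{mkCRL(root, rootKey), mkCRL(inter, interKey, leaf.SerialNumber)})
	return valid, untrusted, revoked
}

func main() {
	fmt.Println(Scenarios())
}
```

The point the check text makes maps onto the `roots` pool: a device that "points to a valid DoD CA" is one whose accepted-anchor set contains that CA and nothing it should not, so the second scenario (a leaf that chains correctly but to an anchor the relying party never accepted) fails exactly as required. The third scenario shows why path construction alone is not enough: the chain is cryptographically sound, yet the issuer's CRL says the leaf is revoked. Go's standard library stops at path construction, so the status checks are written out explicitly; a device would typically obtain the CRL or an OCSP response from the issuer rather than hold it locally.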
STIG: IDPS Security Requirements Guide (SRG)
Date: 2012-03-08

Details

Check Text (C-43291_chk)
Inspect the user function of the device to view the PKI configuration.
Verify the DoD CA has been configured in the certificate validation setting.

If the PKI configuration does not use a valid DoD CA for certificate validation, this is a finding.
Fix Text (F-43291_fix)
Set the PKI certificate validation to point to a valid DoD CA.