1. Open the IIS Manager > Right click on the site being reviewed > Select Properties > Select the Directory Security tab.
2. Under Secure communications > Select Edit > If the Enable certificate trust list is checked, Select Edit.
3. When prompted by the certificate trust list wizard, select Next.
If there are trusted CAs in this list that are not DoD, this is a finding.
NOTE: There are non-DoD roots that must be on the server in order for it to function. Some applications, such as anti-virus programs, require root CAs to function.
NOTE: The PKE InstallRoot 3.06 System Administrator Guide (SAG), dated 8 Jul 2008, contains a complete list of DoD, ECA, and IECA CAs.
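
An added example, not part of the original check text: a Python helper for triaging the CA subject names read off the certificate trust list in step 3. The DoD naming pattern, the bucket names and the sample subjects are assumptions constructed for illustration.

```python
# Assumption: DoD PKI CA subjects carry both RDNs below, as in
# "CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US".
DOD_RDNS = {("OU", "DOD"), ("O", "U.S. GOVERNMENT")}

def parse_dn(dn):
    """Split a DN into upper-cased (TYPE, VALUE) pairs; quoted or escaped commas do not split."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    pairs = (p.partition("=") for p in parts)
    return [(a.strip().upper(), v.strip().upper()) for a, sep, v in pairs if sep]

def triage(subjects, exceptions=()):
    """Bucket each CTL subject: 'dod-named', 'documented-exception' or 'review'."""
    excepted = {tuple(parse_dn(e)) for e in exceptions}
    result = {}
    for subject in subjects:
        rdns = parse_dn(subject)
        if DOD_RDNS <= set(rdns):
            result[subject] = "dod-named"
        elif tuple(rdns) in excepted:
            result[subject] = "documented-exception"
        else:
            result[subject] = "review"  # candidate finding
    return result

# Constructed sample data, not taken from a real server.
SAMPLE_CTL = [
    "CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US",
    'CN=Example Commercial Root, O="Example Corp, Inc.", C=US',
    "CN=DoD Root CA 2, O=Example Lookalike, C=US",  # DoD-like CN only
    "CN=Example AV Vendor Root, O=Example AV Vendor, C=US",
]
SAMPLE_EXCEPTIONS = ["cn=example av vendor root,o=Example AV Vendor,c=US"]
if __name__ == "__main__":
    for subject, bucket in triage(SAMPLE_CTL, SAMPLE_EXCEPTIONS).items():
        print(f"{bucket:22}{subject}")
```

Subject names are self-asserted, so a `dod-named` result is only a first pass; confirm each entry against the CA list in the PKE InstallRoot SAG.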