The Juniper EX switch must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-253943	JUEX-NM-000660	SV-253943r843862_rule		Medium

Description
For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this Certification Authority will suffice.

STIG	Date
Juniper EX Series Switches Network Device Management Security Technical Implementation Guide	2022-08-31

Details

Check Text ( C-57395r843860_chk )
Determine if the network device obtains public key certificates from an appropriate certificate policy through an approved service provider. Verify the certificate is signed by an approved CA via the "show security pki local-certificate" or "show security pki local-certificate detail" commands. If the network device does not obtain its public key certificates from an appropriate certificate policy through an approved service provider, this is a finding.

Check Text ( C-57395r843860_chk )

Determine if the network device obtains public key certificates from an appropriate certificate policy through an approved service provider.

Verify the certificate is signed by an approved CA via the "show security pki local-certificate" or "show security pki local-certificate detail" commands.

If the network device does not obtain its public key certificates from an appropriate certificate policy through an approved service provider, this is a finding.

Fix Text (F-57346r843861_fix)
Configure the network device to obtain its public key certificates from an appropriate certificate policy through an approved service provider. To view installed certificates: show security pki (ca-certificate \| local-certificate) Generate a public/private keypair: request security pki generate-key-pair type size certificate-id Note: ECDSA certificates support 256, 384, or 512 key sizes and RSA supports 1024, 2048, or 4096. Generate a certificate signing request: request security pki generate-certificate-request certificate-id digest domain-name ip-address ipv6-address subject Note: The subject is LDAP formatted. For example, "CN=switch-01,DC=example,DC=com,O=Company,OU=HR,L=Some City,ST=Some State,C=US". Not all key => value pairs are required but those used must match organizational policy. After securely transferring the CSR to the certificate authority for signing, and securely transferring the certificate to the device, add the certificate: request security pki local-certificate load filename certificate-id The certificate can also be generated externally, with separate public and private key files, or a PKCS#12 package containing both certificate and private key. When importing externally generated certificate and private key, use the "key" directive to identify the path and filename of the private key. If the private key, or the PKCS#12 package, uses a passphrase, use the "passphrase" directive and provide the correct value.

Fix Text (F-57346r843861_fix)

Configure the network device to obtain its public key certificates from an appropriate certificate policy through an approved service provider. To view installed certificates:
show security pki (ca-certificate | local-certificate)

Generate a public/private keypair:
request security pki generate-key-pair type size certificate-id
Note: ECDSA certificates support 256, 384, or 512 key sizes and RSA supports 1024, 2048, or 4096.

Generate a certificate signing request:
request security pki generate-certificate-request certificate-id digest domain-name ip-address ipv6-address subject
Note: The subject is LDAP formatted. For example, "CN=switch-01,DC=example,DC=com,O=Company,OU=HR,L=Some City,ST=Some State,C=US". Not all key => value pairs are required but those used must match organizational policy.

After securely transferring the CSR to the certificate authority for signing, and securely transferring the certificate to the device, add the certificate:
request security pki local-certificate load filename certificate-id

The certificate can also be generated externally, with separate public and private key files, or a PKCS#12 package containing both certificate and private key. When importing externally generated certificate and private key, use the "key" directive to identify the path and filename of the private key. If the private key, or the PKCS#12 package, uses a passphrase, use the "passphrase" directive and provide the correct value.