UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The DoD Interoperability Root CA to DoD Root CA 2 cross-certificate must be installed into the Untrusted Certificates Store.


Overview

Finding ID Version Rule ID IA Controls Severity
WN12-PK-000003 WN12-PK-000003 WN12-PK-000003_rule Medium
Description
To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CA 2, the DoD Interoperability Root CA to DoD Root CA 2 cross-certificate must be installed in the Untrusted Certificate Store.
STIG Date
Microsoft Windows Server 2012 Domain Controller Security Technical Implementation Guide 2013-07-25

Details

Check Text ( C-WN12-PK-000003_chk )
Verify the DoD Root CA 2 certificate issued by DoD Interoperability Root CA 1 is installed as an Untrusted Certificate using the Certificates MMC snap-in:
Run "MMC".
Select "File", "Add/Remove Snap-in".
Select "Certificates", click "Add".
Select "Computer account", click "Next".
Select "Local computer: (the computer this console is running on)", click "Finish".
Click "OK".
Expand "Certificates" and navigate to "Untrusted Certificates\Certificates".
Search in the center pane for "DoD Root CA 2" under "Issued To" with "DoD Interoperability Root CA 1" as "Issued By".

If there is no entry for "DoD Root CA 2", this is a finding.

Select "DoD Root CA 2".
Right click and select "Open".
Select the "Details" Tab.
Scroll to the bottom and select "Thumbprint Algorithm".
Verify the Value is "sha1".

If the value for "Thumbprint Algorithm" is not "sha1", this is a finding.

Next select "Thumbprint".

If the value for the "Thumbprint" field is not
"b1:10:5c:d1:0f:c3:70:f5:6b:89:dd:1d:49:f6:d8:30:df:35:f2:de", this is a finding.
Fix Text (F-WN12-PK-000003_fix)
Install the DoD Interoperability Root CA to DoD Root CA 2 cross-certificate. Administrators should run the Federal Bridge Certification Authority (FBCA) Cross-Certificate Removal Tool once as an administrator and once as the current user. The FBCA Cross-Certificate Remover tool and user guide is available on IASE at http://iase.disa.mil/pki-pke/function_pages/tools.html.