UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The network device, when utilizing PKI-based authentication, must accept only certificates issued by a DoD-approved Certificate Authority.


Overview

Finding ID Version Rule ID IA Controls Severity
V-55141 SRG-APP-000175-NDM-000262 SV-69387r2_rule High
Description
Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA.
STIG Date
Network Device Management Security Requirements Guide 2019-09-27

Details

Check Text ( C-55761r2_chk )
When PKI-based authentication is used, verify the network device accepts only certificates issued by a DoD-approved Certificate Authority. Determine if a CA trust point has been configured. The CA trust point will contain the URL for the CA governing the network device. Verify this is a DoD or DoD-approved CA. This requirement may be verified by configuration review or validated test results.

If PKI-based authentication is used and the network device accepts certificates issued by other Certificate Authorities other than a DoD-approved Certificate Authority, this is a finding.
Fix Text (F-60005r2_fix)
Configure the network device to accept only certificates issued by a DoD-approved Certificate Authority.