
A private web server’s list of CAs in a trust hierarchy will lead to the DoD PKI Root CA, to a DoD-approved external certificate authority (ECA), or to a DoD-approved external partner.


Overview

Finding ID   Version   Rule ID           IA Controls       Severity
V-13620      WG355     SV-14204r3_rule   IATS-1, IATS-2    Medium
Description
A PKI certificate is a digital identifier that establishes the identity of an individual or a platform. A server that has a certificate provides users with third-party confirmation of authenticity. Most web browsers perform server authentication automatically and the user is notified only if the authentication fails. The authentication process between the server and the client is performed using the SSL/TLS protocol. Digital certificates are authenticated, issued, and managed by a trusted Certificate Authority (CA). The use of a trusted certificate validation hierarchy is crucial to the ability to control access to a site’s server and to prevent unauthorized access. Only DoD-approved PKIs will be utilized.
STIG              Date
Web Server STIG   2010-10-07

Details

Check Text ( C-30028r1_chk )
The reviewer will need to have the SA or the web administrator show the list of CAs the server is trusting to authenticate users. The procedure to do this varies by the web server product and operating system in use.

The PKE InstallRoot 3.06 System Administrator Guide (SAG), dated 8 July 2008, contains a complete list of DoD ECA and IECA CAs.

NOTE: There are non-DoD roots that must be on the server in order for it to function. Some applications, such as anti-virus programs, require root CAs to function.

If the trust store is not configured to trust only DoD-approved PKIs (e.g., DoD PKI, DoD ECA, and DoD-approved external partners), this is a finding.
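The check above leaves the mechanics to the reviewer. The following script is an added example, not part of the STIG or of any DoD tool: it takes the subject/issuer lines that `openssl x509 -noout -subject -issuer` prints for each certificate in a trust store, classifies every certificate as DoD PKI, DoD ECA, DoD-approved partner, documented exception (the non-DoD roots the NOTE allows) or not approved, and reports the last group as the finding. The DoD and ECA subject patterns (O=U.S. Government with OU=DoD or OU=ECA), the partner allowlist, the exception list and the sample OpenSSL output are all assumptions constructed for illustration; a real review would take the approved list from the current PKE InstallRoot documentation.

```python
"""Audit a web server CA trust store against a DoD-approved PKI allowlist.

Input: the output of `openssl x509 -noout -subject -issuer` for each
certificate in the store (one subject line followed by one issuer line per
certificate). Both the OpenSSL 1.1 style ("C = US, O = ...") and the older
slash style ("/C=US/O=...") are accepted.
"""
import re

# Assumption: DoD-approved external partner roots, by exact subject CN.
APPROVED_PARTNER_CNS = {"Example Partner Root CA"}

# Assumption: non-DoD roots documented as required by software on the server
# (the NOTE in the check text). They are reported but are not a finding.
DOCUMENTED_EXCEPTION_CNS = {"Example AV Update Root"}


def parse_dn(line):
    """Parse one openssl subject=/issuer= line into {attribute: [values]}.

    Repeated attributes (OU appears twice in DoD DNs) keep their order.
    Escaped commas inside attribute values are not handled.
    """
    dn = re.sub(r"^(subject|issuer)\s*=\s*", "", line.strip())
    if dn.startswith("/"):                       # old openssl: /C=US/O=...
        parts = dn.split("/")[1:]
    else:                                        # openssl 1.1+: C = US, O = ...
        parts = re.split(r",\s*(?=[A-Za-z][A-Za-z0-9.]*\s*=)", dn)
    attrs = {}
    for part in parts:
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        attrs.setdefault(key.strip(), []).append(value.strip())
    return attrs


def classify(attrs):
    """Map a parsed subject DN to an approval category."""
    o = attrs.get("O", [])
    ou = attrs.get("OU", [])
    cn = attrs.get("CN", [""])[0]
    # Assumption: DoD PKI and ECA CAs carry O=U.S. Government together with
    # OU=DoD or OU=ECA, following the DoD root naming convention.
    if "U.S. Government" in o and "DoD" in ou:
        return "DoD PKI"
    if "U.S. Government" in o and "ECA" in ou:
        return "DoD ECA"
    if cn in APPROVED_PARTNER_CNS:
        return "DoD-approved partner"
    if cn in DOCUMENTED_EXCEPTION_CNS:
        return "documented exception"
    return "not approved"


def audit(openssl_output):
    """Return one record per certificate: CN, category, self-signed flag."""
    lines = [l for l in openssl_output.splitlines() if l.strip()]
    records = []
    for subj_line, iss_line in zip(lines[0::2], lines[1::2]):
        subject = parse_dn(subj_line)
        issuer = parse_dn(iss_line)
        category = classify(subject)
        # An intermediate issued by a DoD/ECA CA belongs to the approved
        # hierarchy even when its own subject does not match the pattern.
        if category == "not approved" and subject != issuer:
            if classify(issuer) in ("DoD PKI", "DoD ECA"):
                category = "chains to " + classify(issuer)
        records.append({
            "cn": subject.get("CN", ["?"])[0],
            "category": category,
            "self_signed": subject == issuer,
        })
    return records


def findings(records):
    """CNs that make this check a finding: not approved and not excepted."""
    return [r["cn"] for r in records if r["category"] == "not approved"]


# Constructed sample of what this loop would print for a six-certificate store:
#   for f in /path/to/trust-store/*.pem; do
#       openssl x509 -in "$f" -noout -subject -issuer; done
SAMPLE_OPENSSL_OUTPUT = """\
subject=C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 2
issuer=C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 2
subject=C = US, O = U.S. Government, OU = ECA, CN = ECA Root CA 2
issuer=C = US, O = U.S. Government, OU = ECA, CN = ECA Root CA 2
subject=C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DOD CA-21
issuer=C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 2
subject= /C=US/O=Example ECA Vendor/OU=Certification Authorities/CN=Example ECA 3
issuer= /C=US/O=U.S. Government/OU=ECA/CN=ECA Root CA 2
subject=C = US, O = Example AV Vendor, CN = Example AV Update Root
issuer=C = US, O = Example AV Vendor, CN = Example AV Update Root
subject=C = US, O = Example Commercial CA, CN = Example Commercial Root CA
issuer=C = US, O = Example Commercial CA, CN = Example Commercial Root CA
"""

if __name__ == "__main__":
    recs = audit(SAMPLE_OPENSSL_OUTPUT)
    for r in recs:
        kind = "root" if r["self_signed"] else "int "
        print(f"{kind}  {r['category']:<22} {r['cn']}")
    bad = findings(recs)
    print("FINDING: " + ", ".join(bad) if bad else "no finding")
```

On the sample store the script reports the commercial root as the finding, keeps the anti-virus root out of the finding because it is on the documented exception list, and accepts the vendor ECA intermediate because it chains to the ECA root. Self-signed entries are the roots the reviewer is asked to show; anything that is neither self-signed nor chained to an approved root should be questioned as well.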
Fix Text (F-26868r1_fix)
Configure the web server’s trust store to trust only DoD-approved PKIs (e.g., DoD PKI, DoD ECA, and DoD-approved external partners).