UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

PKI certificates (user certificates) must be issued by the DoD PKI or an approved External Certificate Authority (ECA).


Overview

Finding ID Version Rule ID IA Controls Severity
V-26683 DS00.2141_2003 SV-33885r1_rule IAKM-1 IAKM-2 IATS-1 IATS-2 High
Description
A PKI implementation depends on the practices established by the Certificate Authority to ensure that the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions.
STIG Date
Windows 2008 Domain Controller Security Technical Implementation Guide 2013-07-03

Details

Check Text ( C-14091r1_chk )
This check verifies the proper use of PKI certificates for the user accounts defined in the directory.

Account Certificate Procedures:
- Ask the SA to identify one or more account entries in the directory, that the local SA group is responsible for, for which a PKI certificate has been imported.
- Start the Active Directory Users and Computers console (“Start”, “Run…”, “dsa.msc”).
- Select the Users container or the OU in which the accounts identified by the SA are defined.
For *each* of the accounts identified:
-- Right-click the entry and select the Properties item.
-- Select the Published Certificates tab.
-- Examine the Issued By field for the certificates to determine the issuing CA.
- If the Issued By field of any PKI certificate being stored with an account definition that the local SA group is responsible for does not indicate that the issuing Certificate Authority (CA) is part of the DoD PKI or an approved ECA, then this is a finding.
Fix Text (F-14336r1_fix)
- Replace the unauthorized certificates with ones issued by the DoD PKI or an approved External Certificate Authority.