PKI certificates (server and clients) must be issued by the DoD PKI or an approved External Certificate Authority (ECA).

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-14820	DS00.2140_2008_R2	SV-39014r1_rule	IAKM-1 IAKM-2 IATS-1 IATS-2	High

Description
A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions. The use of multiple CAs from separate PKI implementations results in interoperability issues. If servers and clients do not have a common set of root CA certificates, they are not able to authenticate each other.

Description

A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions. The use of multiple CAs from separate PKI implementations results in interoperability issues. If servers and clients do not have a common set of root CA certificates, they are not able to authenticate each other.

STIG	Date
Windows Server 2008 R2 Domain Controller Security Technical Implementation Guide	2012-09-05

Details

Check Text ( C-38010r1_chk )
Server Certificate Procedures: 1. With the assistance of the application SA, display the PKI certificate(s) being used by the domain controller itself. a. Start a Certificates management console for the local computer. If one does not exist, use the notes below to create one. 2. Select and expand the Certificates (Local Computer) entry in the left pane. 3. Select and expand the Personal entry in the left pane. 4. Select the Certificates entry in the left pane. 5. Examine the Issued By field for the certificate to determine the issuing CA. 6. If the Issued By field of the PKI certificate being used by the domain controller does not indicate the issuing Certificate Authority (CA) is part of the DoD PKI or an approved ECA, then this is a finding. Supplemental Notes: There are multiple sources from which lists of valid DoD CAs and approved ECAs can be obtained: -- The Global Directory Service (GDS) web site provides an online source. The address for this site is https://crl.gds.disa.mil. -- DoD Public Key Enablement (PKE) Engineering Support maintains the InstallRoot utility to manage DoD supported root certificates on Windows computers. The utility package can be downloaded from https://powhatan.iiie.disa.mil/pki-pke/landing_pages/admins.html and it includes a list of authorized CAs.

Check Text ( C-38010r1_chk )

Server Certificate Procedures:

1. With the assistance of the application SA, display the PKI certificate(s) being used by the domain controller itself.
a. Start a Certificates management console for the local computer. If one does not exist, use the notes below to create one.

2. Select and expand the Certificates (Local Computer) entry in the left pane.

3. Select and expand the Personal entry in the left pane.

4. Select the Certificates entry in the left pane.

5. Examine the Issued By field for the certificate to determine the issuing CA.

6. If the Issued By field of the PKI certificate being used by the domain controller does not indicate the issuing Certificate Authority (CA) is part of the DoD PKI or an approved ECA, then this is a finding.

Supplemental Notes:

There are multiple sources from which lists of valid DoD CAs and approved ECAs can be obtained:
-- The Global Directory Service (GDS) web site provides an online source. The address for this site is https://crl.gds.disa.mil.
-- DoD Public Key Enablement (PKE) Engineering Support maintains the InstallRoot utility to manage DoD supported root certificates on Windows computers. The utility package can be downloaded from https://powhatan.iiie.disa.mil/pki-pke/landing_pages/admins.html and it includes a list of authorized CAs.

Fix Text (F-33247r1_fix)
Use PKI certificates issued by the DoD PKI or an approved External Certificate Authority (ECA).