Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
PKI certificates (user certificates) must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-26683 | DS00.2141_2008_R2 | SV-39016r1_rule | IAKM-1 IAKM-2 IATS-1 IATS-2 | High |
| Description |
|---|
| A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions. |
| STIG | Date |
|---|---|
| Windows Server 2008 R2 Domain Controller Security Technical Implementation Guide | 2012-09-05 |
Details
| Check Text ( C-38013r1_chk ) |
|---|
| This check verifies the proper use of PKI certificates for the user accounts defined in the directory. Account Certificate Procedures: - Ask the SA to identify one or more account entries in the directory, the local SA group is responsible for, for which a PKI certificate has been imported. - Start the Active Directory Users and Computers console (“Start”, “Run…”, “dsa.msc”). - Select the Users container or the OU in which the accounts identified by the SA are defined. For each of the accounts identified: -- Right-click the entry and select the Properties item. -- Select the Published Certificates tab. -- Examine the Issued By field for the certificates to determine the issuing CA. - If the Issued By field of any PKI certificate being stored with an account definition the local SA group is responsible for does not indicate the issuing Certificate Authority (CA) is part of the DoD PKI or an approved ECA, then this is a finding. |
| Fix Text (F-33252r1_fix) |
|---|
| Replace the unauthorized certificates with ones issued by the DoD PKI or an approved External Certificate Authority. |