UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The External CA Root Certificate must be installed.


Overview

Finding ID Version Rule ID IA Controls Severity
V-32273 WINPK-000002 SV-42602r2_rule IATS-1 IATS-2 Medium
Description
To ensure secure websites protected with ECA server certificates are properly validated, the system must trust the ECA Root CA 2. The ECA root certificate will ensure that the trust chain is established for server certificate issued from the External CA.
STIG Date
Windows Server 2008 R2 Domain Controller Security Technical Implementation Guide 2012-09-05

Details

Check Text ( C-40781r2_chk )
Verify the ECA Root CA 2 certificate is installed as a Trusted Root Certification Authority using the Certificates MMC snap-in.
Run “MMC”
Select “File”, “Add/Remove Snap-in…”
Select “Certificates”, click “Add”
Select “Computer account”, click “Next”
Select “Local computer: (the computer this console is running on)”, click “Finish”
Click “OK”
Expand “Certificates” and navigate to “Trusted Root Certification Authorities\Certificates”
Search for “ECA Root CA 2” under “Issued To” in the center pane

If there is no entry for “ECA Root CA 2” this is a finding.

Select “ECA Root CA 2”
Right click and select “Open”
Select the “Details” Tab
Scroll to the bottom and select “Thumbprint Algorithm”
Verify the Value is “sha1”,

If the value for Thumbprint Algorithm is not “sha1” this is a finding.

Next select “Thumbprint”

If the value for the “Thumbprint” field is not
“c3:13:f9:19:a6:ed:4e:0e:84:51:af:a9:30:fb:41:9a:20:f1:81:e4” this is a finding.
Fix Text (F-36199r2_fix)
Install the ECA root CA 2 certificate. The InstallRoot tool is available on IASE at http://iase.disa.mil/pki-pke/function_pages/tools.html