UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The DoD root certificate must be installed into the Trusted Root Store.


Overview

Finding ID Version Rule ID IA Controls Severity
V-32272 WN12-PK-000001 SV-52961r2_rule IATS-1 IATS-2 Medium
Description
To ensure secure DoD websites and DoD signed code are properly validated, the system must trust the DoD Root CA 2. The DoD root certificate will ensure that the trust chain is established for server certificates issued from the DoD CA.
STIG Date
Windows Server 2012 / 2012 R2 Domain Controller Security Technical Implementation Guide 2014-06-30

Details

Check Text ( C-49221r1_chk )
Verify the DoD Root CA 2 certificate is installed as a Trusted Root Certification Authority using the Certificates MMC snap-in:
Run "MMC".
Select "File", "Add/Remove Snap-in".
Select "Certificates", click "Add".
Select "Computer account", click "Next".
Select "Local computer: (the computer this console is running on)", click "Finish".
Click "OK".
Expand "Certificates" and navigate to "Trusted Root Certification Authorities\Certificates".
Search for "DoD Root CA 2" under "Issued To" in the center pane.

If there is no entry for "DoD Root CA 2", this is a finding.

Select DoD Root CA 2.
Right click and select "Open".
Select the "Details" Tab.
Scroll to the bottom and select "Thumbprint Algorithm".
Verify the Value is "sha1".

If the value for "Thumbprint Algorithm" is not "sha1", this is a finding.

Next select "Thumbprint".

If the value for the "Thumbprint" field is not
"8C:94:1B:34:EA:1E:A6:ED:9A:E2:BC:54:CF:68:72:52:B4:C9:B5:61", this is a finding.
The thumbprint referenced applies to NIPRNet, see PKE documentation for other networks.
Fix Text (F-45887r1_fix)
Install the DoD Root CA 2 certificate. The InstallRoot tool is available on IASE at http://iase.disa.mil/pki-pke/function_pages/tools.html.