The External Root CA certificates must be installed in the Trusted Root Store on unclassified systems.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-32273 | WINPK-000002 | SV-42599r4_rule | Medium |
| Description |
|---|
| To ensure secure websites protected with External Certificate Authority (ECA) server certificates are properly validated, the system must trust the ECA Root CAs. The ECA root certificates will ensure the trust chain is established for server certificates issued from the External CAs. This requirement only applies to unclassified systems. |
| STIG | Date |
|---|---|
| Windows Vista Security Technical Implementation Guide | 2017-01-30 |
Details
| Check Text ( C-71115r2_chk ) |
|---|
| Verify the ECA Root CA certificates are installed on unclassified systems as Trusted Root Certification Authorities. Run "MMC". Select "File", "Add/Remove Snap-in". Select "Certificates", click "Add". Select "Computer account", click "Next". Select "Local computer: (the computer this console is running on)", click "Finish". Click "OK". Expand "Certificates" and navigate to "Trusted Root Certification Authorities >> Certificates". If there are no entries for "ECA Root CA 2", and "ECA Root CA 4", this is a finding. For each of the ECA Root CA certificates noted above: Right click on the certificate and select "Open". Select the "Details" Tab. Scroll to the bottom and select "Thumbprint". If the value for the "Thumbprint" field is not as noted below, this is a finding. ECA Root CA 2 - C313F919A6ED4E0E8451AFA930FB419A20F181E4 ECA Root CA 4 - 73E8BB08E337D6A5A6AEF90CFFDD97D9176CB582 |
| Fix Text (F-76959r2_fix) |
|---|
| Install the ECA Root CA certificates on unclassified systems. ECA Root CA 2 ECA Root CA 4 The InstallRoot tool is available on IASE at http://iase.disa.mil/pki-pke/Pages/tools.aspx. |