Expired Digital Certificates must not be used.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-69225 | ICERR020 | SV-83841r1_rule | Medium |
| Description |
|---|
| The longer and more often a key is used, the more susceptible it is to loss or discovery. This weakens the assurance provided to a relying Party that the unique binding between a key and its named subscriber is valid. Therefore, it is important that certificates are periodically refreshed. This is in accordance with DoD requirement. Expired Certificate must not be in use. |
| STIG | Date |
|---|---|
| z/OS RACF STIG | 2019-12-12 |
Details
| Check Text ( C-70023r1_chk ) |
|---|
| NOTE: The procedures in this checklist item presume the domain being reviewed is running all releases of z/OS, and use the ACP as the certificate store. If the domain being review is not a production system and is only used for test and development, this expired Certificates review can be skipped. Refer to the following report produced by the ACF2 Data Collection Checklist: RACFCMDS.RPT(CERTRPT) If no certificate information is found, there is no finding. NOTE: Certificates are only valid when their Status is TRUST. Therefore, you may ignore certificates with the NOTRUST status during the following checks. Check the expiration for each certificate with a status of TRUST. If the expiration date has passed this is a finding. |
| Fix Text (F-75779r1_fix) |
|---|
| If the certificate is a user or device certificate with a status of TRUST, follow procedures to obtain a new certificate or re-key certificate. If it is an expired CA certificate remove it. |