Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-69225 | ICERT020 | SV-83843r1_rule | Medium |
Description |
---|
The longer and more often a key is used, the more susceptible it is to loss or discovery. This weakens the assurance provided to a relying Party that the unique binding between a key and its named subscriber is valid. Therefore, it is important that certificates are periodically refreshed. This is in accordance with DoD requirement. Expired Certificate must not be in use. |
STIG | Date |
---|---|
z/OS TSS STIG | 2019-12-12 |
Check Text ( C-70029r1_chk ) |
---|
NOTE: The procedures in this checklist item presume the domain being reviewed is running all releases of z/OS, and use the ACP as the certificate store. If the domain being review is not a production system and is only used for test and development, this Self-Signed Certificates review can be skipped. Refer to the following report produced by the ACF2 Data Collection Checklist: TSSCMDS.RPT(CERTRPT) If no certificate information is found, there is no finding. NOTE: Certificates are only valid when their Status is TRUST. Therefore, you may ignore certificates with the NOTRUST status during the following checks. Check the expiration for each certificate with a status of TRUST. If the expiration date has passed this is a finding. |
Fix Text (F-75785r1_fix) |
---|
If the certificate is a user or device certificate with a status of TRUST, follow procedures to obtain a new certificate or re-key certificate. If it is an expired CA certificate remove it. |