20.20 Ensure 'DoD Interoperability Root CA cross-certificates' are installed in the 'Untrusted Certificates Store' on unclassified systems

Information

This policy setting ensures that the DoD Interoperability Root CA cross-certificates are installed in the Untrusted Certificate Store on unclassified systems.

The STIG recommended state for this setting is: DoD Root CA 2 - DoD Interoperability Root CA 1 - A8C27332CCB4CA49554CE55D34062A7DD2850C02 and DoD Root CA 3 - DoD Interoperability Root CA 2 - AC06108CA348CC03B53795C64BF84403C1DBD341

If the Interoperability Root CA cross-certificates are not installed in the Untrusted Certificates Store users may experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs.

Note: This requirement only applies to unclassified systems.

Solution

Install the following DoD Root CA certificates in the

Untrusted Certificates Store

:

DoD Root CA 2 - DoD Interoperability Root CA 1 - A8C27332CCB4CA49554CE55D34062A7DD2850C02 and DoD Root CA 3 - DoD Interoperability Root CA 2 - AC06108CA348CC03B53795C64BF84403C1DBD341

Note: The InstallRoot tool is available on IASE at

http://iase.disa.mil/pki-pke/Pages/tools.aspx

.

Note #2: The Certificate Store can be loaded by executing the

Microsoft Management Console (MMC)

and loading the

Certificates

snap-in.

Impact:

N/A

See Also

https://workbench.cisecurity.org/benchmarks/15105

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-23(5)

Plugin: Windows

Control ID: 5b520d8ec14fa7982ad92b4a7505123342aa59ad920070d7350d7b8eca19cce5