20.69 Ensure 'US DoD CCEB Interoperability Root CA cross-certificates' are installed in the 'Untrusted Certificates Store' on unclassified systems

Information

This policy setting ensures that the US DoD Combined Communications-Electronics Board (CCEB) Interoperability Root CA cross-certificates are installed in the Untrusted Certificate Store on unclassified systems.

The STIG recommended state for this setting is: DoD Root CA 3 - US DoD CCEB Interoperability Root CA 2 - AF132AC65DE86FC4FB3FE51FD637EBA0FF0B12A9 and DoD Root CA 3 - US DoD CCEB Interoperability Root CA 2 - 929BF3196896994C0A201DF4A5B71F603FEFBF2E

If the Interoperability Root CA cross-certificates are not installed in the Untrusted Certificates Store users may experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs.

Note: This requirement only applies to unclassified systems.

Solution

Install the following DoD Root CA certificates in the

Untrusted Certificates Store

:

DoD Root CA 3 - US DoD CCEB Interoperability Root CA 2 - AF132AC65DE86FC4FB3FE51FD637EBA0FF0B12A9 and DoD Root CA 3 - US DoD CCEB Interoperability Root CA 2 - 929BF3196896994C0A201DF4A5B71F603FEFBF2E

Note: The InstallRoot tool is available on IASE at

http://iase.disa.mil/pki-pke/Pages/tools.aspx

.

Note #2: The Certificate Store can be loaded by executing the

Microsoft Management Console (MMC)

and loading the

Certificates

snap-in.

Impact:

N/A

See Also

https://workbench.cisecurity.org/benchmarks/15105

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-23(5)

Plugin: Windows

Control ID: 6fbdf60b74de9d47689a5cccc423c6d67e50f025ccf261673eece6b4562d70ae