20.22 Ensure 'Domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority' (STIG DC only)

Information

This policy setting ensures that Domain Controller Public Key Infrastructure (PKI) certificates are issued by the DoD PKI or an approved External Certificate Authority (ECA).

The use of multiple CAs from separate PKI implementations results in interoperability issues: if servers and clients do not have a common set of root CA certificates, they will not be able to authenticate each other.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Install DoD PKI or approved ECA certificates.

Note: The Global Directory Service (GDS) website provides an online source for approved certificates.

Note #2: DoD Public Key Enablement (PKE) Engineering Support maintains the InstallRoot utility to manage DoD supported root certificates on Windows computers, which includes a list of authorized CAs. The utility package can be downloaded from the PKI and PKE Tools page on IASE.

Impact:

Only authorized CA certificates are allowed.
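As an added example (not part of this benchmark item, and not Tenable's or DISA's own check logic), the following PowerShell script reviews a Domain Controller's machine personal certificate store the way an auditor would: it builds each certificate's chain and flags any whose root is not on an approved list. The thumbprints in `$ApprovedRootThumbprints` are placeholders, and the function name `Test-DcCertificateIssuers` is assumed; populate the list with the DoD Root CA and approved ECA root thumbprints obtained from InstallRoot or GDS before relying on the result.

```powershell
# Added example: audit which root CA each certificate in the DC's
# LocalMachine\My store chains to. Not from the benchmark page.
# PLACEHOLDER thumbprints below must be replaced with the real DoD Root CA
# and approved ECA root thumbprints (from InstallRoot / GDS).
$ApprovedRootThumbprints = @(
    'PLACEHOLDER_DOD_ROOT_CA_THUMBPRINT',
    'PLACEHOLDER_APPROVED_ECA_ROOT_THUMBPRINT'
)

function Test-DcCertificateIssuers {
    param(
        [string[]]$ApprovedRoots = $ApprovedRootThumbprints,
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # This control is about the issuing CA, not revocation; revocation
        # status is checked by a separate control, so skip it here.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $built = $chain.Build($cert)

        # The last chain element is the highest CA the chain engine reached;
        # it is only a trusted root when $built is $true.
        $root = $null
        if ($chain.ChainElements.Count -gt 0) {
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        }

        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            Issuer         = $cert.Issuer
            RootSubject    = if ($root) { $root.Subject } else { '(no chain)' }
            RootThumbprint = if ($root) { $root.Thumbprint } else { '' }
            ChainValid     = $built
            Approved       = ($built -and $root -ne $null -and
                              ($ApprovedRoots -contains $root.Thumbprint))
        }
        $chain.Dispose()
    }
}

$report = Test-DcCertificateIssuers
$report | Format-Table Subject, Issuer, RootSubject, ChainValid, Approved -AutoSize

$nonCompliant = @($report | Where-Object { -not $_.Approved })
if ($nonCompliant.Count -gt 0) {
    Write-Warning "$($nonCompliant.Count) certificate(s) do not chain to an approved root CA"
    exit 1
}
Write-Output 'All certificates in the machine personal store chain to approved root CAs'
```

Run it in an elevated PowerShell session on the Domain Controller; a non-zero exit code indicates at least one certificate issued outside the approved DoD PKI or ECA roots, which is the condition this item reports as a finding.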

See Also

https://workbench.cisecurity.org/benchmarks/15301

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-23(5)

Plugin: Windows

Control ID: 5c8408821a71c23ef1fd3420c323bb1b3fef437bd6e91c488372279a536d34a4