Information
This policy setting ensures that the DoD Interoperability Root CA cross-certificates are installed in the Untrusted Certificate Store on unclassified systems.
The STIG recommended state for this setting is: DoD Root CA 2 - DoD Interoperability Root CA 1 - A8C27332CCB4CA49554CE55D34062A7DD2850C02 and DoD Root CA 3 - DoD Interoperability Root CA 2 - AC06108CA348CC03B53795C64BF84403C1DBD341
If the Interoperability Root CA cross-certificates are not installed in the Untrusted Certificates Store users may experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs.
Note: This requirement only applies to unclassified systems.
Solution
Install the following DoD Root CA certificates in the
Untrusted Certificates Store
:
DoD Root CA 2 - DoD Interoperability Root CA 1 - A8C27332CCB4CA49554CE55D34062A7DD2850C02 and DoD Root CA 3 - DoD Interoperability Root CA 2 - AC06108CA348CC03B53795C64BF84403C1DBD341
Note: The InstallRoot tool is available on IASE at
http://iase.disa.mil/pki-pke/Pages/tools.aspx
.
Note #2: The Certificate Store can be loaded by executing the
Microsoft Management Console (MMC)
and loading the
Certificates
snap-in.
Impact:
N/A