Detections
Analytics
JUEX-NM-000660 - The Juniper EX switch must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.
Information
For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this Certification Authority will suffice.NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Configure the network device to obtain its public key certificates from an appropriate certificate policy through an approved service provider. To view installed certificates:show security pki (ca-certificate | local-certificate)
Generate a public/private keypair:
request security pki generate-key-pair type <ecdsa|rsa> size <bit size> certificate-id <name>
Note: ECDSA certificates support 256, 384, or 512 key sizes and RSA supports 1024, 2048, or 4096.
Generate a certificate signing request:
request security pki generate-certificate-request certificate-id <key name> digest <sha-1|sha-256|sha-384> domain-name <FQDN> ip-address <IPv4 address> ipv6-address <IPv6 address> subject <LDAP format>
Note: The subject is LDAP formatted. For example, 'CN=switch-01,DC=example,DC=com,O=Company,OU=HR,L=Some City,ST=Some State,C=US'. Not all key => value pairs are required but those used must match organizational policy.
After securely transferring the CSR to the certificate authority for signing, and securely transferring the certificate to the device, add the certificate:
request security pki local-certificate load filename <path/filename of certificate> certificate-id <key name>
The certificate can also be generated externally, with separate public and private key files, or a PKCS#12 package containing both certificate and private key. When importing externally generated certificate and private key, use the 'key' directive to identify the path and filename of the private key. If the private key, or the PKCS#12 package, uses a passphrase, use the 'passphrase' directive and provide the correct value.
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_EX_Switches_Y24M07_STIG.zip
Item Details
Category: CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|CM-6b., 800-53|SC-17, CAT|II, CCI|CCI-000366, CCI|CCI-001159, Rule-ID|SV-253943r961863_rule, STIG-ID|JUEX-NM-000660, Vuln-ID|V-253943
Plugin: Juniper
Control ID: eb2b47bef36ec1c1007fea6a092d7d84b55b55aeb450ade054919703a398c015