Check: CSCO-NM-000340
Cisco ISE NDM STIG:
CSCO-NM-000340
(in versions v1 r6 through v1 r1)
Title
The Cisco ISE must use DoD-approved PKI rather than proprietary or self-signed device certificates. (Cat II impact)
Discussion
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs. The Cisco ISE generates a key-pair and a CSR. The CSR is sent to the approved CA, who signs it and returns it as a certificate. That certificate is then installed. The process to obtain a device PKI certificate requires the generation of a Certificate Signing Request (CSR), submission of the CSR to a CA, approval of the request by an RA, and retrieval of the issued certificate from the CA.
Check Content
Choose Administration >> System >> Certificates >> System Certificates. 1. The System Certificates page appears and provides information for the local certificates. 2. Select a certificate and choose "View" to display the certificate details. If the Cisco ISE does not obtain its public key certificates from an appropriate certificate policy through an approved service provider, this is a finding.
Fix Text
Replace the self-signed certificate with a CA-signed certificates for greater security. To obtain a CA-signed certificate: A. Generate a certificate signing request (CSR) to obtain a CA-signed certificate for the nodes in your deployment. 1. Choose Administration >> System >> Certificates >> Certificate Signing Requests. 2. Enter the values for generating a CSR. Examples: RSA: Request security pki generate-key-pair certificate-id <cert name>> type rsa size <512 | 1024 | 2048 | 4096>> ECDSA: Request security pki generate-key-pair certificate-id <cert_name>> type ecdsa size <256 | 384>> 3. Click "Generate" to generate the CSR. 4. Click "Export" to open the CSR in a Notepad. 5. Copy all the text from "-----BEGIN CERTIFICATE REQUEST-----" through "-----END CERTIFICATE REQUEST-----." 6. Paste the contents of the CSR into the certificate request. Generate a new key-pair from a DoD-approved certificate issuer. Sites must consult the PKI/PKI pages on the https://cyber.mil/ website for procedures for NIPRNet and SIPRNet. 7. Download the signed certificate. B. Import the Root Certificates to the Trusted Certificate Store: Administration >> System >> Certificates >> Trusted Certificates C. Bind the CA-Signed Certificate to the CSR. 1. Choose Administration >> System >> Certificates >> Certificate Signing Requests. Check the check box next to the node for which you are binding the CSR with the CA-signed certificate. 2. Click "Bind". 3. Click "Browse" to choose the CA-signed certificate. 4. Specify a Friendly Name for the certificate. 5. Check the "Validate Certificate Extensions" check box if you want Cisco ISE to validate certificate extensions. 6. Check the service for which this certificate will be used in the Usage area. This information is auto populated if you have enabled the Usage option while generating the CSR. If you do not want to specify the usage at the time of binding the certificate, uncheck the Usage option. You can edit the certificate later and specify the usage. 7. Click "Submit". If you have chosen to use this certificate for Cisco ISE internode communication, the application server on the Cisco ISE node is restarted.
Additional Identifiers
Rule ID: SV-242639r879887_rule
Vulnerability ID: V-242639
Group Title: SRG-APP-000516-NDM-000344
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
CCI-001159 |
The organization issues public key certificates under an organization-defined certificate policy or obtains public key certificates from an approved service provider. |