Check: JUEX-NM-000660
Juniper EX Series Switches Network Device Management STIG:
JUEX-NM-000660
(in versions v2 r2 through v1 r1)
Title
The Juniper EX switch must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider. (Cat II impact)
Discussion
For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this Certification Authority will suffice.
Check Content
Determine if the network device obtains public key certificates from an appropriate certificate policy through an approved service provider. Verify the certificate is signed by an approved CA via the "show security pki local-certificate" or "show security pki local-certificate detail" commands. If the network device does not obtain its public key certificates from an appropriate certificate policy through an approved service provider, this is a finding.
Fix Text
Configure the network device to obtain its public key certificates from an appropriate certificate policy through an approved service provider. To view installed certificates: show security pki (ca-certificate | local-certificate) Generate a public/private keypair: request security pki generate-key-pair type <ecdsa|rsa> size <bit size> certificate-id <name> Note: ECDSA certificates support 256, 384, or 512 key sizes and RSA supports 1024, 2048, or 4096. Generate a certificate signing request: request security pki generate-certificate-request certificate-id <key name> digest <sha-1|sha-256|sha-384> domain-name <FQDN> ip-address <IPv4 address> ipv6-address <IPv6 address> subject <LDAP format> Note: The subject is LDAP formatted. For example, "CN=switch-01,DC=example,DC=com,O=Company,OU=HR,L=Some City,ST=Some State,C=US". Not all key => value pairs are required but those used must match organizational policy. After securely transferring the CSR to the certificate authority for signing, and securely transferring the certificate to the device, add the certificate: request security pki local-certificate load filename <path/filename of certificate> certificate-id <key name> The certificate can also be generated externally, with separate public and private key files, or a PKCS#12 package containing both certificate and private key. When importing externally generated certificate and private key, use the "key" directive to identify the path and filename of the private key. If the private key, or the PKCS#12 package, uses a passphrase, use the "passphrase" directive and provide the correct value.
Additional Identifiers
Rule ID: SV-253943r961863_rule
Vulnerability ID: V-253943
Group Title: SRG-APP-000516-NDM-000344
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
Implement the security configuration settings. |
CCI-001159 |
Issue public key certificates under an organization-defined certificate policy or obtain public key certificates from an approved service provider. |