Navigate

Check: WN12-PK-000001

Microsoft Windows Server 2012/2012 R2 Member Server STIG: WN12-PK-000001 (in version v3 r6)

Title

The DoD Root CA certificates must be installed in the Trusted Root Store. (Cat II impact)

Discussion

To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD Root Certificate Authorities (CAs). The DoD root certificates will ensure that the trust chain is established for server certificates issued from the DoD CAs.

Check Content

Verify the DoD Root CA certificates are installed as Trusted Root Certification Authorities. The certificates and thumbprints referenced below apply to unclassified systems; refer to PKE documentation for other networks. Run "PowerShell" as an administrator. Execute the following command: Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*DoD*" | FL Subject, Thumbprint, NotAfter If the following certificate "Subject" and "Thumbprint" information is not displayed, this is a finding. Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB NotAfter: 12/30/2029 Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 NotAfter: 7/25/2032 Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B NotAfter: 6/14/2041 Alternately, use the Certificates MMC snap-in: Run "MMC". Select "File", "Add/Remove Snap-in". Select "Certificates", click "Add". Select "Computer account", click "Next". Select "Local computer: (the computer this console is running on)", click "Finish". Click "OK". Expand "Certificates" and navigate to Trusted Root Certification Authorities >> Certificates. For each of the DoD Root CA certificates noted below: Right-click on the certificate and select "Open". Select the "Details" tab. Scroll to the bottom and select "Thumbprint". If the DoD Root CA certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding. DoD Root CA 3 Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB Valid to: Sunday, December 30, 2029 DoD Root CA 4 Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 Valid to: Sunday, July 25, 2032 DoD Root CA 5 Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B Valid to: Friday, June 14, 2041

Fix Text

Install the DoD Root CA certificates: DoD Root CA 3 DoD Root CA 4 DoD Root CA 5 The InstallRoot tool is available on Cyber Exchange at https://cyber.mil/pki-pke/tools-configuration-files. PKI can be found at https://crl.gds.disa.mil/.

Additional Identifiers

Rule ID: SV-225441r890492_rule

Vulnerability ID: V-225441

Group Title: SRG-OS-000066-GPOS-00034

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-000185	The information system, for PKI-based authentication, validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information.
CCI-002470	The information system only allows the use of organization-defined certificate authorities for verification of the establishment of protected sessions.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
IA-5 (2)	Pki-Based Authentication
SC-23 (5)	Allowed Certificate Authorities