STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated 23 hours ago
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Microsoft Windows 11 Security Technical Implementation Guide

V-253428

CAT II (Medium)

The External Root CA certificates must be installed in the Trusted Root Store on unclassified systems.

Rule ID

SV-253428r1210301_rule

STIG

Microsoft Windows 11 Security Technical Implementation Guide

Version

V2R8

CCIs

CCI-000185

Discussion

To ensure secure websites protected with External Certificate Authority (ECA) server certificates are properly validated, the system must trust the ECA Root CAs. The ECA root certificates will ensure the trust chain is established for server certificates issued from the External CAs. This requirement applies only to unclassified systems.

Check Content

Verify the ECA Root CA certificates are installed on unclassified systems as Trusted Root Certification Authorities.

Run "PowerShell" as an administrator.

Execute the following command:

Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*ECA*" | FL Subject, NotAfter

If the following certificate "Subject" information is not displayed, this is a finding. 

Note: The Common Name (CN) below is an example. Verify the "CN" displayed (ECA Root CA) is not expired. As of this writing, ECA Root CA 4 and ECA Root 5 are valid (among others).

Subject: CN=ECA Root CA 4, OU=ECA, O=U.S. Government, C=US
Subject: CN=ECA Root CA 5, OU=ECA, O=U.S. Government, C=US

Alternately, use the Certificates MMC snap-in:

Run "MMC".

Select "File" and "Add/Remove Snap-in".

Select "Certificates" and click "Add".

Select "Computer account" and click "Next".

Select "Local computer: (the computer this console is running on)" and click "Finish".

Click "OK".

Expand "Certificates" and navigate to Trusted Root Certification Authorities >> Certificates.

For each of the ECA Root CA certificates noted below:

Right-click on the certificate and select "Open".

Select the "Details" tab.

Verify the Expiration Date is a future date.

Scroll to the bottom and select "Subject".

If the certificates listed do not include "ECA Root CA" in the name or are expired, this is a finding.

Note: This is not a complete list of possible ECA Root CA certificates.

ECA Root CA 4

ECA Root CA 5

Fix Text

Install a valid (unexpired) ECA Root CA certificate on unclassified systems. The list below is not to be treated as exhaustive. They are valid as of this writing, but the STIG should not be used as a definitive resource for the organizationally approved ECA Root CA certificates for your systems.

ECA Root CA 4
ECA Root CA 5

The InstallRoot tool is available on Cyber Exchange at https://cyber.mil/pki-pke/tools-configuration-files. PKI can be found at https://crl.gds.disa.mil/.