STIGhub, a free STIG search and compliance tool (powered by Pylon, © 2026 Beacon Cloud Solutions, Inc.). STIGs updated 3 days ago.

V-235850

CAT II (Medium)

Docker Enterprise node certificates must be rotated as defined in the System Security Plan (SSP).

Rule ID

SV-235850r961863_rule

STIG

Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide

Version

V2R2

CCIs

CCI-000366

Discussion

Rotate swarm node certificates as appropriate. Docker Swarm uses mutual TLS for clustering operations among its nodes. Regular certificate rotation limits the window in which a compromised node or leaked key can be used to impersonate a node. By default, node certificates are rotated automatically every 90 days; rotate them more often where the environment or the SSP requires it.

Check Content

Ensure node certificates are rotated as appropriate.

via CLI:

Linux: As a Docker EE Admin, follow the steps below using a Universal Control Plane (UCP) client bundle:

Run the following command against a manager node (the CA Configuration section, which contains the Expiry Duration line, is only reported by managers) and ensure that the node certificate Expiry Duration matches the value defined in the System Security Plan (SSP).

docker info | grep "Expiry Duration"

If the expiry duration is not set according to the SSP, this is a finding.

Fix Text

Run the following command, using the same UCP client bundle, to set the desired node certificate expiry. The value is a Go duration string (for example 48h or 30m).

Example:
docker swarm update --cert-expiry 48h
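The check and fix above compare a single line of `docker info` output against a value that lives in the SSP. The script below, added here as an illustration and not part of the STIG or of Docker EE, turns that into a repeatable check: it reads `docker info` output, converts the humanized "Expiry Duration" value to hours and compares it with an SSP limit supplied as an argument. The SSP limit of 720 hours (30 days), the sample `docker info` fragments and the template path used for the exact-hours variant are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not part of the STIG or of Docker EE documentation.
# Compares the swarm node-certificate expiry reported by `docker info`
# with the maximum the SSP allows. The SSP value (720h below) is an
# assumption for illustration; substitute your own.

# Docker prints the expiry in humanized form ("48 hours", "2 days",
# "3 months"). Convert that to whole hours using the same rounding docker
# uses when it prints (a week is 7 days, a month 30 days, a year 365 days).
duration_to_hours() {
    n=$1; unit=$2
    case "$unit" in
        hour|hours)   echo "$n" ;;
        day|days)     echo $((n * 24)) ;;
        week|weeks)   echo $((n * 24 * 7)) ;;
        month|months) echo $((n * 24 * 30)) ;;
        year|years)   echo $((n * 24 * 365)) ;;
        *) echo "unsupported duration: $n $unit" >&2; return 1 ;;
    esac
}

# Go-style durations ("2160h0m0s"), as printed by
#   docker info --format '{{.Swarm.Cluster.Spec.CAConfig.NodeCertExpiry}}'
# (assumed template path), are exact: take the hour component only.
go_duration_to_hours() {
    case "$1" in
        *h*) printf '%s\n' "$1" | sed 's/h.*//' ;;
        *)   echo 0 ;;   # shorter than one hour
    esac
}

# Read `docker info` output on stdin and print the expiry in hours.
# The line only exists on a manager node with an active swarm.
expiry_hours_from_info() {
    line=$(grep 'Expiry Duration' | head -n 1)
    if [ -z "$line" ]; then
        echo "no CA configuration in docker info (not a swarm manager?)" >&2
        return 2
    fi
    set -- $(printf '%s\n' "$line" | sed 's/.*Expiry Duration:[[:space:]]*//')
    duration_to_hours "$1" "$2"
}

# check_cert_expiry MAX_HOURS  (docker info output on stdin)
# Returns 0 when the configured expiry is within the SSP limit, 1 for a
# finding, 2 when the value could not be read at all.
check_cert_expiry() {
    max=$1
    hours=$(expiry_hours_from_info) || return 2
    if [ "$hours" -le "$max" ]; then
        echo "PASS: node certificate expiry ${hours}h is within SSP limit ${max}h"
        return 0
    fi
    echo "FINDING: node certificate expiry ${hours}h exceeds SSP limit ${max}h"
    return 1
}

# Constructed sample of the Swarm section of `docker info` on a manager
# that still has the 90-day default (docker prints 90 days as "3 months").
SAMPLE_DEFAULT=' Swarm: active
  Is Manager: true
  CA Configuration:
   Expiry Duration: 3 months
   Force Rotate: 0'

# Constructed sample of the same node after
# `docker swarm update --cert-expiry 48h` (docker prints 48h as "2 days").
SAMPLE_48H=' Swarm: active
  Is Manager: true
  CA Configuration:
   Expiry Duration: 2 days
   Force Rotate: 0'

# Use the live daemon when one is reachable, otherwise the constructed samples.
SSP_MAX_HOURS=720   # assumed SSP limit: 30 days
if docker info >/dev/null 2>&1; then
    docker info 2>/dev/null | check_cert_expiry "$SSP_MAX_HOURS"
else
    printf '%s\n' "$SAMPLE_DEFAULT" | check_cert_expiry "$SSP_MAX_HOURS" || :
    printf '%s\n' "$SAMPLE_48H"     | check_cert_expiry "$SSP_MAX_HOURS"
fi
```

Two practical points the grep in the check does not make obvious: the humanized output is lossy (anything from 60 to 119 days prints as "2 months" or "3 months"), so where the SSP value is precise, the `--format` variant that prints the exact Go duration is the better evidence; and a worker node prints no CA Configuration block at all, so an empty grep result is a sign the command ran against the wrong node, not proof of compliance.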