STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated 23 hours ago
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Microsoft Windows Server 2025 Security Technical Implementation Guide

V-278192

CAT II (Medium)

Windows Server 2025 must have the DOD Root Certificate Authority (CA) certificates installed in the Trusted Root Store.

Rule ID

SV-278192r1212173_rule

STIG

Microsoft Windows Server 2025 Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000185CCI-002470CCI-004909

Discussion

To ensure secure DOD websites and DOD-signed code are properly validated, the system must trust the DOD Root CAs. The DOD root certificates will ensure that the trust chain is established for server certificates issued from the DOD CAs. Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000403-GPOS-00182, SRG-OS-000775-GPOS-00230

Check Content

The certificates and thumbprints referenced below apply to unclassified systems. Refer to the PKE documentation for other networks.

Open PowerShell as an administrator.

Execute the following command:

Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*DOD*" | FL Subject, NotAfter

If valid (unexpired) DOD Root CA certificates (such as those below) are not listed, this is a finding.

Note: The Common Names (CN) below are examples. Verify that the "CN" displayed is a DOD Root CA and is not expired. 

Subject: CN=DOD Root CA 3, OU=PKI, OU=DOD, O=U.S. Government, C=US
NotAfter: 12/30/2029

Subject: CN=DOD Root CA 5, OU=PKI, OU=DOD, O=U.S. Government, C=US
NotAfter: 6/14/2041

Subject: CN=DOD Root CA 6, OU=PKI, OU=DOD, O=U.S. Government, C=US
NotAfter: 1/24/2053

Alternately, use the Certificates MMC snap-in:

Run "MMC".

Select "File", "Add/Remove Snap-in".

Select "Certificates" and click "Add".

Select "Computer account" and click "Next".

Select "Local computer: (the computer this console is running on)" and click "Finish".

Click "OK".

Expand "Certificates" and navigate to "Trusted Root Certification Authorities >> Certificates".

For each of the DOD Root CA certificates noted below:

Right-click the certificate and select "Open".

Select the "Details" tab.

Verify that expiration date is in the future.

If valid (unexpired) DOD Root CA certificates (such as those below) are not listed, this is a finding.

DOD Root CA 3

DOD Root CA 5

DOD Root CA 6

Fix Text

Install the DOD Root CA certificates:

DOD Root CA 3

DOD Root CA 5

DOD Root CA 6

The InstallRoot tool is available on Cyber Exchange at https://cyber.mil/pki-pke/tools-configuration-files.