Rule ID
SV-278192r1212173_rule
Version
V1R2
To ensure secure DOD websites and DOD-signed code are properly validated, the system must trust the DOD Root CAs. The DOD root certificates will ensure that the trust chain is established for server certificates issued from the DOD CAs. Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000403-GPOS-00182, SRG-OS-000775-GPOS-00230
The certificates and thumbprints referenced below apply to unclassified systems. Refer to the PKE documentation for other networks. Open PowerShell as an administrator. Execute the following command: Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*DOD*" | FL Subject, NotAfter If valid (unexpired) DOD Root CA certificates (such as those below) are not listed, this is a finding. Note: The Common Names (CN) below are examples. Verify that the "CN" displayed is a DOD Root CA and is not expired. Subject: CN=DOD Root CA 3, OU=PKI, OU=DOD, O=U.S. Government, C=US NotAfter: 12/30/2029 Subject: CN=DOD Root CA 5, OU=PKI, OU=DOD, O=U.S. Government, C=US NotAfter: 6/14/2041 Subject: CN=DOD Root CA 6, OU=PKI, OU=DOD, O=U.S. Government, C=US NotAfter: 1/24/2053 Alternately, use the Certificates MMC snap-in: Run "MMC". Select "File", "Add/Remove Snap-in". Select "Certificates" and click "Add". Select "Computer account" and click "Next". Select "Local computer: (the computer this console is running on)" and click "Finish". Click "OK". Expand "Certificates" and navigate to "Trusted Root Certification Authorities >> Certificates". For each of the DOD Root CA certificates noted below: Right-click the certificate and select "Open". Select the "Details" tab. Verify that expiration date is in the future. If valid (unexpired) DOD Root CA certificates (such as those below) are not listed, this is a finding. DOD Root CA 3 DOD Root CA 5 DOD Root CA 6
Install the DOD Root CA certificates: DOD Root CA 3 DOD Root CA 5 DOD Root CA 6 The InstallRoot tool is available on Cyber Exchange at https://cyber.mil/pki-pke/tools-configuration-files.