Rule ID
SV-284540r1244952_rule
Version
V1R1
CCIs
For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this Certification Authority (CA) will suffice.
1. In the Web UI, navigate to System >> Configuration >> Certificates >> Device Certificates. 2. View the certificate to verify it is signed by a valid DoW CA. 3. Verify the certificate is the only one present and configured for use on interfaces. If a DoW CA certificate is not used, this is a finding.
1. In the Web UI, navigate to System >> Configuration >> Certificates >> Device Certificates. 2. Click "New CSR". 3. Add a Common Name in FQDN format. 4. Add a Country code of US. 5. Under "Key type", if using RSA, select "RSA". If using ECC, select "ECC". 6. Under "Key length", if using RSA, select at least 2048. If using ECC, select "P-384". 7. Enter in random data in the text field. 8. Click "Create CSR". 9. Copy the Base 64/PEM encoded certificate request shown on the screen and paste it to a text file. Ensure the file has the file suffix of .csr. 10. Complete the local RA process for DoW web server certificate requests. Ensure that SANs are added to the certificate by the issuing CA to include the host name, cluster names, and all FQDNs. 11. Once the certificate is provided by the CA, go to System >> Configuration >> Certificates >> Device Certificates. 12. Click "Browse" and select the certificate file issued by the CA, then click "Import". 13. Click "Save Changes". 14. Click on the imported certificate. 15. On the internal port, click add for the cluster internal VIP and <Internal Port>. 16. On the external port, click add for the cluster external VIP and <External Port>. 17. Check the box for "Management Port". 18. Under "Certificate Status Checking", click the box for "Use CRLs". 19. Click "Save Changes".