TCAT-AS-001430 - Certificates in the trust store must be issued/signed by an approved CA.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Use of self-signed certificates creates a lack of integrity and invalidates the certificate based authentication trust model. Certificates used by production systems must be issued/signed by a trusted Root CA and cannot be self-signed. For systems that communicate with industry partners, the DoD ECA program supports the issuance of DoD-approved certificates to industry partners. For information on the DoD ECA program, refer to the DoD PKI office. Links to their site are available on https://public.cyber.mil.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Obtain and install the DoD PKI CA certificate bundles by accessing the DoD PKI office website at https://cyber.mil/pki-pke.

Download the certificate bundles and then use certificate management utilities such as keytool or openssl to import the DoD CA certificates into the trust store.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apache_Tomcat_Application_Server_9_V2R4_STIG.zip

Item Details

References: CAT|II, CCI|CCI-002470, Rule-ID|SV-222994r615938_rule, STIG-ID|TCAT-AS-001430, STIG-Legacy|SV-111511, STIG-Legacy|V-102571, Vuln-ID|V-222994

Plugin: Unix

Control ID: 58a98f6fb08ff06dd3c7f444ee219b9e3734eff9c6d24b06246813dae311f143