TCAT-AS-000700 - DoD root CA certificates must be installed in Tomcat trust store.


Tomcat trust stores are used to validate client certificates. On Ubuntu, Tomcat uses the 'cacerts' file as the CA trust store by default. The file is located in the /etc/ssl/certs/java/ folder, with a link to it at $JAVA_HOME/lib/security/cacerts. However, this location can be changed by setting the value of the Java system property that names the trust store; setting this property within an OS environment variable will point Tomcat at a different trust store.

The Java OS environment variables in the systemd Tomcat startup file must be checked in order to identify the location of the trust store on the file system. (The STIG uses the name tomcat.service as a reference, but technically this file can be called anything.)

If the property is not set, the default location is used for the trust store.
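The check above resolves to a two-step procedure: find out which trust store Tomcat actually loads, then confirm the DoD root CAs are in it. The script below is an added example and is not part of the STIG or the Tenable audit; it assumes the standard JSSE property javax.net.ssl.trustStore is what the unit file sets (via an Environment= line), that the default store is /etc/ssl/certs/java/cacerts as stated in the check text, and that keytool is available and the store password is the JDK default "changeit" unless one is supplied. The sample unit file content it writes for its demo run is constructed, not taken from any real host.

```shell
#!/bin/sh
# Added example: resolve the Tomcat trust store from a systemd unit and
# count DoD Root CA entries in it. Not the STIG's or Tenable's own code.

# Default location named in the STIG check text.
DEFAULT_TRUSTSTORE=/etc/ssl/certs/java/cacerts

# Print the trust store path configured in a unit file, or the default.
# Looks for the standard JSSE property javax.net.ssl.trustStore=<path>
# (assumption: JVM options are passed on Environment= lines). A following
# "trustStorePassword=" is not matched because "=" must directly follow
# "trustStore". The last occurrence in the file wins, as it does for the JVM.
tomcat_truststore_path() {
    unit="$1"
    found=$(sed -n 's/.*javax\.net\.ssl\.trustStore=\([^ "]*\).*/\1/p' "$unit" 2>/dev/null | tail -n 1)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
    else
        printf '%s\n' "$DEFAULT_TRUSTSTORE"
    fi
}

# Count aliases in a trust store whose name contains "DoD Root CA".
# Requires keytool from the JDK; the store password defaults to the
# JDK's "changeit" (assumption) and can be overridden as the 2nd argument.
dod_root_count() {
    store="$1"
    pass="${2:-changeit}"
    keytool -list -keystore "$store" -storepass "$pass" 2>/dev/null \
        | grep -ic 'dod root ca' || true
}

# Full check for one unit file: resolve the store, then verify its contents.
check_unit() {
    unit="$1"
    store=$(tomcat_truststore_path "$unit")
    echo "Unit file:       $unit"
    echo "Trust store:     $store"
    if [ ! -r "$store" ]; then
        echo "FAIL: trust store does not exist or is not readable"
        return 1
    fi
    n=$(dod_root_count "$store" "$2")
    echo "DoD Root CA entries: $n"
    if [ "$n" -eq 0 ]; then
        echo "FAIL: no DoD Root CA certificates found in trust store"
        return 1
    fi
    echo "PASS: DoD Root CA certificates present"
}

# Offline demo using a constructed unit file (no real host data).
demo() {
    tmpdir=$(mktemp -d)
    cat > "$tmpdir/tomcat.service" <<'EOF'
[Service]
Environment="CATALINA_OPTS=-Djavax.net.ssl.trustStore=/opt/tomcat/conf/dod-truststore.jks -Djavax.net.ssl.trustStorePassword=changeit"
ExecStart=/opt/tomcat/bin/catalina.sh run
EOF
    printf '[Service]\nExecStart=/opt/tomcat/bin/catalina.sh run\n' > "$tmpdir/plain.service"
    echo "Configured store: $(tomcat_truststore_path "$tmpdir/tomcat.service")"
    echo "Default store:    $(tomcat_truststore_path "$tmpdir/plain.service")"
    rm -rf "$tmpdir"
}

# Usage: sh check-truststore.sh /etc/systemd/system/tomcat.service [storepass]
if [ "$#" -gt 0 ]; then
    check_unit "$1" "$2"
else
    demo
fi
```

If the unit file pulls its variables in through EnvironmentFile= (or Tomcat's own setenv.sh), run tomcat_truststore_path against those files as well, since the property may be set there rather than in the unit itself; a store that resolves to the default cacerts still has to be inspected, because a stock JDK cacerts does not contain the DoD roots.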

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.


Obtain and install the DoD PKI CA certificate bundles by accessing the DoD PKI office website at

Import the DoD CA certificates.

Item Details


References: 800-53|IA-5(2)(a), CAT|II, CCI|CCI-000185, Rule-ID|SV-222966r879612_rule, STIG-ID|TCAT-AS-000700, STIG-Legacy|SV-111457, STIG-Legacy|V-102515, Vuln-ID|V-222966

Plugin: Unix

Control ID: 13e4facc5a49672d510cc9359567e1931cec58237ac930007336735cd944f0cc