Domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA).

From Windows Server 2008 R2 Domain Controller Security Technical Implementation Guide

Part of Directory PKI Certificate Source - Server

Associated with: CCI-000185

SV-39014r2_rule Domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA).

Vulnerability discussion

A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions. The use of multiple CAs from separate PKI implementations results in interoperability issues. If servers and clients do not have a common set of root CA certificates, they are not able to authenticate each other.

Check content

Verify the source of the domain controller's server certificate. Run "mmc". Select "Add/Remove Snap-in" from the File menu. Select "Certificates" in the left pane and click the "Add >" button. Select "Computer Account", click "Next". Select the appropriate option for "Select the computer you want this snap-in to manage.", click "Finish". Click "OK". Select and expand the Certificates (Local Computer) entry in the left pane. Select and expand the Personal entry in the left pane. Select the Certificates entry in the left pane. In the right pane, examine the Issued By field for the certificate to determine the issuing CA. If the Issued By field of the PKI certificate being used by the domain controller does not indicate the issuing Certificate Authority (CA) is part of the DoD PKI or an approved ECA, this is a finding. There are multiple sources from which lists of valid DoD CAs and approved ECAs can be obtained: The Global Directory Service (GDS) website provides an online source. The address for this site is https://crl.gds.disa.mil. DoD Public Key Enablement (PKE) Engineering Support maintains the InstallRoot utility to manage DoD supported root certificates on Windows computers which includes a list of authorized CAs. The utility package can be downloaded from the PKI and PKE Tools page on IASE. http://iase.disa.mil/pki-pke/function_pages/tools.html

Fix text

Obtain PKI certificates issued by the DoD PKI or an approved External Certificate Authority (ECA).

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer