The network device, when utilizing PKI-based authentication, must accept only certificates issued by a DoD-approved Certificate Authority.

From Network Device Management Security Requirements Guide

Associated with: CCI-000185

SV-69387r2_rule The network device, when utilizing PKI-based authentication, must accept only certificates issued by a DoD-approved Certificate Authority.

Vulnerability discussion

Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted.When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA.

Check content

When PKI-based authentication is used, verify the network device accepts only certificates issued by a DoD-approved Certificate Authority. Determine if a CA trust point has been configured. The CA trust point will contain the URL for the CA governing the network device. Verify this is a DoD or DoD-approved CA. This requirement may be verified by configuration review or validated test results. If PKI-based authentication is used and the network device accepts certificates issued by other Certificate Authorities other than a DoD-approved Certificate Authority, this is a finding.

Fix text

Configure the network device to accept only certificates issued by a DoD-approved Certificate Authority.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.