The DOD Root CA certificates must be installed in the Trusted Root Store.

STIG ID: WN11-PK-000005  |  SRG: SRG-OS-000066-GPOS-00034 |  Severity: medium (CAT II)  |  CCI: CCI-000185 |  Vulnerability Id: V-253427

Vulnerability Discussion

To ensure secure DOD websites and DOD-signed code are properly validated, the system must trust the DOD Root Certificate Authorities (CAs). The DOD root certificates will ensure that the trust chain is established for server certificates issued from the DOD CAs.

Check

Verify the DOD Root CA certificates are installed as Trusted Root Certification Authorities.

The certificates referenced below apply to unclassified systems; refer to PKE documentation for other networks.

Run "PowerShell" as an administrator.

Execute the following command:

Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*DoD*" | FL Subject, NotAfter

If valid DOD Root CA certificates (such as those below) are not displayed, this is a finding.

Note: The Common Names (CN) below are examples. Very the "CN" displayed is a DOD Root CA and is not expired.

Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US
NotAfter: 12/30/2029

Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. Government, C=US
NotAfter: 6/14/2041

Subject: CN=DoD Root CA 6 OU=PKI, OU=DoD, O=U.S. Government, C=US
NotAfter: 1/24/2053

Alternately, use the Certificates MMC snap-in:

Run "MMC".

Select "File" and "Add/Remove Snap-in".

Select "Certificates" and click "Add".

Select "Computer account" and click "Next".

Select "Local computer: (the computer this console is running on)" and click "Finish".

Click "OK".

Expand "Certificates" and navigate to Trusted Root Certification Authorities >> Certificates.

For each of the DOD Root CA certificates noted below:

Right-click on the certificate and select "Open".

Select the "Details" tab.

Verify the Expiration Date is a future date.

Scroll to the bottom and select "Subject".

If valid (unexpired) DOD Root CA certificates (such as those below) are not listed, this is a finding.

DoD Root CA 3 / OU = PKI / OU = DoD / O = U.S. Government / C = U

DoD Root CA 5 / OU = PKI / OU = DoD / O = U.S. Government / C = U

DoD Root CA 6 / OU = PKI / OU = DoD / O = U.S. Government / C = U

Fix

Install valid (unexpired) DOD Root CA certificates.

The list below is not to be treated as exhaustive. They are valid as of this writing, but the STIG should not be used as a definitive resource for the organizationally approved DOD Root CA certificates for the systems.

DoD Root CA 3
DoD Root CA 5
DoD Root CA 6

The InstallRoot tool is available on Cyber Exchange at https://cyber.mil/pki-pke/tools-configuration-files. PKI can be found at https://crl.gds.disa.mil/.