The External Root CA certificates must be installed in the Trusted Root Store on unclassified systems.

STIG ID: WN11-PK-000010  |  SRG: SRG-OS-000066-GPOS-00034 |  Severity: medium (CAT II)  |  CCI: CCI-000185 |  Vulnerability Id: V-253428

Vulnerability Discussion

To ensure secure websites protected with External Certificate Authority (ECA) server certificates are properly validated, the system must trust the ECA Root CAs. The ECA root certificates will ensure the trust chain is established for server certificates issued from the External CAs. This requirement applies only to unclassified systems.

Check

Verify the ECA Root CA certificates are installed on unclassified systems as Trusted Root Certification Authorities.

Run "PowerShell" as an administrator.

Execute the following command:

Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*ECA*" | FL Subject, NotAfter

If the following certificate "Subject" information is not displayed, this is a finding.

Note: The Common Name (CN) below is an example. Verify the "CN" displayed (ECA Root CA) is not expired. As of this writing, ECA Root CA 4 and ECA Root 5 are valid (among others).

Subject: CN=ECA Root CA 4, OU=ECA, O=U.S. Government, C=US
Subject: CN=ECA Root CA 5, OU=ECA, O=U.S. Government, C=US

Alternately, use the Certificates MMC snap-in:

Run "MMC".

Select "File" and "Add/Remove Snap-in".

Select "Certificates" and click "Add".

Select "Computer account" and click "Next".

Select "Local computer: (the computer this console is running on)" and click "Finish".

Click "OK".

Expand "Certificates" and navigate to Trusted Root Certification Authorities >> Certificates.

For each of the ECA Root CA certificates noted below:

Right-click on the certificate and select "Open".

Select the "Details" tab.

Verify the Expiration Date is a future date.

Scroll to the bottom and select "Subject".

If the certificates listed do not include "ECA Root CA" in the name or are expired, this is a finding.

Note: This is not a complete list of possible ECA Root CA certificates.

ECA Root CA 4

ECA Root CA 5

Fix

Install a valid (unexpired) ECA Root CA certificate on unclassified systems. The list below is not to be treated as exhaustive. They are valid as of this writing, but the STIG should not be used as a definitive resource for the organizationally approved ECA Root CA certificates for your systems.

ECA Root CA 4
ECA Root CA 5

The InstallRoot tool is available on Cyber Exchange at https://cyber.mil/pki-pke/tools-configuration-files. PKI can be found at https://crl.gds.disa.mil/.