Certificates in the trust store must be issued/signed by an approved CA.
An XCCDF Rule
Description
Use of self-signed certificates creates a lack of integrity and invalidates the certificate-based authentication trust model. Certificates used by production systems must be issued/signed by a trusted Root CA and cannot be self-signed. For systems that communicate with industry partners, the DoD ECA program supports the issuance of DoD-approved certificates to industry partners. For information on the DoD ECA program, refer to the DoD PKI office. Links to their site are available on https://public.cyber.mil.
- ID: SV-222994r961596_rule
- Version: TCAT-AS-001430
- Severity: Medium
- References
- Updated
Remediation Templates
A Manual Procedure
Obtain and install the DoD PKI CA certificate bundles by accessing the DoD PKI office website at https://cyber.mil/pki-pke.
Download the certificate bundles and then use certificate management utilities such as keytool or openssl to import the DoD CA certificates into the trust store.
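The procedure above can be scripted so that the bundle is audited before anything is imported. The following POSIX shell script is an added example, not part of the STIG rule or of any DoD tooling. It splits a PEM bundle into individual certificates, reads each subject and issuer with `openssl x509 -nameopt RFC2253` (so distinguished names compare as plain strings), classifies every certificate against an approved-CA list, and only then imports the bundle into the Tomcat JVM trust store with `keytool -importcert -trustcacerts`. The approved-CA names, file paths, alias prefix and the `STOREPASS` variable are hypothetical; openssl and keytool are assumed to be on PATH. One caveat the rule text glosses over: root CA certificates are self-signed by nature, so the audit accepts a self-signed certificate only when its own name is on the approved list (a trust anchor) and reports every other self-signed or unapproved-issuer entry as a finding.

```sh
#!/bin/sh
# Added example (not from the STIG): audit a PEM CA bundle against an
# approved-issuer list, then import it into a Java trust store with keytool.
# Assumes openssl and keytool on PATH; all names and paths are hypothetical.

set -u

# Distinguished names of approved CAs in RFC 2253 form, one per line
# (constructed placeholders; replace with the DNs of the DoD CAs you install).
APPROVED_ISSUERS='CN=Example Approved Root CA,O=Example Org,C=US
CN=Example Approved Issuing CA 1,O=Example Org,C=US'

# Strip the "subject=" / "issuer=" prefix that openssl prints.
dn_value() {
    printf '%s' "$1" | sed -e 's/^[a-z]*=[[:space:]]*//'
}

# True (exit 0) when the DN is one of the approved CA names.
is_approved_issuer() {
    printf '%s\n' "$APPROVED_ISSUERS" | grep -qxF -- "$1"
}

# Classify one certificate from its subject and issuer lines:
#   trust-anchor : self-signed AND its own name is on the approved list
#   approved     : issued by an approved CA
#   FINDING      : self-signed under an unapproved name, or unapproved issuer
classify_cert() {
    subj=$(dn_value "$1")
    iss=$(dn_value "$2")
    if [ "$subj" = "$iss" ]; then
        if is_approved_issuer "$subj"; then echo trust-anchor; else echo FINDING; fi
    elif is_approved_issuer "$iss"; then
        echo approved
    else
        echo FINDING
    fi
}

# Number of certificates in a PEM bundle (text count, no openssl needed).
count_pem_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Split a PEM bundle into cert-NNN.pem files inside the given directory.
split_pem_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%03d.pem", dir, n) }
        n > 0 { print > f }
        /^-----END CERTIFICATE-----/ { close(f) }' "$1"
}

# Print one verdict line per certificate; return non-zero on any FINDING.
audit_pem_bundle() {
    tmp=$(mktemp -d); split_pem_bundle "$1" "$tmp"; rc=0
    for pem in "$tmp"/cert-*.pem; do
        subj=$(openssl x509 -in "$pem" -noout -nameopt RFC2253 -subject)
        iss=$(openssl x509 -in "$pem" -noout -nameopt RFC2253 -issuer)
        verdict=$(classify_cert "$subj" "$iss")
        echo "$verdict  $(dn_value "$subj")"
        [ "$verdict" = FINDING ] && rc=1
    done
    rm -rf "$tmp"; return $rc
}

# Import each certificate of the bundle into a JKS/PKCS12 trust store, one
# alias per certificate. The store password comes from STOREPASS (must be set).
import_pem_bundle() {
    tmp=$(mktemp -d); split_pem_bundle "$1" "$tmp"; i=0
    for pem in "$tmp"/cert-*.pem; do
        i=$((i + 1))
        keytool -importcert -trustcacerts -noprompt -keystore "$2" \
            -storepass "$STOREPASS" -alias "dod-ca-$i" -file "$pem"
    done
    rm -rf "$tmp"
}

# Usage (hypothetical paths): audit first, import only if the audit is clean.
#   STOREPASS=changeit sh audit_import.sh /tmp/dod-ca-bundle.pem /opt/tomcat/conf/truststore.p12
if [ "$#" -eq 2 ]; then
    audit_pem_bundle "$1" && import_pem_bundle "$1" "$2"
fi
```

Because `keytool -importcert` into a trust store stores the certificate as a trusted entry without re-validating its chain, the audit step is what enforces the rule: run it (or re-run `keytool -list -v` through the same `classify_cert` logic) after any change to the trust store, and treat every `FINDING` line as a certificate that must be removed or re-issued by an approved CA.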