MKE's self-signed certificates must be replaced with DOD trusted, signed certificates.

An XCCDF Rule

Description

<VulnDiscussion>Self-signed certificates pose security risks, as they are not issued by a trusted third party. DOD trusted, signed certificates have undergone a validation process by a trusted CA, reducing the risk of man-in-the-middle attacks and unauthorized access. MKE uses TLS to protect sessions. Using trusted certificates ensures that only trusted sources can access the MKE cluster.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-260927r966138_rule
Severity: Medium
References: CCI-000185 CCI-000381
Updated: 19 days ago

If Kubernetes ingress is being used, this is Not Applicable.

Integrate MKE and MSR (if used) with a trusted certificate authority CA.

Log in to the MKE web UI and navigate to admin >> Admin Settings >> Certificates.
Either fill in the "CA Certificate" field with the contents of the external public CA certificate or upload a file.

Either fill in the "Server Certificate" and "Private Key" fields with the contents of the public/private certificates or upload a file.

The "Server Certificate" field must include both the MKE server certificate and any intermediate certificates.

Click "Save".

MKE's self-signed certificates must be replaced with DOD trusted, signed certificates.

Description

Remediation - Manual Procedure