
Enable Shared System Certificates

An XCCDF Rule

Description

The Shared System Certificates store gives NSS, GnuTLS, OpenSSL, and Java a single default source for system certificate anchors and blacklist information. Firefox can use this centralized store for its CA certificates. If the Shared System Certificates store is disabled, it can be enabled by running the following command:

$ sudo update-ca-trust enable

Rationale

The DOD root certificate will ensure that the trust chain is established for server certificates issued from the DOD CA.

ID
xccdf_org.ssgproject.content_rule_firefox_preferences-enable_ca_trust
Severity
Medium
References
Updated
Remediation - Shell Script

# Resolve where the libnssckbi.so alternative currently points.
P11=$(readlink /etc/alternatives/libnssckbi.so*)
P11LIB="/usr/lib/pkcs11/p11-kit-trust.so"
P11LIB64="/usr/lib64/pkcs11/p11-kit-trust.so"

# The store counts as disabled only when the link matches neither p11-kit
# trust module, so both comparisons must fail (&&). update-ca-trust enable
# is idempotent, so running it on an already-enabled host is harmless.
if ! [[ ${P11} == "${P11LIB64}" ]] && ! [[ ${P11} == "${P11LIB}" ]] ; then
   /usr/bin/update-ca-trust enable
fi
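An audit-side counterpart to the remediation above, added here as an example; it is not part of the SSG rule content. It assumes the same two p11-kit-trust module paths and the /etc/alternatives/libnssckbi.so* link name that the remediation uses, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report whether the libnssckbi.so alternative has been switched
# to the p11-kit trust module, which is what "update-ca-trust enable" does.
# Paths are the same assumptions the remediation script makes.
P11LIB="/usr/lib/pkcs11/p11-kit-trust.so"
P11LIB64="/usr/lib64/pkcs11/p11-kit-trust.so"

# Pure check: returns 0 when the given link target is one of the p11-kit trust
# modules, 1 otherwise (including an empty target, i.e. no alternative at all).
is_p11_kit_trust() {
    case "$1" in
        "$P11LIB"|"$P11LIB64") return 0 ;;
        *) return 1 ;;
    esac
}

# Immediate target of the libnssckbi.so alternative on this host, or an empty
# string if the alternative does not exist. Uses plain readlink (not -f) so the
# comparison matches the remediation script exactly.
current_libnssckbi_target() {
    for link in /etc/alternatives/libnssckbi.so*; do
        [ -L "$link" ] || continue
        readlink "$link"
        return 0
    done
    echo ""
}

# Audit entry point: exit 0 (pass) when shared system certificates are enabled,
# 1 (fail) with a hint otherwise.
audit_shared_trust() {
    target=$(current_libnssckbi_target)
    if is_p11_kit_trust "$target"; then
        echo "PASS: libnssckbi.so -> $target (shared system certificates enabled)"
        return 0
    fi
    echo "FAIL: libnssckbi.so -> ${target:-<missing>} (remediate with: sudo update-ca-trust enable)"
    return 1
}
```

Source the file and run `audit_shared_trust` to check a host; the non-zero exit status makes it usable from a compliance cron job or CI step.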