← Rules Catalog
mediumaccess-controlunverified

Ensure a DoD PKI trust anchor is configured for certificate validation

pki-ca-trust-anchor · RHEL ≥ 8 · 1 impl

Description

When PKI-based authentication is used, certificates must be validated to a DoD root CA trust anchor (e.g. /etc/sssd/pki/sssd_auth_ca_db.pem for SSSD smart card auth).

Rationale

Without a trusted CA anchor, certificate validation cannot establish that a presented certificate was issued by an authorized authority.

Check → Remediate

Checkcommand
# Applies only where SSSD PKI/smart-card auth is configured.
if ! grep -rhqsE '^\s*(pam_cert_auth|certificate_verification)\s*=' \
     /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf 2>/dev/null; then
  echo "NOT APPLICABLE: SSSD PKI/smart-card authentication not configured"
  exit 0
fi
ca=$(grep -rhsE '^\s*(pam_cert_db_path|ca_db)\s*=' /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf 2>/dev/null | sed -E 's/.*=\s*//' | head -1)
ca=${ca:-/etc/sssd/pki/sssd_auth_ca_db.pem}
if [ -s "$ca" ]; then
  echo "OK: PKI trust anchor present at $ca"
  exit 0
fi
echo "FAIL: PKI trust anchor $ca missing or empty"
exit 1
expected_exit:
0
Remediatemanual
note:
Install the DoD root CA bundle at the SSSD ca_db path (default /etc/sssd/pki/sssd_auth_ca_db.pem) and restart sssd.

Framework references

STIG

V-258131 / RHEL-09-631010V-230229 / RHEL-08-010090

NIST 800-53

IA-5(2)
#pki#ca#trust-anchor#sssd#stig