mediumaccess-controlunverified
Ensure a DoD PKI trust anchor is configured for certificate validation
pki-ca-trust-anchor · RHEL ≥ 8 · 1 impl
Description
When PKI-based authentication is used, certificates must be validated to a DoD root CA trust anchor (e.g. /etc/sssd/pki/sssd_auth_ca_db.pem for SSSD smart card auth).
Rationale
Without a trusted CA anchor, certificate validation cannot establish that a presented certificate was issued by an authorized authority.
Check → Remediate
Checkcommand
# Applies only where SSSD PKI/smart-card auth is configured.
if ! grep -rhqsE '^\s*(pam_cert_auth|certificate_verification)\s*=' \
/etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf 2>/dev/null; then
echo "NOT APPLICABLE: SSSD PKI/smart-card authentication not configured"
exit 0
fi
ca=$(grep -rhsE '^\s*(pam_cert_db_path|ca_db)\s*=' /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf 2>/dev/null | sed -E 's/.*=\s*//' | head -1)
ca=${ca:-/etc/sssd/pki/sssd_auth_ca_db.pem}
if [ -s "$ca" ]; then
echo "OK: PKI trust anchor present at $ca"
exit 0
fi
echo "FAIL: PKI trust anchor $ca missing or empty"
exit 1
- expected_exit:
- 0
Remediatemanual
- note:
- Install the DoD root CA bundle at the SSSD ca_db path (default /etc/sssd/pki/sssd_auth_ca_db.pem) and restart sssd.
Framework references
STIG
V-258131 / RHEL-09-631010V-230229 / RHEL-08-010090
NIST 800-53
IA-5(2)
#pki#ca#trust-anchor#sssd#stig