mediumaccess-controlunverified
Ensure PKI-based authentication validates certificates to a trust anchor
pki-certificate-validation · RHEL ≥ 10 · 1 impl
Description
For PKI-based authentication, RHEL 10 must validate certificates by constructing a certification path (with status information) to an accepted trust anchor (e.g. the DOD root CA). This requires manual verification of the installed CA and trust path, and is not applicable when an approved alternate multifactor authentication method is used.
Rationale
Without a validated certification path to a trusted root, a forged or revoked certificate could be accepted, defeating PKI-based authentication.
Check → Remediate
Checkcommand
CA=/etc/sssd/pki/sssd_auth_ca_db.pem if [ -f "$CA" ]; then echo "MANUAL REVIEW REQUIRED: an SSSD PKI CA database is present ($CA). Verify it contains a valid DOD root CA and that a complete certification path to an accepted trust anchor can be constructed (openssl x509 -text -in $CA). Not applicable if an approved alternate MFA method is in use." else echo "MANUAL REVIEW REQUIRED: no SSSD PKI CA database was found ($CA). For PKI/CAC-based authentication, install the DOD root CA and configure a certification path to an accepted trust anchor. Not applicable if an approved alternate MFA method is in use." fi exit 0
- expected_exit:
- 0
Remediatemanual
- note:
- Install the DOD root CA into the SSSD CA database (/etc/sssd/pki/sssd_auth_ca_db.pem) and configure certificate verification (including OCSP/CRL status checking) so a full path to the trust anchor is validated.
Framework references
STIG
V-281329 / RHEL-10-701270
NIST 800-53
IA-5(2)
#authentication#pki#certificate#trust-anchor#stig#manual