← Rules Catalog
mediumaccess-controlunverified

Ensure PKI-based authentication validates certificates to a trust anchor

pki-certificate-validation · RHEL ≥ 10 · 1 impl

Description

For PKI-based authentication, RHEL 10 must validate certificates by constructing a certification path (with status information) to an accepted trust anchor (e.g. the DOD root CA). This requires manual verification of the installed CA and trust path, and is not applicable when an approved alternate multifactor authentication method is used.

Rationale

Without a validated certification path to a trusted root, a forged or revoked certificate could be accepted, defeating PKI-based authentication.

Check → Remediate

Checkcommand
CA=/etc/sssd/pki/sssd_auth_ca_db.pem
if [ -f "$CA" ]; then
  echo "MANUAL REVIEW REQUIRED: an SSSD PKI CA database is present ($CA). Verify it contains a valid DOD root CA and that a complete certification path to an accepted trust anchor can be constructed (openssl x509 -text -in $CA). Not applicable if an approved alternate MFA method is in use."
else
  echo "MANUAL REVIEW REQUIRED: no SSSD PKI CA database was found ($CA). For PKI/CAC-based authentication, install the DOD root CA and configure a certification path to an accepted trust anchor. Not applicable if an approved alternate MFA method is in use."
fi
exit 0
expected_exit:
0
Remediatemanual
note:
Install the DOD root CA into the SSSD CA database (/etc/sssd/pki/sssd_auth_ca_db.pem) and configure certificate verification (including OCSP/CRL status checking) so a full path to the trust anchor is validated.

Framework references

STIG

V-281329 / RHEL-10-701270

NIST 800-53

IA-5(2)
#authentication#pki#certificate#trust-anchor#stig#manual