You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Is your feature request related to a problem? Please describe.
There are several vulnerabilities that exist involving DOD Root certificates. PowerSTIG should have the ability to install the latest version to provide a more complete configuration.
Describe the solution you'd like
Create an org setting for Server and Client OS that will have a blank path variable. Users will specify a location for the dodrootcert.msi to install with PowerSTIG
The text was updated successfully, but these errors were encountered:
Why would you want to do this with PowerSTIG? Im usually using PowerSTIG as the last resource in a DSC configuration, I would use the DSC Package resource prior to PowerSTIG to install the DOD root application from DISA. Or at the very least maybe the Package resource can become part of the resources PowerSTIG uses to do this?
PowerSTIG has rules for each OS that call out specific versions of these certificates with Thumbprints represented.
Example of 2019 - Member Server STGS
V-93487-
If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding.
Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US
Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561
NotAfter: 12/5/2029
Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US
Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB
NotAfter: 12/30/2029
Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US
Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026
NotAfter: 7/25/2032
Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. Government, C=US
Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B
NotAfter: 6/14/2041
Your method just uses a package resource to install the root cert application, not actually confirm the certificates exist.
How do you use DSC to determine if each certificate exists where it should be?
I am using the CertificateDSC resource that will ensure each certificate, based on thumbprint is in the Localmachine\root or Localmachine\disallowed depending on interoperability or root CA cert.
If you choose not to use these you can always skip them in your config.
This makes sense, I wasnt sure exactly why you were doing this and in my experience after running the DOD root application and then running a SCAP scan the certs have always been reported as being where they were supposed to be. I was just curious, thanks for the quick response.
Is your feature request related to a problem? Please describe.
There are several vulnerabilities that exist involving DOD Root certificates. PowerSTIG should have the ability to install the latest version to provide a more complete configuration.
Describe the solution you'd like
Create an org setting for Server and Client OS that will have a blank path variable. Users will specify a location for the dodrootcert.msi to install with PowerSTIG
The text was updated successfully, but these errors were encountered: