Microsoft Windows Server 2019
Windows Server 2019 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store
Description
To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD Root CAs. The DoD root certificates will ensure that the trust chain is established for server certificates issued from the DoD CAs.Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000403-GPOS-00182
Check
Certificates and thumbprints referenced below apply to unclassified systems; refer to PKE documentation for other networks.Open "Windows PowerShell" as an administrator.Execute the following command:Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*DoD*" | FL Subject, Thumbprint, NotAfterIf the following certificate "Subject" and "Thumbprint" information is not displayed, this is a finding. Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=USThumbprint: D73CA91102A2204A36459ED32213B467D7CE97FBNotAfter: 12/30/2029Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=USThumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026NotAfter: 7/25/2032Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. Government, C=USThumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564BNotAfter: 6/14/2041Subject: CN=DoD Root CA 6, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: D37ECF61C0B4ED88681EF3630C4E2FC787B37AEFNotAfter: 1/24/2053 11:36:17 AMAlternately, use the Certificates MMC snap-in:Run "MMC".Select "File", "Add/Remove Snap-in".Select "Certificates" and click "Add".Select "Computer account" and click "Next".Select "Local computer: (the computer this console is running on)" and click "Finish".Click "OK".Expand "Certificates" and navigate to "Trusted Root Certification Authorities >> Certificates".Expand "Certificates" and navigate to "Trusted Root Certification Authorities >> Certificates".For each of the DoD Root CA certificates noted below:Right-click on the certificate and select "Open".Select the "Details" tab.Scroll to the bottom and select "Thumbprint".If the DoD Root CA certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding.DoD Root CA 3Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FBValid to: Sunday, December 30, 2029DoD Root CA 4Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026Valid to: Sunday, July 25, 2032DoD Root CA 5Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564BValid to: Friday, June 14, 2041DoD Root CA 6Thumbprint: D37ECF61C0B4ED88681EF3630C4E2FC787B37AEFBValid to: Friday, January 24, 2053
Fix
Install the DoD Root CA certificates:DoD Root CA 3DoD Root CA 4DoD Root CA 5DoD Root CA 6The InstallRoot tool is available on Cyber Exchange at https://cyber.mil/pki-pke/tools-configuration-files. Certificate bundles published by the PKI can be found at https://crl.gds.disa.mil/.