Rule ID
SV-269802r1052489_rule
Version
V1R1
CCIs
CCI-000366, CCI-001159, CCI-004909
For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this certification authority (CA) will suffice.
Satisfies: SRG-APP-000516-NDM-000344, SRG-APP-000910-NDM-000300
Determine if the OS10 Switch obtains public key certificates from an appropriate certificate policy through an approved service provider.
Verify the configured CA certificates with the following commands:
OS10# show crypto ca-certs
--------------------------------------
| Locally installed certificates |
--------------------------------------
DOD_PKE.crt
OS10#
OS10# show crypto ca-certs DOD_PKE.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
...
If the OS10 Switch does not obtain its public key certificates from an appropriate certificate policy through an approved service provider, this is a finding.
Configure the OS10 Switch to obtain its public key certificates from an appropriate certificate policy through an approved service provider.
Install CA certificates using the crypto ca-cert install command as shown in the example below.
OS10# crypto ca-cert install
Certificate base file name : DOD_PKE
Paste certificate below.
Include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- headers.
Enter a blank line to abort this command.
Certificate:
-----BEGIN CERTIFICATE-----
MIID...
...
...=
-----END CERTIFICATE-----
Install as trusted-host certificate? [yes/no]:n
Processing file ...
Installed Root CA certificate
CommonName = ...
IssuerName = ...
OS10#
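An added example, not part of the STIG text or vendor documentation: a Python script that parses a captured show crypto ca-certs listing in the format shown in the check and compares the installed file names with a site-maintained approved list. The APPROVED set, the lab-test.crt entry and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: the listing from the check text, plus one extra
# hypothetical entry (lab-test.crt) so the audit has something to flag.
CAPTURE = """\
OS10# show crypto ca-certs
--------------------------------------
| Locally installed certificates |
--------------------------------------
DOD_PKE.crt
lab-test.crt
OS10#
"""

# Assumption: the site keeps its own list of CA file names it installed from
# its approved provider; this set is illustrative, not taken from the STIG.
APPROVED = {"DOD_PKE.crt"}

PROMPT = re.compile(r"^\S+#")   # e.g. "OS10#", with or without a command
RULE = re.compile(r"^-{3,}$")   # banner rule lines made of dashes


def installed_ca_certs(capture):
    """Return the certificate file names listed under the banner."""
    names, in_list = [], False
    for raw in capture.splitlines():
        line = raw.strip()
        if "Locally installed certificates" in line:
            in_list = True
            continue
        if not in_list or not line or RULE.match(line):
            continue
        if PROMPT.match(line):  # the next prompt ends the listing
            break
        names.append(line)
    return names


def audit(capture, approved):
    """Classify the listing; an empty listing is also marked for review."""
    names = installed_ca_certs(capture)
    unapproved = sorted(n for n in names if n not in approved)
    missing = sorted(approved - set(names))
    return {"installed": names, "unapproved": unapproved, "missing": missing,
            "review": bool(unapproved or missing or not names)}


if __name__ == "__main__":
    for key, value in audit(CAPTURE, APPROVED).items():
        print(f"{key}: {value}")
```

A file name is whatever the operator typed at the "Certificate base file name" prompt, so a match here only narrows the review; the issuer and subject shown by show crypto ca-certs <name> still have to be inspected.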