Rule ID
SV-273848r1111027_rule
Version
V1R1
CCIs
Public key infrastructure (PKI) certificates are certificates with visibility external to organizational systems and certificates related to the internal operations of systems, such as application-specific time services. In cryptographic systems with a hierarchical structure, a trust anchor is an authoritative source (i.e., a certificate authority) for which trust is assumed and not derived. A root certificate for a PKI system is an example of a trust anchor. A trust store or certificate store maintains a list of trusted root certificates.
Verify the network device is configured to include only approved trust anchors in trust stores or certificate stores managed by the organization.
Verify Device Certificate:
device# show ip ssl device-certificate
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 238779085 (0xe3b7acd)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=fe044db7a0ec05cf9736bfbcc2e186a76da5a13e49b1f12c8717e5c5bf5c32f2, L=10.176.156.30, O=cc:4e:24:8c:67:e8, OU=JLSAWZOIFZMD, CN=ICX
Validity
Not Before: Dec 3 22:40:24 2019 GMT
Not After : Nov 19 22:40:24 2079 GMT
Subject: C=US, ST=fe044db7a0ec05cf9736bfbcc2e186a76da5a13e49b1f12c8717e5c5bf5c32f2, L=10.176.156.30, O=cc:4e:24:8c:67:e8, OU=JLSAWZOIFZMD, CN=ICX
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:9f:87:35:01:dd:c3:63:52:7b:9d:aa:13:b7:39:
a9:0a:12:51:84:6e:57:ed:62:65:b7:79:31:72:35:
08:9a:d8:36:8b:f3:c8:76:47:90:5f:88:37:bc:6b:
1d:1f:5c:fd:0e:94:2d:7b:3a:54:d0:17:3c:96:d7:
be:a5:d8:0a:9c:54:08:08:30:06:84:a3:cb:1c:9f:
e0:ab:25:ac:59:02:7e:7b:cd:c2:bf:58:8d:63:09:
Verify SSL Certificate:
device(config)# show ip ssl certificate
Trusted Certificates:
Dynamic:
Index 0:
Signature Algorithm: sha256WithRSAEncryption
Issuer:
CN: 10.25.105.201
Validity:
Not Before: 2014 Aug 22 05:12:45
Not After : 2079 Aug 21 05:12:45
Subject:
CN: 10.25.105.201
X509v3 extensions:
X509v3 Subject Alternative Name:
IP Address: 10.25.105.201
Signature:
12:ec:41:d8:01:45:61:ce:cf:7e:80:de:a6:7c:a7:2e:01:7f:
42:27:22:1d:ac:a2:47:c5:0d:4f:e3:68:24:de:bf:50:40:65:
25:8c:30:bd:ff:a7:d0:21:73:d2:ba:5e:67:42:1f:bb:97:4a:
d9:1d:c3:ca:31:c4:59:10:79:d1:42:f4:b6:1a:b0:98:4e:a8:
ef:e2:a2:98:c3:14:16:63:50:02:a0:18:9c:7a:e3:17:39:0d:
b7:30:ab:23:9f:63:bd:0f:9e:d8:67:b0:fe:ec:3b:fa:4c:f4:
3d:34:e2:99:0e:99:24:ec:93:fb:8a:e5:4a:bf:74:d6:ff:91:
0a:dc:fb:b9:4f:91:5d:d4:f6:77:23:eb:ec:eb:3a:62:08:e1:
a6:ea:a8:52:b6:39:62:db:29:fa:61:1d:fd:d5:02:31:04:73:
50:ad:de:41:54:a5:e2:96:2d:9c:f4:68:b2:68:05:bb:39:47:
ee:74:89:a2:8c:30:f0:f9:d7:d5:4b:3b:e2:95:6f:82:61:a3:
c2:79:4c:f2:11:56:f8:2f:cc:fc:2b:4b:cb:3b:54:59:f0:8b:
5b:70:e1:27:c3:57:25:eb:35:c6:07:ea:6d:0b:34:04:95:81:
35:e6:64:c6:b8:72:e8:24:18:bd:ca:90:99:74:45:44:85:71:
9e:7f:13:96:
If the network device is not configured to include only approved trust anchors in trust stores or certificate stores managed by the organization, this is a finding.To allow a client to communicate with another RUCKUS ICX device using an SSL connection, a set of digital certificates and RSA public-private key pairs must be configured on the device. A digital certificate is used to identify the connecting client to the server. The certificate contains information about the issuing Certificate Authority as well as a public key. Digital certificates and private keys can be imported from a server. Copy the certificates from the server to flash memory and save the configuration. Router# copy scp flash 10.1.1.1 client_cert.pem ssl-client-cert Router# copy scp flash 10.1.1.1 client_cert.key.pem ssl-client-private-key Router# copy scp flash 10.1.1.1 root_cert.pem ssl-trust-cert Router# write memory