The Cisco switch must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-220515 | SRG-APP-000516-NDM-000344 | CISC-ND-001440 | SV-220515r991969_rule | 2025-02-27 | 3 |
| Description |
|---|
| For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority (CA) at medium assurance or higher, this CA will suffice. |
| ℹ️ Check |
|---|
| If PKI certificates are not implemented on the switch, this requirement is not applicable. Step 1: Review the switch configuration to determine if a CA trust point has been configured as shown in the example below: crypto ca trustpoint CA_X enrollment terminal Step 2: Verify the CA is a DOD or DOD-approved service provider by entering the following command: show crypto ca certificates The output will list the following information for each certificate: Trustpoint (will map to a configured trustpoint from step 1) Common Name (CN) of the issuer Organization (O) of the issuer Organization Unit (OU) of the issuer Note: Cisco NX-OS software supports only the manual cut-and-paste method for certificate enrollment. If the switch is not configured to obtain its public key certificates from a DOD or DOD-approved service provider, this is a finding. |
| ✔️ Fix |
|---|
| Ensure that certificate requests are only sent to DOD or DOD-approved service providers. |