The Cisco switch must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-220515 | CISC-ND-001440 | SV-220515r991969_rule | CCI-001159 | medium |
Description

For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority (CA) at medium assurance or higher, this CA will suffice.
| STIG | Date |
|---|---|
| Cisco NX OS Switch NDM Security Technical Implementation Guide | 2025-05-19 |
Details
Check Text (C-220515r991969_chk)
If PKI certificates are not implemented on the switch, this requirement is not applicable.
Step 1: Review the switch configuration to determine if a CA trust point has been configured as shown in the example below:
crypto ca trustpoint CA_X
enrollment terminal
Step 2: Verify the CA is a DOD or DOD-approved service provider by entering the following command: show crypto ca certificates
The output will list the following information for each certificate:
Trustpoint (will map to a configured trustpoint from step 1)
Common Name (CN) of the issuer
Organization (O) of the issuer
Organization Unit (OU) of the issuer
Note: Cisco NX-OS software supports only the manual cut-and-paste method for certificate enrollment.
If the switch is not configured to obtain its public key certificates from a DOD or DOD-approved service provider, this is a finding.
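The two review steps above can be automated so that an auditor does not have to read issuer DNs by eye across many switches. The following Python script is an added example, not part of the STIG or of Cisco's software: it finds the `crypto ca trustpoint` stanzas in a saved running-config (step 1), parses the issuer lines of `show crypto ca certificates` output (step 2), and compares each issuer's CN, O and OU values against an allowlist of approved providers. The allowlist entries, the sample running-config, the sample `show` output and the CA names in it are all constructed for this example; the output layout is an approximation of NX-OS, so the regular expressions should be checked against a real capture before the script is relied on.

```python
"""Assisted check for the NX-OS trust point requirement (added example, not STIG text).

Step 1: list `crypto ca trustpoint <name>` stanzas from a running-config.
Step 2: read issuer= lines from `show crypto ca certificates` and compare the
        issuer's CN / O / OU values with an approved-provider allowlist.
All sample data and the allowlist below are constructed for this example.
"""
import re

# Constructed allowlist: each entry maps an attribute to the values that must
# all appear in the issuer DN for that attribute. Populate from your own
# policy source; the values here are placeholders, not an official list.
APPROVED_ISSUERS = [
    {"O": ["U.S. Government"], "OU": ["DoD"]},
]

# Constructed running-config excerpt: one approved trust point, one lab CA.
SAMPLE_RUNNING_CONFIG = """\
hostname nxos-core-1
crypto ca trustpoint CA_X
  enrollment terminal
crypto ca trustpoint VENDOR_LAB
  enrollment terminal
"""

# Constructed `show crypto ca certificates` output (layout approximates NX-OS;
# CA names are placeholders, not real DoD CA identifiers).
SAMPLE_SHOW_CERTS = """\
Trustpoint: CA_X
certificate:
subject= /CN=nxos-core-1.example.mil/OU=Network/O=Example Agency/C=US
issuer= /CN=ID CA PLACEHOLDER/OU=PKI/OU=DoD/O=U.S. Government/C=US
serial=0A1B2C
purposes: sslserver sslclient ike

CA certificate 0:
subject= /CN=ID CA PLACEHOLDER/OU=PKI/OU=DoD/O=U.S. Government/C=US
issuer= /CN=ROOT CA PLACEHOLDER/OU=PKI/OU=DoD/O=U.S. Government/C=US
serial=01
purposes: sslserver sslclient ike

Trustpoint: VENDOR_LAB
certificate:
subject= /CN=nxos-core-1/O=Example Agency/C=US
issuer= /CN=Lab Issuing CA/OU=Lab/O=Vendor Labs Inc/C=US
serial=77
purposes: sslserver sslclient ike
"""


def configured_trustpoints(running_config: str) -> list[str]:
    """Step 1: names of every `crypto ca trustpoint <name>` stanza."""
    return re.findall(r"^crypto ca trustpoint (\S+)", running_config, re.MULTILINE)


def parse_dn(dn: str) -> dict[str, list[str]]:
    """Turn '/CN=x/OU=a/OU=b/O=y' into {'CN': ['x'], 'OU': ['a', 'b'], 'O': ['y']}.
    Values are kept as lists because issuer names often carry several OUs."""
    fields: dict[str, list[str]] = {}
    for attr, value in re.findall(r"/([A-Za-z]+)=([^/]*)", dn):
        fields.setdefault(attr, []).append(value.strip())
    return fields


def parse_certificates(show_output: str) -> dict[str, list[dict[str, list[str]]]]:
    """Step 2: collect every issuer DN listed under each Trustpoint: block.
    Both the identity certificate and the CA certificate entries carry issuer=."""
    issuers: dict[str, list[dict[str, list[str]]]] = {}
    current = None
    for raw in show_output.splitlines():
        line = raw.strip()
        if line.startswith("Trustpoint:"):
            current = line.split(":", 1)[1].strip()
            issuers.setdefault(current, [])
        elif line.startswith("issuer=") and current is not None:
            issuers[current].append(parse_dn(line.split("=", 1)[1]))
    return issuers


def issuer_approved(issuer: dict[str, list[str]], allowlist=APPROVED_ISSUERS) -> bool:
    """True when some allowlist entry has all of its attribute values present in the issuer."""
    for entry in allowlist:
        if all(v in issuer.get(attr, []) for attr, values in entry.items() for v in values):
            return True
    return False


def evaluate(running_config: str, show_output: str, allowlist=APPROVED_ISSUERS) -> dict:
    """Apply the check text: N/A without trust points; a finding if any
    enrolled trust point chains to an issuer outside the allowlist."""
    trustpoints = configured_trustpoints(running_config)
    if not trustpoints:
        return {"applicable": False, "finding": False, "results": {}}
    certs = parse_certificates(show_output)
    results, finding = {}, False
    for tp in trustpoints:
        issuers = certs.get(tp, [])
        if not issuers:
            # Configured but not enrolled: nothing to judge, flag for manual review.
            results[tp] = {"issuers": [], "approved": None}
            continue
        approved = all(issuer_approved(i, allowlist) for i in issuers)
        results[tp] = {"issuers": [i.get("CN", ["?"])[0] for i in issuers], "approved": approved}
        finding = finding or not approved
    return {"applicable": True, "finding": finding, "results": results}


if __name__ == "__main__":
    report = evaluate(SAMPLE_RUNNING_CONFIG, SAMPLE_SHOW_CERTS)
    for tp, info in report["results"].items():
        print(f"{tp}: approved={info['approved']} issuers={info['issuers']}")
    print("FINDING" if report["finding"] else "not a finding")
```

On the constructed sample the script reports `CA_X` as approved and `VENDOR_LAB` as not approved, so the overall result is a finding, which is exactly the judgement the check text asks the reviewer to make. An unenrolled trust point is listed with `approved=None` rather than counted as a finding, since the check text only speaks to certificates that are actually present; an auditor still needs to decide whether such a stanza should exist.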
Fix Text (F-22219r991968_fix)
Ensure that certificate requests are only sent to DOD or DOD-approved service providers.