The Juniper router must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-217352 | JUNI-ND-001430 | SV-217352r991995_rule | CCI-001159 | medium |

Description: For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority (CA) at medium assurance or higher, this CA will suffice.

| STIG | Date |
|---|---|
| Juniper Router NDM Security Technical Implementation Guide | 2024-12-05 |
Details
Check Text (C-217352r991995_chk)
Review the router configuration to verify that it is compliant with this requirement. The configuration below is an example of a CA profile that defines the name of the CA, the location of the CRL used for revocation checking (with the CRL refreshed every 24 hours), and the email address to which certificate requests are sent.

```
security {
    pki {
        ca-profile DODXX_CA {
            ca-identity xxxxx.mil;
            revocation-check {
                crl {
                    url http://server1.xxxxx.mil/CertEnroll/example.crl;
                    refresh-interval 24;
                }
            }
            administrator {
                email-address "certadmin@xxxxx.mil";
            }
        }
    }
}
```
If the router is not configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider, this is a finding.
Fix Text (F-18577r296635_fix)
Step 1. Create a trusted CA profile and the email address to which certificate requests are sent.

```
[edit security]
set pki ca-profile DODXX_CA ca-identity xxxxx.mil
set pki ca-profile DODXX_CA administrator email-address certadmin@xxxxx.mil
```
Step 2. Create a revocation check to specify a method for checking certificate revocation.

```
set pki ca-profile DODXX_CA revocation-check crl url http://server1.example.mil/CertEnroll/example.crl
set pki ca-profile DODXX_CA revocation-check crl refresh-interval 24
```
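To automate the check text above against a saved `show configuration` output, the following added example (not part of the STIG, and not Juniper code) flattens the curly-brace Junos hierarchy into set-style statements and reports, per `ca-profile`, which of the four elements the fix text configures (CA identity, CRL URL, CRL refresh interval, administrator email) are missing. The sample configuration is constructed to mirror the check-text example; `flatten` and `audit_ca_profiles` are hypothetical helper names.

```python
import re

# Constructed sample, shaped like the check-text example (not a real device dump).
SAMPLE_CONFIG = """
security {
    pki {
        ca-profile DODXX_CA {
            ca-identity xxxxx.mil;
            revocation-check {
                crl {
                    url http://server1.xxxxx.mil/CertEnroll/example.crl;
                    refresh-interval 24;
                }
            }
            administrator {
                email-address "certadmin@xxxxx.mil";
            }
        }
    }
}
"""

def flatten(config: str) -> list:
    """Turn curly-brace Junos config into 'set'-style statement strings."""
    stack, stmts = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            stack.pop()                         # leave the current hierarchy level
        elif line.endswith("{"):
            stack.append(line[:-1].strip())     # enter a new hierarchy level
        elif line.endswith(";"):
            stmts.append(" ".join(stack + [line[:-1].strip().replace('"', "")]))
    return stmts

def audit_ca_profiles(config: str) -> dict:
    """Return {profile_name: [missing elements]} for every security pki ca-profile."""
    stmts = flatten(config)
    profiles = set()
    for s in stmts:
        m = re.match(r"security pki ca-profile (\S+)", s)
        if m:
            profiles.add(m.group(1))
    required = {  # element name -> pattern it must match within the profile
        "ca-identity": r"ca-identity \S+",
        "crl url": r"revocation-check crl url \S+",
        "crl refresh-interval": r"revocation-check crl refresh-interval \d+",
        "administrator email": r"administrator email-address \S+@\S+",
    }
    report = {}
    for p in sorted(profiles):
        prefix = f"security pki ca-profile {p} "
        mine = [s[len(prefix):] for s in stmts if s.startswith(prefix)]
        report[p] = [n for n, pat in required.items() if not any(re.fullmatch(pat, s) for s in mine)]
    return report  # an empty dict means no CA profile exists at all, which is itself a finding
```

An empty report (no profiles) or any non-empty list of missing elements corresponds to the finding condition in the check text.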