{"description": "The operating system must only allow the use of DoD PKI-established\ncertificate authorities for verification of the establishment of\nprotected sessions.", "rationale": "Untrusted Certificate Authorities (CA) can issue certificates, but they\nmay be issued by organizations or individuals that seek to compromise\nDoD systems or by organizations with insufficient security controls. If\nthe CA used for verifying the certificate is not a DoD-approved CA,\ntrust of this CA has not been established.\nThe DoD will only accept PKI-certificates obtained from a DoD-approved\ninternal or external certificate authority. Reliance on CAs for the\nestablishment of secure sessions includes, for example, the use of\nSSL/TLS certificates.", "severity": "medium", "references": {"srg": ["SRG-OS-000403-GPOS-00182"], "stigid": ["UBTU-22-631010"], "stigref": ["SV-260580r958868_rule"]}, "control_references": {"stigid": ["UBTU-22-631010"]}, "components": [], "identifiers": {}, "ocil_clause": null, "ocil": null, "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Only Allow DoD PKI-established CAs", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network_ssl/only_allow_dod_certs/rule.yml", "template": null}