{"description": "The operating system must only allow the use of trusted PKI-established\ncertificate authorities for verification of the establishment of\nprotected sessions.", "rationale": "Untrusted Certificate Authorities (CA) can issue certificates, but they\nmay be issued by organizations or individuals that seek to compromise\nsystems or by organizations with insufficient security controls. If\nthe CA used for verifying the certificate is not an approved CA,\ntrust of this CA has not been established.\nThe Environment shall only accept PKI-certificates obtained from an approved\ninternal or external certificate authority. Reliance on CAs for the\nestablishment of secure sessions includes, for example, the use of\nSSL/TLS certificates.", "severity": "medium", "references": {}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "non-trusted CA is installed in the system", "ocil": "To check which CAs are trusted in your system, use\n\n<code>$ trust list --filter ca-anchors </code> on the Operating System\n\nand manually compare the supplied list with your internal list of allowed Certificate Authorities.", "oval_external_content": null, "fixtext": "\nTo remove CAs use\n<code> $ trust anchor --remove \"pkcs11:id=<%AA%BB%CC%DD%EE>;type=cert\" </code> after\ngetting the id with <code> $ trust list </code>", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Only Allow specific PKI-established CAs", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network_ssl/only_allow_specific_certs/rule.yml", "template": null}