The Cisco ACI must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
Overview
Finding ID | Version | Rule ID | IA Controls | Severity
V-271922 | CACI-ND-000007 | SV-271922r1114181_rule |  | Medium
Description
After initial setup, the Cisco ACI uses a self-signed certificate as the SSL/TLS server certificate for HTTPS on the APIC. A self-signed certificate is neither appropriate nor approved for use in DOD: it is not issued under an approved certificate policy, so clients cannot validate the APIC's identity against a trusted CA, and an attacker who can interpose on the management path can present their own self-signed certificate that looks no different.
STIG | Date
Cisco ACI NDM Security Technical Implementation Guide | 2025-06-13
Details
Check Text (C-75972r1063955_chk)
From the GUI menu bar:
1. Navigate to Admin >> AAA >> Security >> Public Key Management >> Certificate Authorities.
2. Verify the Issuer is an approved CA.
Having an approved CA configured is necessary but not sufficient: also confirm, under Fabric >> Fabric Policies >> Policies >> Pod >> Management Access >> Default, that the Admin KeyRing in use holds the certificate issued by that CA rather than the default self-signed certificate.
If the Cisco ACI does not obtain its public key certificates from an appropriate certificate policy through an approved service provider, this is a finding.
Fix Text (F-75879r1063162_fix)
From the GUI menu bar:
1. Navigate to Admin >> AAA >> Security >> Public Key Management >> Certificate Authorities.
2. Fill in the form, including the trusted CA root certificate and CA intermediate certificate. Click "Submit".
3. Navigate to Admin >> AAA >> Security >> Public Key Management >> Key Rings. Fill out the form and click "Submit".
4. Navigate to Admin >> AAA >> Security >> Public Key Management >> Key Rings. Fill out the form and click "Submit".
5. Get the CSR and send it to the CA organization.
6. On the menu bar, navigate to Admin >> AAA >> Security >> Public Key Management >> Key Rings.
7. Double-click the created Key Ring name and find the Request field; its content is the CSR that was sent to the CA. Enter the certificate returned by the CA in the key ring's Certificate field and click "Submit".
8. Update the signing certificate used by the web interface. On the menu bar, navigate to Fabric >> Fabric Policies >> Policies >> Pod >> Management Access >> Default.
9. In the Admin KeyRing drop-down list, choose the new key ring. Click "Submit". The browser session was established under the old certificate, so after Submit the GUI reports a certificate error; refresh the page so the browser loads the APIC's new CA-issued certificate, and verify that the certificate now presented chains to the approved CA.