The Edge SWG must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-279273 | SRG-APP-000516-NDM-000344 | SYME-ND-000800 | SV-279273r1170704_rule | 2025-12-18 | 1 |
| Description |
|---|
| Before continuing, the site must follow the configuration steps in SYME-ND-000100. For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this certification authority will suffice. Satisfies: SRG-APP-000516-NDM-000344, SRG-APP-000910-NDM-000300 |
| ℹ️ Check |
|---|
| 1. Log in to the Edge SWG SSH CLI.<br>2. Enter "enable" and "configure terminal".<br>3. Issue the command "ssl", then issue the command "view keyring".<br>4. Find the keyrings that state: "FIPS compliant: yes".<br><br>1. Log in to the Edge SWG Web UI.<br>2. Navigate to the Configuration tab.<br>3. Click the SSL, and then keyrings section.<br><br>If the keyring in use was not FIPS compliant from step #3 above, this is a finding.<br>Click the keyring in use. If the certificate in the keyring was not issued by a DOD certificate authority, this is a finding. |
| ✔️ Fix |
|---|
| 1. Log in to the Edge SWG SSH CLI.<br>2. Enter "enable" and "configure terminal".<br>3. Enter "ssl".<br>4. Enter "create fips keyring show fips-keyring 2048". The "fips-keyring" name can be changed to whatever the site wants to use.<br>5. Enter "create signing-request fips-keyring".<br>6. Enter "view signing-request fips-keyring". Copy the signing request PEM data and provide it to the CA for certificate issuance.<br>7. Once the DOD CA issues/signs the certificate for the keyring, type "inline certificate fips-keyring ~", paste the raw certificate data into a text editor, then press Enter. Ensure the "~" is present at the end of the inserted text.<br>8. For each LDAP server CA certificate and CAC authentication CA certificate, issue the following command: "inline fips ca-certificate DODCA1 ~". Ensure the "~" is entered at the end of the certificate data paste. Note: DODCA1 is used as an example.<br>9. Repeat the "inline fips ca-certificate" command for all CA certificates in use for LDAPS and CAC authentication.<br>10. Create a new FIPS-enabled CCL by entering: "create fips ccl fips-ccl". The "fips-ccl" name can be changed to whatever the site wants to use.<br>11. Enter "edit ccl fips-ccl".<br>12. Enter "add", then enter all the CAs added in all previous steps.<br>13. Create an SSL device profile by entering: "create fips ssl-device-profile fips-profile fips-keyring". The "fips-profile" name can be changed to whatever the site wants to use. |
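The Check above asks for two properties of the certificate that ends up in the keyring: it was issued by the DOD CA, and the keyring is FIPS compliant (the Fix creates it with a 2048-bit key). The following script is an added example, not part of the STIG or of the Edge SWG CLI; it runs the same two checks with the openssl command-line tool on a certificate file before the data is pasted into "inline certificate" in step 7. The CA and certificates it generates are a constructed fixture, and "PLACEHOLDER-CA" is a made-up name standing in for the DOD CA, not a real issuer.

```shell
#!/bin/sh
# Added example (not from the STIG or the Edge SWG CLI): pre-check a CA-issued
# certificate for the two conditions the STIG check looks at, before it is
# pasted into "inline certificate fips-keyring ~".
# Assumes the openssl command-line tool is on the PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test fixture: a throwaway CA standing in for the DOD CA, one
# correctly issued 2048-bit leaf certificate, and one 1024-bit leaf that must
# be rejected. "PLACEHOLDER-CA" is a made-up name, not a real DOD CA.
make_fixture() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/C=US/O=Example/CN=PLACEHOLDER-CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

  # Mirrors "create fips keyring ... 2048" and "create signing-request":
  # a 2048-bit key and a CSR, then the CA signs it
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=US/O=Example/CN=swg.example.test" \
    -keyout "$WORK/good.key" -out "$WORK/good.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/good.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -out "$WORK/good.pem" >/dev/null 2>&1

  # Same issuer, but a 1024-bit key: below the keyring size the Fix creates
  openssl req -newkey rsa:1024 -nodes -sha256 \
    -subj "/C=US/O=Example/CN=swg.example.test" \
    -keyout "$WORK/weak.key" -out "$WORK/weak.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/weak.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -out "$WORK/weak.pem" >/dev/null 2>&1
}

# check_cert CERT CA_BUNDLE EXPECTED_ISSUER_CN
# Returns 0 only if the certificate chains to CA_BUNDLE (what the SWG's CCL
# will enforce), its issuer CN is the expected CA, and its RSA key is at
# least 2048 bits. Any failure is reported and returns 1.
check_cert() {
  cert=$1; ca=$2; want_cn=$3

  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "$cert: does not chain to the expected CA"; return 1; }

  # Issuer is printed as "CN = name" (OpenSSL 1.1/3) or "/CN=name" (older)
  issuer=$(openssl x509 -in "$cert" -noout -issuer)
  case "$issuer" in
    *"CN = $want_cn"*|*"CN=$want_cn"*) ;;
    *) echo "$cert: unexpected issuer: $issuer"; return 1 ;;
  esac

  # Pull the key size from the "Public-Key: (NNNN bit)" line of the text dump
  bits=$(openssl x509 -in "$cert" -noout -text \
         | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  [ "${bits:-0}" -ge 2048 ] \
    || { echo "$cert: RSA key is ${bits:-unknown} bits, need at least 2048"; return 1; }

  echo "$cert: OK (issuer CN=$want_cn, ${bits}-bit RSA)"
  return 0
}

# Stand-alone run: build the fixture and check both certificates
make_fixture
check_cert "$WORK/good.pem" "$WORK/ca.pem" "PLACEHOLDER-CA" || true
check_cert "$WORK/weak.pem" "$WORK/ca.pem" "PLACEHOLDER-CA" || true
```

To use it on a real certificate, replace the fixture files with the PEM returned by the CA, the DOD CA bundle that will go into the CCL, and the CA's subject CN; the chain check is the same one the SWG performs against the CCL, so a certificate that fails here would also fail once the device profile is in use.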