Question DoD Interoperability - Issues with Bad CERT Errors on Enterprise Level

Mind Games

Distinguished
Apr 3, 2013
246
0
18,760
Hello all,


I am reaching out to several tech communities to hive-mind the troubleshooting of this issue.
Basically, my organization is facing several issues with a website known as DCPDS. The DoD Interoperability certificates and a few others are the cause of this. We remove them using the DISA-approved cross-cert removal tool, and have also tried exporting the certificates, removing them, and then installing them as "Untrusted" so that they wouldn't be installed again. Unfortunately, it seems that no matter what avenue we take to remove these certificates, they are reacquired and continue to cause issues for the affected users. I suspect that a GPO setting or the website in question may be the cause. I'm basically looking for another method of attack from our end that will permanently remove the certificates.


Regards.
 

Mind Games

Apr 3, 2013
Org is DoD. And I understand it's an unusual question that's even more difficult to grasp if people here haven't worked with certificates before. I'm just seeing if, by some minuscule chance, someone out there happens to have fixed it in their organization or not. Thanks for your reply!
 

Mind Games

Apr 3, 2013
It's highly likely that we wouldn't be able to solve the issue on the user end, but man, is it a pain getting any guidance from these external teams. I'll mark this resolved since I realize now this isn't a very relevant topic for this sub-forum.

Regards.
 

Mind Games

Apr 3, 2013
Have you spoken to DISA about this?
GPO settings, erroneous or not, don't 'just happen'. Someone in your org or up has to cause those to be pushed.

While that would be an interesting conversation to have with their service desk, I'm localized to the org we are a part of and supporting. DISA is the next echelon up from our organization, but I'm not entirely sure we fall under their forest in AD. We operate on a network that is hosted by them, but the ADs are entirely separate from each other; they "host" us, I guess. I've contacted DCPDS on the matter and all I've received from them is "We are aware and are investigating a resolution," and that came from a supervisor of their service desk. I've also discovered through militarycac.com a list of "Bad Certs" that the DoD does not like very much, and naturally the Interop certs are listed there. In regards to the GPO, I gather that if DISA's or my organization's GPO is somehow being applied to our machines in the Corps of Engineers, then this would likely be the root of the issue with the certs being pushed again, regardless of them being untrusted/removed. They don't necessarily have to be pushed: if updates are done or changes are made to the GPO, then they would do the push to update machines to the current policy if they are online or connected. They can trigger based on certain events, like a machine turning on and connecting to the network or being logged into, or in this case accessing a website hosted on their servers under that domain controller.

ACTUALLY, that HAS to be what it is. Whether it's the DISA or ACOE GPO or not, it may be that they are getting downloaded again because the DC sees that the machine no longer has them, or sees they aren't where they are supposed to be stored (like when we list them as untrusted). Users wouldn't immediately experience the issue again; it would take a few days for them to end up having to call us back and have the certificates removed again.

I'll investigate tomorrow in the Group Policy Management tool whether it's DISA or ACOE that's applying these certificates. I have seen the certificate store that's applied, but I have never checked which certs are listed under Trusted Root Certification Authorities, or any of the public keys for that matter.

I will have to test the above theory tomorrow. Our machines under our tree don't seem to get the certificates pushed to us, and if they are pushed to us, since we have no use for portals like DCPDS, it's hard to troubleshoot in-house or replicate, so I'll have to coordinate with a team or a few users who have the error tomorrow and log what OU they fall under. I appreciate your reply; had you not replied, I wouldn't have ever considered that. Who knows, though, I could be entirely wrong in my understanding of this and how GPOs are applied. I've only recently picked up these types of issues and have never interfaced with issues of this scale before, so any help I get is very appreciated, and I'm also learning more, which is great.
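A worked check for the theory in the last post (and for the removal attempts described in the opening post), added here as an example and not something posted in the thread: it lists where the suspect certificates sit in the Windows stores, and then looks them up in the registry keys that Group Policy and AD certificate publication mirror certificates into. If a thumbprint appears under one of those policy keys, the certificate is being supplied by policy and will come back on the next refresh no matter how often it is deleted locally, which is exactly the "reacquired after a few days" pattern described above. It assumes the certificates can be recognised by "Interoperability" in their Subject or Issuer (the thread only names them as DoD Interoperability certs); the `$KnownThumbprints` list is a placeholder to fill in from the DISA cross-cert tool's output if you have it.

```powershell
# Added example, not code from the thread or from DISA. Assumption: the stuck
# certificates can be recognised by "Interoperability" in Subject or Issuer;
# exact thumbprints, if known, go in $KnownThumbprints. Run elevated on an
# affected machine, as the affected user.

$Pattern          = 'Interoperability'
$KnownThumbprints = @()   # e.g. 'ABCD...' from the cross-cert removal tool (none assumed)

# Stores that matter for chain building, plus Disallowed ("Untrusted Certificates").
$Stores = 'Root', 'CA', 'AuthRoot', 'Disallowed'

# Registry locations that Group Policy / AD publication mirror certificates into.
# The subkey under ...\Certificates is the SHA-1 thumbprint, so a match here
# means the certificate is policy-delivered, not locally installed.
$PolicyRoots = @{
    'GPO (Computer Configuration)' = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates'
    'GPO (User Configuration)'     = 'HKCU:\SOFTWARE\Policies\Microsoft\SystemCertificates'
    'AD published (certutil -dspublish)' = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates'
}

function Find-SuspectCerts {
    # Walk the merged Cert: view for both the machine and the current user.
    foreach ($scope in 'LocalMachine', 'CurrentUser') {
        foreach ($store in $Stores) {
            $path = "Cert:\$scope\$store"
            if (-not (Test-Path $path)) { continue }
            Get-ChildItem $path | Where-Object {
                $_.Subject -match $Pattern -or $_.Issuer -match $Pattern -or
                $KnownThumbprints -contains $_.Thumbprint
            } | ForEach-Object {
                [pscustomobject]@{
                    Scope      = $scope
                    Store      = $store
                    Thumbprint = $_.Thumbprint
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    NotAfter   = $_.NotAfter
                }
            }
        }
    }
}

function Get-PolicySource {
    # Report every policy key that carries this thumbprint, or 'local store only'.
    param([string]$Thumbprint)
    $hits = foreach ($name in $PolicyRoots.Keys) {
        foreach ($store in $Stores) {
            $key = Join-Path $PolicyRoots[$name] "$store\Certificates\$Thumbprint"
            if (Test-Path $key) { "$name -> $store" }
        }
    }
    if ($hits) { $hits -join '; ' } else { 'local store only' }
}

$found = Find-SuspectCerts
if (-not $found) {
    Write-Host "No certificate matching '$Pattern' found in the checked stores."
    return
}

$found | ForEach-Object {
    $_ | Add-Member -NotePropertyName DeliveredBy `
                    -NotePropertyValue (Get-PolicySource $_.Thumbprint) -PassThru
} | Format-Table Scope, Store, DeliveredBy, Thumbprint, Subject -AutoSize

# To see which GPOs are actually applied (names to take to DISA/ACOE):
#   gpresult /scope computer /r
#   gpresult /scope user /r
```

Reading the output: a row whose DeliveredBy is "local store only" is one the cross-cert removal tool can keep deleted; a row pointing at a GPO or AD-published key will be re-applied at every policy refresh (`gpupdate /force` reproduces it on demand, which also gives you a way to test the theory the same day instead of waiting for users to call back). In that case the durable fix is in the GPO that owns the key, either removing the certificate from its Trusted Root/Intermediate list or pushing it into Disallowed through the same policy, rather than anything done on the workstation. The `gpresult` lines at the end name the applied GPOs so the ownership question (DISA or ACOE) can be settled from the affected machine itself.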