From 87686bc3c51186daed8a6bebca69a3e0fc6684e8 Mon Sep 17 00:00:00 2001 From: Long Lam <31355535+eemperor@users.noreply.github.com> Date: Fri, 9 Aug 2024 14:28:40 -0400 Subject: [PATCH] Add instructions to update dodcert.sls --- ash-windows/stig/Update_DOD_CA_certs.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 ash-windows/stig/Update_DOD_CA_certs.md diff --git a/ash-windows/stig/Update_DOD_CA_certs.md b/ash-windows/stig/Update_DOD_CA_certs.md new file mode 100644 index 0000000..db9cf0e --- /dev/null +++ b/ash-windows/stig/Update_DOD_CA_certs.md 
@@ -0,0 +1,14 @@ +Over time, as old DoD Root CAs expire and new ones are released, it will be necessary to update [dodcerts.sls](https://github.com/plus3it/ash-windows-formula/blob/master/ash-windows/stig/dodcerts.sls) to incorporate the new DoD CA guidance. + +Process to update `dodcerts.sls`: +- Obtain new Windows SCAP content from [DoD Cyber Exchange ](https://public.cyber.mil/stigs/scap/) and incorporate the new content in the `disa` folder of the [scap-formula](https://github.com/plus3it/scap-formula/tree/master/scap/content/guides/disa) project + +- Generate a SCAP scan and determine if the report indicates any DoD CA-related findings + +- If DoD CA findings exist, there will be a `Fix Text` section providing information on how to resolve the finding. For Windows, it involves downloading the latest version of the InstallRoot Windows installer. InstallRoot can be obtained from the public [DoD Cyber Exchange PKI/PKE](https://public.cyber.mil/pki-pke/tools-configuration-files/) website. + +- Download the desired Windows installer and apply it to the system + +- Re-run the SCAP scan to generate a new report. The new report should indicate the DoD CA findings have been resolved. For each DoD CA finding resolved, there will be a `Test` section indicating the results of the check. The result should indicate `true`. The `Collected Item/State Result` field should contain the registry information that can now be used to update `dodcert.sls` + +
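Review bot: The last bullet refers to the state file as `dodcert.sls` while the opening sentence, the link and the process heading call it `dodcerts.sls`; use the file's actual name consistently so a reader searching the repo finds it. In the same bullet, the instructions stop at "contains the registry information that can now be used to update `dodcert.sls`" without saying what to carry over (which keys, values and thumbprints from the `Collected Item/State Result` field, and which states in the existing file they replace), so a one-line pointer to the relevant state IDs or a short example of a new entry would make the procedure reproducible. The "Download the desired Windows installer and apply it to the system" bullet should also ask the author to verify the downloaded InstallRoot installer's integrity against what the DoD Cyber Exchange publishes before running it, since the procedure installs root CAs into the trust store. Minor: the first bullet's link text `[DoD Cyber Exchange ]` has a trailing space inside the brackets.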