[Feature Request] Compliance Setting: "OS must validate certificates for PKI-based authentication by constructing a certification path to an accepted trust anchor"

[ferricoxide]

Is your feature request related to a problem? Please describe.

STIG scans calling out RHEL-09-631010/OL09-00-000900/ALMA-09-039070

Describe the solution you'd like

Per the STIG guidance:

Configure the OS for PKI-based authentication, to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

Obtain a valid copy of the DOD root CA file from the PKI CA certificate bundle from cyber.mil and copy the DoD_PKE_CA_chain.pem into the following file:

/etc/sssd/pki/sssd_auth_ca_db.pem

Describe alternatives you've considered

Additional context

[ferricoxide]

The fix-text for this finding is as follows:

Fix Text: Configure RHEL 9, for PKI-based authentication, to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

Obtain a valid copy of the DOD root CA file from the PKI CA certificate bundle from cyber.mil and copy the DoD_PKE_CA_chain.pem into the following file:

/etc/sssd/pki/sssd_auth_ca_db.pem

This isn't directly automatable. spel AMIs already have the certificates baked in:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=WCF PKI, CN=DoD WCF Root CA 1
        Validity
            Not Before: Nov  9 19:47:33 2015 GMT
            Not After : Dec 30 19:47:33 2030 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=WCF PKI, CN=DoD WCF Root CA 1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 346 (0x15a)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=WCF PKI, CN=DoD WCF Root CA 1
        Validity
            Not Before: Feb  5 14:21:34 2019 GMT
            Not After : Feb  2 14:21:34 2029 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=WCF PKI, CN=DoD WCF Intermediate CA 1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1990 (0x7c6)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=WCF PKI, CN=DoD WCF Intermediate CA 1
        Validity
            Not Before: Jan  8 18:00:57 2024 GMT
            Not After : Feb  6 18:00:57 2025 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=WCF PKI, CN=DoD WCF Signing CA 9
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1989 (0x7c5)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=WCF PKI, CN=DoD WCF Intermediate CA 1
        Validity
            Not Before: Jan  8 17:59:34 2024 GMT
            Not After : Feb  6 17:59:34 2025 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=WCF PKI, CN=DoD WCF Signing CA 8
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1988 (0x7c4)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=WCF PKI, CN=DoD WCF Intermediate CA 1
        Validity
            Not Before: Jan  8 17:58:07 2024 GMT
            Not After : Feb  6 17:58:07 2025 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=WCF PKI, CN=DoD WCF Signing CA 7
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1987 (0x7c3)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=WCF PKI, CN=DoD WCF Intermediate CA 1
        Validity
            Not Before: Jan  8 17:56:38 2024 GMT
            Not After : Feb  6 17:56:38 2025 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=WCF PKI, CN=DoD WCF Signing CA 6
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1986 (0x7c2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=WCF PKI, CN=DoD WCF Intermediate CA 1
        Validity
            Not Before: Jan  8 17:54:34 2024 GMT
            Not After : Feb  6 17:54:34 2025 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=WCF PKI, CN=DoD WCF Signing CA 5
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1985 (0x7c1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=WCF PKI, CN=DoD WCF Intermediate CA 1
        Validity
            Not Before: Jan  8 17:53:02 2024 GMT
            Not After : Feb  6 17:53:02 2025 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=WCF PKI, CN=DoD WCF Signing CA 4
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1984 (0x7c0)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=WCF PKI, CN=DoD WCF Intermediate CA 1
        Validity
            Not Before: Jan  8 17:51:04 2024 GMT
            Not After : Feb  6 17:51:04 2025 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=WCF PKI, CN=DoD WCF Signing CA 3
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1983 (0x7bf)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=WCF PKI, CN=DoD WCF Intermediate CA 1
        Validity
            Not Before: Jan  8 17:49:06 2024 GMT
            Not After : Feb  6 17:49:06 2025 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=WCF PKI, CN=DoD WCF Signing CA 2
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1991 (0x7c7)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=WCF PKI, CN=DoD WCF Intermediate CA 1
        Validity
            Not Before: Jan  8 18:02:18 2024 GMT
            Not After : Feb  6 18:02:18 2025 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=WCF PKI, CN=DoD WCF Signing CA 10
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1982 (0x7be)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=WCF PKI, CN=DoD WCF Intermediate CA 1
        Validity
            Not Before: Jan  8 17:45:30 2024 GMT
            Not After : Feb  6 17:45:30 2025 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=WCF PKI, CN=DoD WCF Signing CA 1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 148 (0x94)
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 6
        Validity
            Not Before: Sep 26 15:40:52 2023 GMT
            Not After : Sep 25 15:40:52 2029 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD DERILITY CA-4
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 147 (0x93)
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 6
        Validity
            Not Before: Sep 26 15:37:49 2023 GMT
            Not After : Sep 25 15:37:49 2029 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD DERILITY CA-3
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1336 (0x538)
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 5
        Validity
            Not Before: May 16 15:48:18 2023 GMT
            Not After : May 14 15:48:18 2029 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD SW CA-77
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1335 (0x537)
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 5
        Validity
            Not Before: May 16 15:44:56 2023 GMT
            Not After : May 14 15:44:56 2029 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD SW CA-76
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1805 (0x70d)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 3
        Validity
            Not Before: Dec  6 17:13:49 2022 GMT
            Not After : Dec  6 17:13:49 2028 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD SW CA-75
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 74 (0x4a)
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 6
        Validity
            Not Before: May 16 16:05:29 2023 GMT
            Not After : May 15 16:05:29 2029 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD SW CA-74
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 820 (0x334)
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 5
        Validity
            Not Before: Jul 20 13:59:26 2021 GMT
            Not After : Jul 19 13:59:26 2027 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD SW CA-69
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 819 (0x333)
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 5
        Validity
            Not Before: Jul 20 13:56:48 2021 GMT
            Not After : Jul 19 13:56:48 2027 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD SW CA-68
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1376 (0x560)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 3
        Validity
            Not Before: Jun  8 13:58:25 2021 GMT
            Not After : Jun  9 13:58:25 2027 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD SW CA-67
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1375 (0x55f)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 3
        Validity
            Not Before: Jun  8 13:57:18 2021 GMT
            Not After : Jun  9 13:57:18 2027 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD SW CA-66
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 194 (0xc2)
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 5
        Validity
            Not Before: Apr  2 13:41:24 2019 GMT
            Not After : Mar 31 13:41:24 2025 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD SW CA-61
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 771 (0x303)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 3
        Validity
            Not Before: Apr  2 13:34:49 2019 GMT
            Not After : Apr  2 13:34:49 2025 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD SW CA-60
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 6
        Validity
            Not Before: Jan 24 16:36:17 2023 GMT
            Not After : Jan 24 16:36:17 2053 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 6
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15 (0xf)
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 5
        Validity
            Not Before: Jun 14 17:17:27 2016 GMT
            Not After : Jun 14 17:17:27 2041 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 5
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 4
        Validity
            Not Before: Jul 30 19:48:23 2012 GMT
            Not After : Jul 25 19:48:23 2032 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 4
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 3
        Validity
            Not Before: Mar 20 18:46:41 2012 GMT
            Not After : Dec 30 18:46:41 2029 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 3
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 73 (0x49)
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 6
        Validity
            Not Before: May 16 16:03:49 2023 GMT
            Not After : May 15 16:03:49 2029 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD ID CA-73
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 72 (0x48)
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 6
        Validity
            Not Before: May 16 16:02:26 2023 GMT
            Not After : May 15 16:02:26 2029 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD ID CA-72
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1804 (0x70c)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 3
        Validity
            Not Before: Dec  6 17:12:15 2022 GMT
            Not After : Dec  6 17:12:15 2028 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD ID CA-71
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 71 (0x47)
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 6
        Validity
            Not Before: May 16 16:00:08 2023 GMT
            Not After : May 15 16:00:08 2029 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD ID CA-70
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1356 (0x54c)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 3
        Validity
            Not Before: Jun  1 14:11:23 2021 GMT
            Not After : Jun  2 14:11:23 2027 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD ID CA-65
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1355 (0x54b)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 3
        Validity
            Not Before: Jun  1 14:09:37 2021 GMT
            Not After : Jun  2 14:09:37 2027 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD ID CA-64
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1295 (0x50f)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 3
        Validity
            Not Before: Apr  6 13:55:54 2021 GMT
            Not After : Apr  7 13:55:54 2027 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD ID CA-63
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1354 (0x54a)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 3
        Validity
            Not Before: Jun  1 14:07:31 2021 GMT
            Not After : Jun  2 14:07:31 2027 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD ID CA-62
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 773 (0x305)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 3
        Validity
            Not Before: Apr  2 13:38:32 2019 GMT
            Not After : Apr  2 13:38:32 2025 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD ID CA-59
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 70 (0x46)
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 6
        Validity
            Not Before: May 16 15:58:04 2023 GMT
            Not After : May 15 15:58:04 2029 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD EMAIL CA-73
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 69 (0x45)
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 6
        Validity
            Not Before: May 16 15:54:35 2023 GMT
            Not After : May 15 15:54:35 2029 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD EMAIL CA-72
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1803 (0x70b)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 3
        Validity
            Not Before: Dec  6 17:10:24 2022 GMT
            Not After : Dec  6 17:10:24 2028 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD EMAIL CA-71
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 68 (0x44)
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 6
        Validity
            Not Before: May 16 15:51:56 2023 GMT
            Not After : May 15 15:51:56 2029 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD EMAIL CA-70
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1374 (0x55e)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 3
        Validity
            Not Before: Jun  8 13:55:26 2021 GMT
            Not After : Jun  9 13:55:26 2027 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD EMAIL CA-65
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1353 (0x549)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 3
        Validity
            Not Before: Jun  1 14:05:19 2021 GMT
            Not After : Jun  2 14:05:19 2027 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD EMAIL CA-64
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1352 (0x548)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 3
        Validity
            Not Before: Jun  1 14:02:21 2021 GMT
            Not After : Jun  2 14:02:21 2027 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD EMAIL CA-63
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1373 (0x55d)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 3
        Validity
            Not Before: Jun  8 13:51:38 2021 GMT
            Not After : Jun  9 13:51:38 2027 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD EMAIL CA-62
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 772 (0x304)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 3
        Validity
            Not Before: Apr  2 13:37:25 2019 GMT
            Not After : Apr  2 13:37:25 2025 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD EMAIL CA-59
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
=====


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1218 (0x4c2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 3
        Validity
            Not Before: Jan 19 14:55:37 2021 GMT
            Not After : Jan 20 14:55:37 2027 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD DERILITY CA-1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption

However, the scanner used to uncover this finding (Tenable) flagged a non-compliance, any way. Looking at the wording of both the check-text and the previously cited fix-text, I might assume that the scanner is only checking for them in /etc/sssd/pki/sssd_auth_ca_db.pem. However, it seems a bit odd that SSSD would need its own CA-bundle: the OS-wide CA-bundle is supposed to obviate such needs. Still researching whether SSSD is an odd duck, or not, and requires its own CA-bundle.

Regardless, for now, going to handle this as a "known issue" and update the relevant watchmaker documentation.