STIGQter: STIG Summary: Web Server Security Requirements Guide Version: 2 Release: 3 Benchmark Date: 26 Apr 2019:

The web server must only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).

DISA Rule

SV-70281r2_rule

Vulnerability Number

V-56027

Group Title

SRG-APP-000427-WSR-000186

Rule Version

SRG-APP-000427-WSR-000186

Severity

CAT II

CCI(s)

• CCI-002470 - The information system only allows the use of organization-defined certificate authorities for verification of the establishment of protected sessions.

Weight

10

Fix Recommendation

Configure the web server to only accept DoD and DoD-approved PKI client certificates.

Check Contents

Review the web server deployed configuration to determine if the web server will accept client certificates issued by unapproved PKIs. The authoritative list of DoD-approved PKIs is published at http://iase.disa.mil/pki-pke/interoperability.

If the web server will accept non-DoD approved PKI client certificates, this is a finding.

Vulnerability Number

V-56027

Documentable

False

Rule Version

SRG-APP-000427-WSR-000186

Severity Override Guidance

Review the web server deployed configuration to determine if the web server will accept client certificates issued by unapproved PKIs. The authoritative list of DoD-approved PKIs is published at http://iase.disa.mil/pki-pke/interoperability.

If the web server will accept non-DoD approved PKI client certificates, this is a finding.

Check Content Reference

M

Target Key

2557

Comments