Title

Only authenticated system administrators or the designated PKI Sponsor for the web server must have access to the web servers private key. (Cat II impact)

Discussion

The web server's private key is used to prove the identity of the server to clients and securely exchange the shared secret key used to encrypt communications between the web server and clients. By gaining access to the private key, an attacker can pretend to be an authorized server and decrypt the SSL traffic between a client and the web server.

Check Content

If the web server does not have a private key, this is N/A. Review the web server documentation and deployed configuration to determine whether only authenticated system administrators and the designated PKI Sponsor for the web server can access the web server private key. If the private key is accessible by unauthenticated or unauthorized users, this is a finding.

Fix Text

Configure the web server to ensure only authenticated and authorized users can access the web server's private key.

Additional Identifiers

Rule ID: SV-206389r961041_rule

Vulnerability ID: V-206389

Group Title: SRG-APP-000176

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.