Navigate

Check: SRG-APP-000427-WSR-000186

Web Server SRG: SRG-APP-000427-WSR-000186 (in versions v3 r2 through v2 r2)

Title

The web server must only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs). (Cat II impact)

Discussion

Non-DoD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DoD systems to rely on the identity asserted in the certificate. PKIs lacking sufficient security controls and identity vetting procedures risk being compromised and issuing certificates that enable adversaries to impersonate legitimate users.

Check Content

Review the web server deployed configuration to determine if the web server will accept client certificates issued by unapproved PKIs. The authoritative list of DoD-approved PKIs is published at http://iase.disa.mil/pki-pke/interoperability. If the web server will accept non-DoD approved PKI client certificates, this is a finding.

Fix Text

Configure the web server to only accept DoD and DoD-approved PKI client certificates.

Additional Identifiers

Rule ID: SV-206430r879798_rule

Vulnerability ID: V-206430

Group Title: SRG-APP-000427

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-002470	Only allow the use of organization-defined certificate authorities for verification of the establishment of protected sessions.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
SC-23(5)	Allowed Certificate Authorities