Check: WN12-GE-000025
Microsoft Windows Server 2012/2012 R2 Domain Controller STIG:
WN12-GE-000025
(in versions v2 r7 through v3 r7)
Title
The system must query the certification authority to determine whether a public key certificate has been revoked before accepting the certificate for authentication purposes. (Cat II impact)
Discussion
Failure to verify a certificate's revocation status can result in the system accepting a revoked, and therefore unauthorized, certificate. Depending on the purpose for which the certificate is intended, this could result in the installation of unauthorized software or a connection to a rogue network. Querying for certificate revocation mitigates the risk that the system will accept an unauthorized certificate.
Check Content
Verify the system has software installed and running that provides certificate validation and revocation checking. If it does not, this is a finding.
Fix Text
Install software that provides certificate validation and revocation checking.
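On Windows Server 2012/2012 R2 the validation and revocation checking the check asks for is provided by the built-in CryptoAPI chain engine (CRL and OCSP lookups via the CDP and AIA URLs in the certificate), so the practical question is whether that engine can actually reach the CA's revocation data for the certificates the server uses for authentication. The following PowerShell is an added example, not part of the STIG text and not a DISA-supplied script: it builds a chain for every certificate in a store with online, entire-chain revocation checking forced on, and reports any certificate that is revoked or whose revocation status could not be determined. The store path, the function name and the 30-second URL timeout are assumptions; point it at the store that holds the certificates used for authentication.

```powershell
# Added example: confirm that the built-in chain engine performs revocation
# lookups for each certificate in a store. Not part of the STIG check text.
function Test-RevocationChecking {
    param(
        # Assumption: the machine Personal store; adjust to the store in use.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    $ns = 'System.Security.Cryptography.X509Certificates'

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $chain = New-Object "$ns.X509Chain"

        # Online = go to the CDP/AIA URLs rather than accepting a cached CRL;
        # EntireChain = check every certificate, not just the end entity.
        $chain.ChainPolicy.RevocationMode = [type]"$ns.X509RevocationMode" |
            ForEach-Object { $_::Online }
        $chain.ChainPolicy.RevocationFlag = [type]"$ns.X509RevocationFlag" |
            ForEach-Object { $_::EntireChain }
        $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 30   # assumption
        $chain.ChainPolicy.VerificationFlags = [type]"$ns.X509VerificationFlags" |
            ForEach-Object { $_::NoFlag }

        $valid = $chain.Build($cert)

        # Fold the per-element status flags into one value so each condition
        # can be tested with a bitwise AND.
        $flags = [type]"$ns.X509ChainStatusFlags" | ForEach-Object { $_::NoError }
        foreach ($s in $chain.ChainStatus) { $flags = $flags -bor $s.Status }

        $revoked = [bool]($flags -band ([type]"$ns.X509ChainStatusFlags" |
            ForEach-Object { $_::Revoked }))
        $unknown = [bool]($flags -band (([type]"$ns.X509ChainStatusFlags" |
            ForEach-Object { $_::RevocationStatusUnknown }) -bor
            ([type]"$ns.X509ChainStatusFlags" | ForEach-Object { $_::OfflineRevocation })))

        [pscustomobject]@{
            Subject           = $cert.Subject
            Thumbprint        = $cert.Thumbprint
            ChainValid        = $valid
            Revoked           = $revoked
            RevocationUnknown = $unknown
            Detail            = ($chain.ChainStatus |
                ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        }

        $chain.Reset()
    }
}

# Usage: list every certificate whose revocation status is revoked or unknown.
Test-RevocationChecking | Where-Object { $_.Revoked -or $_.RevocationUnknown } |
    Format-Table -AutoSize
```

A certificate that comes back with RevocationUnknown means the chain engine tried to query the CA and could not obtain a CRL or OCSP response; on a domain controller that is usually a blocked or stale CDP/AIA URL rather than missing software, and it should be resolved before the certificate is relied on for authentication. The same lookup can be driven from the command line for a single exported certificate with `certutil -verify -urlfetch <file.cer>`, which prints each CRL and OCSP retrieval it attempts.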
Additional Identifiers
Rule ID: SV-226256r877395_rule
Vulnerability ID: V-226256
Group Title: SRG-OS-000125-GPOS-00065
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 | The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 | Configuration Settings |