UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Private web servers must require certificates issued from a DoD-authorized Certificate Authority.


Overview

Finding ID Version Rule ID IA Controls Severity
V-6531 WG140 A22 SV-33019r1_rule Medium
Description
Web sites requiring authentication within the DoD must utilize PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity must use the identity provided by certificate-based authentication to support access control decisions.
STIG Date
APACHE 2.2 Site for UNIX Security Technical Implementation Guide 2019-01-07

Details

Check Text ( C-33701r1_chk )
To view the SSLVerifyClient value enter the following command:

grep "SSLVerifyClient" /usr/local/apache2/conf/httpd.conf.

If the value of SSLVerifyClient is not set to “require”, this is a finding.
Fix Text (F-29335r1_fix)
Edit the httpd.conf file and set the value of SSLVerifyClient to "require".