The application server must use DoD or CNS approved PKI Class 3 or Class 4 certificates.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-35338	SRG-APP-000195-AS-000137	SV-46625r1_rule		High

Description
Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certificates are used for business-to-business transactions. Utilizing unapproved certificates not issued or approved by DoD or CNS creates an integrity risk. The AS must utilize approved DoD or CNS Class 3 or Class 4 certificates for software signing and business to business transactions.

Description

Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certificates are used for business-to-business transactions. Utilizing unapproved certificates not issued or approved by DoD or CNS creates an integrity risk. The AS must utilize approved DoD or CNS Class 3 or Class 4 certificates for software signing and business to business transactions.

STIG	Date
Application Server Security Requirements Guide	2013-01-08

Details

Check Text ( C-43706r3_chk )
Review the AS configuration to determine if the AS utilizes approved PKI Class 3 or Class 4 certificates. If the AS is not configured to use approved DoD or CNS certificates, this is a finding.

Fix Text (F-39884r2_fix)
Configure the AS to use DoD or CNS approved Class 3 or Class 4 PKI certificates.