Applications involved in the production, control, and distribution of asymmetric cryptographic keys must use approved PKI Class 3 certificates or prepositioned keying material.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-35609	SRG-APP-000194-AS-NA	SV-46896r1_rule		Medium

Description
Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. This requirement only addresses Class 3 certificates. CCI-001143 addresses both Class3 and Class 4 certificate usage. Class 4 certificates are used for "business to business" certificates which includes web service oriented applications. This requirement is NA, will use CCI-001143 as it covers both classes of certificates and addresses AS functionality and capability better.

Description

Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. This requirement only addresses Class 3 certificates. CCI-001143 addresses both Class3 and Class 4 certificate usage. Class 4 certificates are used for "business to business" certificates which includes web service oriented applications. This requirement is NA, will use CCI-001143 as it covers both classes of certificates and addresses AS functionality and capability better.

STIG	Date
Application Server Security Requirements Guide	2013-01-08

Details

Check Text ( C-43952r1_chk )
The requirement is NA for the AS SRG.

Fix Text (F-40150r2_fix)
The requirement is NA. No fix is required.