This check verifies that the server certificate is actually a DoD-issued certificate used by the organization being reviewed. The certificate is used to prove the authenticity of the web site to the user. If the certificate is not issued by the DoD, or if it has expired, there is no assurance that the use of the certificate is valid, and the entire purpose of using a certificate is therefore compromised.
1. Open the IIS Manager > Right click on the web site being reviewed > Select Properties > Select the Directory Security tab.
2. Under the Secure communications section > Select View Certificate.
3. Select the Details tab > Select the Issuer field.
4. View the lower window and ensure the certificate contains the following:

CN = DOD CLASS 3 CA-3
OU = PKI
OU = DoD
O = U.S. Government
C = US
If the credentials listed above are not found, this is a finding.
NOTE: It is also acceptable to open a browser window and browse to the appropriate site. Before entry to the site, the server's DOD PKI credentials should be presented. Review these credentials for authenticity.

NOTE: If the server is running as a public web server, this finding is not applicable.

NOTE: In some cases the web servers are configured in an environment to support load balancing. This configuration most likely utilizes a content switch to control traffic to the various web servers. In this situation, the SSL certificate for the web sites may be installed on the content switch rather than on the individual web sites. This solution is acceptable as long as the web servers are isolated from the general population LAN: users must not have the ability to bypass the content switch to access the web sites.
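As an added example (not part of the STIG text), the PowerShell script below automates the issuer and validity check described above for every HTTPS binding on an IIS 7 or later server. The expected issuer DN is the one given in the check; everything else (the WebAdministration module, the Test-IssuerDn helper, and the assumption that the certificate is bound on the web server itself rather than on a content switch) is an assumption of this example.

```powershell
# Added example, not from the STIG: check each IIS HTTPS binding's certificate
# against the issuer DN required by this check and against its validity dates.
# Assumes IIS 7+ with the WebAdministration module; run from an elevated PowerShell.
Import-Module WebAdministration

# Issuer attributes required by the check text (single-valued RDNs).
$ExpectedIssuer = @{
    'CN' = 'DOD CLASS 3 CA-3'
    'O'  = 'U.S. Government'
    'C'  = 'US'
}
# OU appears twice in the required issuer, so it is handled as a list.
$ExpectedOUs = @('PKI', 'DoD')

function Test-IssuerDn {
    param([string]$IssuerDn)
    # .NET renders the issuer as "CN=..., OU=..., OU=..., O=..., C=...".
    # Splitting on commas is sufficient for the DoD CA DN, which has no escaped commas.
    $rdns = foreach ($part in ($IssuerDn -split ',\s*')) {
        $key, $value = $part -split '=', 2
        if ($null -eq $value) { continue }
        [pscustomobject]@{ Key = $key.Trim(); Value = $value.Trim() }
    }
    foreach ($key in $ExpectedIssuer.Keys) {
        $match = $rdns | Where-Object { $_.Key -eq $key -and $_.Value -eq $ExpectedIssuer[$key] }
        if (-not $match) { return $false }
    }
    $ous = @($rdns | Where-Object { $_.Key -eq 'OU' } | ForEach-Object { $_.Value })
    foreach ($ou in $ExpectedOUs) {
        if ($ous -notcontains $ou) { return $false }
    }
    return $true
}

$now = Get-Date
$results = foreach ($binding in Get-ChildItem IIS:\SslBindings) {
    # Each binding records the store name and thumbprint of the certificate it serves.
    $cert = Get-Item "Cert:\LocalMachine\$($binding.Store)\$($binding.Thumbprint)"
    $issuerOk = Test-IssuerDn $cert.Issuer
    $inDate   = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
    $status   = if ($issuerOk -and $inDate) { 'OK' } else { 'FINDING' }
    [pscustomobject]@{
        Binding  = $binding.PSChildName      # e.g. "0.0.0.0!443"
        Subject  = $cert.Subject
        Issuer   = $cert.Issuer
        NotAfter = $cert.NotAfter
        IssuerOk = $issuerOk
        InDate   = $inDate
        Status   = $status
    }
}
$results | Format-Table -AutoSize

# No HTTPS binding at all also deserves attention: either the site is not using
# SSL, or (see the load-balancing NOTE) the certificate lives on the content switch.
if (-not $results) { Write-Warning 'No IIS SSL bindings found on this server.' }
```

Any binding reported as FINDING either carries a certificate whose issuer is not the required DoD CA or one that is outside its validity period; a server with no SSL bindings should be examined against the load-balancing NOTE before the check is closed.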
Fix Text (F-32698r1_fix)
Configure the private web site to use a valid DoD certificate.