A web server that utilizes PKI as an authentication mechanism must utilize subscriber certificates issued from a DoD-authorized Certificate Authority.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-6531 | WG140 | SV-6627r1_rule | Medium |
| Description |
|---|
| A DoD private web server, existing within and available across the NIPRNet, must utilize PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity shall use the identity provided by certificate-based authentication to support access control decisions. |
| STIG | Date |
|---|---|
| IIS 7.0 Server STIG | 2019-03-22 |
Details
| Check Text ( C-29008r1_chk ) |
|---|
| To view the SSLVerifyClient value enter the following command: grep "SSLVerifyClient" /usr/local/apache2/conf/httpd.conf If the value of SSLVerifyClient is not set to “require”, then this is a finding. |
| Fix Text (F-26020r1_fix) |
|---|
| Edit the httpd.conf file and set the value of SSLVerifyClient to "require". |