UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The VPN gateway must not accept certificates that have been revoked when using PKI for authentication.


Overview

Finding ID Version Rule ID IA Controls Severity
V-30947 NET-VPN-050 SV-40989r1_rule ECSC-1 Medium
Description
Situations may arise in which the certificate issued by a Certificate Authority (CA) may need to be revoked before the lifetime of the certificate expires. For example, the certificate is known to have been compromised. To achieve this, a list of certificates that have been revoked, known as a Certificate Revocation List (CRL), is sent periodically from the CA to the IPSec gateway. When an incoming Internet Key Exchange (IKE) session is initiated for a remote client or peer whose certificate is revoked, the CRL will be checked to see if the certificate is valid; if the certificate is revoked, IKE will fail and an IPSec security association will not be established for the remote end-point.
STIG Date
IPSec VPN Gateway Security Technical Implementation Guide 2013-10-08

Details

Check Text ( C-39608r1_chk )
Examine the CA trust point defined on the VPN gateway to determine if it references a CRL and that revocation check has been enabled. An alternate mechanism for checking the validity of a certificate is the use of the Online Certificate Status Protocol (OCSP). Unlike CRLs, which provide only periodic certificate status checks, OCSP can provide timely information regarding the status of a certificate.
Fix Text (F-34758r1_fix)
Configure the CA trust point to enable certificate revocation check by referencing a CRL or via OCSP.