The VPN gateway must not accept certificates that have been revoked when using PKI for authentication.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-30947 | NET-VPN-050 | SV-40989r1_rule | ECSC-1 | Medium |
| Description |
|---|
| Situations may arise in which the certificate issued by a Certificate Authority (CA) may need to be revoked before the lifetime of the certificate expires. For example, the certificate is known to have been compromised. To achieve this, a list of certificates that have been revoked, known as a Certificate Revocation List (CRL), is sent periodically from the CA to the IPSec gateway. When an incoming Internet Key Exchange (IKE) session is initiated for a remote client or peer whose certificate is revoked, the CRL will be checked to see if the certificate is valid; if the certificate is revoked, IKE will fail and an IPSec security association will not be established for the remote end-point. |
| STIG | Date |
|---|---|
| IPSec VPN Gateway Security Technical Implementation Guide | 2018-11-27 |
Details
| Check Text ( C-39608r1_chk ) |
|---|
| Examine the CA trust point defined on the VPN gateway to determine if it references a CRL and that revocation check has been enabled. An alternate mechanism for checking the validity of a certificate is the use of the Online Certificate Status Protocol (OCSP). Unlike CRLs, which provide only periodic certificate status checks, OCSP can provide timely information regarding the status of a certificate. |
| Fix Text (F-34758r1_fix) |
|---|
| Configure the CA trust point to enable certificate revocation check by referencing a CRL or via OCSP. |