
The network device, when utilizing PKI-based authentication, must not accept revoked certificates.


Overview

Finding ID: V-80967
Version: SRG-APP-000175-NDM-000350
Rule ID: SV-95679r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA.
STIG: Network Device Management Security Requirements Guide
Date: 2019-09-27

Details

Check Text (C-80711r1_chk)
When PKI-based authentication is used, verify the network device does not accept revoked certificates.

Determine whether the CA trust point defined on the network device references a CRL and whether revocation checking has been enabled for it.

An alternate mechanism for checking the validity of a certificate is the use of the Online Certificate Status Protocol (OCSP). Unlike CRLs, which provide only periodic certificate status checks, OCSP can provide timely information regarding the status of a certificate. This requirement may be verified by configuration review or validated test results.

If PKI-based authentication is used and the network device accepts revoked certificates, this is a finding.
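The check above asks whether the device actually consults a CRL before trusting a certificate. As an added illustration (not part of the STIG text and not any vendor's implementation), the following Python uses the `cryptography` package to build a small constructed lab PKI and perform the relying-party steps a device must perform: validate the path to the trust anchor, confirm the CRL is issued and signed by that anchor and is not stale, then refuse any serial the CRL lists. The CA name, subject names and serial numbers are all constructed for the demo.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.datetime.now(datetime.timezone.utc)
CA_CN = "Constructed Test CA"  # assumed name for the lab trust anchor
name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
new_key = lambda: ec.generate_private_key(ec.SECP256R1())

def make_cert(subject_cn, pubkey, ca_key, serial):
    """Issue a minimal certificate signed by the constructed CA key."""
    return (x509.CertificateBuilder().subject_name(name(subject_cn))
            .issuer_name(name(CA_CN)).public_key(pubkey).serial_number(serial)
            .not_valid_before(NOW - datetime.timedelta(minutes=5))
            .not_valid_after(NOW + datetime.timedelta(days=1))
            .sign(ca_key, hashes.SHA256()))

def make_crl(signer_key, revoked_serials):
    """Issue a CRL in the CA's name listing the given serials as revoked."""
    crl = (x509.CertificateRevocationListBuilder().issuer_name(name(CA_CN))
           .last_update(NOW - datetime.timedelta(minutes=5))
           .next_update(NOW + datetime.timedelta(hours=1)))
    for serial in revoked_serials:
        entry = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build()
        crl = crl.add_revoked_certificate(entry)
    return crl.sign(signer_key, hashes.SHA256())

def revocation_status(cert, crl, ca_cert):
    """Relying-party check. Returns 'good' or 'revoked'; raises ValueError when the
    CRL cannot be trusted, so the caller fails closed rather than accepting the cert."""
    ca_pub = ca_cert.public_key()
    ca_pub.verify(cert.signature, cert.tbs_certificate_bytes,
                  ec.ECDSA(cert.signature_hash_algorithm))  # path validation to the anchor
    if (cert.issuer != ca_cert.subject or crl.issuer != ca_cert.subject
            or not crl.is_signature_valid(ca_pub)):
        raise ValueError("certificate or CRL not issued and signed by the trust anchor")
    next_update = getattr(crl, "next_update_utc", None)  # cryptography >= 42; older releases expose crl.next_update (naive UTC)
    if next_update is not None and next_update < NOW:
        raise ValueError("CRL is stale; fetch a current one before deciding")
    revoked = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    return "revoked" if revoked is not None else "good"

def build_demo():
    """Constructed lab PKI: CA, valid admin cert, revoked admin cert, CA CRL, rogue CRL."""
    ca_key = new_key()
    ca_cert = make_cert(CA_CN, ca_key.public_key(), ca_key, 1)
    good = make_cert("admin-good", new_key().public_key(), ca_key, 1001)
    bad = make_cert("admin-revoked", new_key().public_key(), ca_key, 1002)
    return ca_cert, good, bad, make_crl(ca_key, [1002]), make_crl(new_key(), [1001])
```

The rogue CRL returned last is signed by a key the CA does not own, which is why the signature check in `revocation_status` matters: a CRL from an untrusted signer must not be allowed to clear or revoke anything.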
Fix Text (F-87827r1_fix)
Configure the network device to not accept revoked certificates.