The Juniper SRX Services Gateway VPN must not accept certificates that have been revoked when using PKI for authentication.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-214679 | JUSX-VN-000012 | SV-214679r385561_rule | CCI-000366 | high |
| Description | ||||
| Situations may arise in which the certificate issued by a Certificate Authority (CA) may need to be revoked before the lifetime of the certificate expires. For example, the certificate is known to have been compromised. To achieve this, a list of certificates that have been revoked, known as a Certificate Revocation List (CRL), is sent periodically from the CA to the IPsec gateway. When an incoming Internet Key Exchange (IKE) session is initiated for a remote client or peer whose certificate is revoked, the CRL will be checked to see if the certificate is valid; if the certificate is revoked, IKE will fail and an IPsec security association will not be established for the remote endpoint. | ||||
| STIG | Date | |||
| Juniper SRX Services Gateway VPN Security Technical Implementation Guide | 2024-12-20 | |||
Related Frameworks
4 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
CM-6
1.00
- DISA · V3R2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1712 mappings
3.4.1
1.00
- DISA · V3R2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.4.2
1.00
- DISA · V3R2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000366
1.00
- DISA · V3R2 · disa_xccdf · related
Details
Check Text (C-214679r385561_chk)
Examine the CA trust point defined on the VPN gateway to determine if it references a CRL and that revocation check has been enabled. An alternate mechanism for checking the validity of a certificate is the use of the Online Certificate Status Protocol (OCSP). Unlike CRLs, which provide only periodic certificate status checks, OCSP can provide timely information regarding the status of a certificate.
If revoked certificates are accepted for PKI authentication, this is a finding.
Fix Text (F-15878r297625_fix)
Configure the CA trust point to enable certificate revocation check by referencing a CRL or via OCSP.