2.11 Require Client-Side Certificates (X.509)

Information

Client-side certificates may be used as proof of identity.

Rationale:

Requiring client-side certificates provides additional validation of a user's identity.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Create or Alter users using the REQUIRE X509.
For example:

CREATE USER 'newuser2'@'%' IDENTIFIED BY <password> require x509;

For accounts created with a REQUIRE X509 clause, clients must specify at least --ssl-cert and --ssl-key. In addition, --ssl-ca (or --ssl-capath) is recommended so that the public certificate provided by the server can be verified.
For example:

mysql --ssl-ca=ca.pem
--ssl-cert=client-cert.pem
--ssl-key=client-key.pem

See Also

https://workbench.cisecurity.org/benchmarks/16527

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4

Plugin: Unix

Control ID: 5b8f3804801d457a50236e495d9de28e2df07fa47fe307c6704ad81faf3565c9