4.1.9 Ensure upstream server traffic is authenticated with a client certificate

Information

Client certificate validation allows the upstream server to authenticate the identity of the client connecting to it, which in this case is the NGINX proxy. Combined with the proxy verifying the upstream's server certificate, this establishes mutual authentication between the client and the server.

Rationale:

Using client certificate validation allows you to establish a trusted proxy server: the upstream can reject TLS connections that do not present a certificate it trusts, so only the proxy can reach it.

Solution

To implement this recommendation, create a client certificate for the proxy and have it signed by a certificate authority that the upstream server trusts. Once you have the signed certificate, place it and its private key in a location of your choice; the example below uses files under /etc/nginx/ssl/. Add the following directives to the location block that proxies traffic to the upstream:

proxy_ssl_certificate /etc/nginx/ssl/nginx.pem;
proxy_ssl_certificate_key /etc/nginx/ssl/nginx.key;
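The fragment below is an added example and not part of the benchmark text. It shows a complete reverse-proxy location block that presents the client certificate to the upstream and also verifies the upstream's own certificate, so authentication runs in both directions. The upstream address, server name and all file paths are assumptions; substitute your own.

```nginx
# Added example (not from the benchmark): a reverse-proxy location that
# authenticates to the upstream with a client certificate and verifies the
# upstream's server certificate. Paths, host names and the port are assumptions.
location /api/ {
    proxy_pass https://backend.internal.example:8443;

    # Client certificate and private key that NGINX presents to the upstream
    proxy_ssl_certificate         /etc/nginx/ssl/nginx.pem;
    proxy_ssl_certificate_key     /etc/nginx/ssl/nginx.key;

    # Verify the upstream's certificate against a CA bundle you control
    proxy_ssl_trusted_certificate /etc/nginx/ssl/upstream-ca.pem;
    proxy_ssl_verify              on;
    proxy_ssl_verify_depth        2;

    # Send SNI and check the upstream certificate against the expected name
    proxy_ssl_server_name         on;
    proxy_ssl_name                backend.internal.example;

    # Restrict the proxied connection to current TLS versions
    proxy_ssl_protocols           TLSv1.2 TLSv1.3;

    # Reuse TLS sessions so every request does not pay for a full handshake
    proxy_ssl_session_reuse       on;
}
```

After editing, run nginx -t to validate the syntax and nginx -T | grep proxy_ssl_ to confirm the directives are present in the effective configuration. The private key file should be readable only by the account that starts the NGINX master process, since anyone who can read it can impersonate the proxy to the upstream.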

Default Value:

Upstream connections are not authenticated with a client certificate by default.

See Also

https://workbench.cisecurity.org/benchmarks/17381

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4

Plugin: Unix

Control ID: 92f44e5b185d4dac04b141da607b4745dc773632f58268e4d49a7a359729747f