WG355 W22 - A private web server's list of CAs in a trust hierarchy must lead to an authorized DoD PKI Root CA.

Information

A PKI certificate is a digital identifier that establishes the identity of an individual or a platform. A server that has a certificate provides users with third-party confirmation of authenticity. Most web browsers perform server authentication automatically; the user is notified only if the authentication fails. The authentication process between the server and the client is performed using the SSL/TLS protocol. Digital certificates are authenticated, issued, and managed by a trusted Certification Authority (CA).

The use of a trusted certificate validation hierarchy is crucial to the ability to control access to your server and prevent unauthorized access. This hierarchy needs to lead to the DoD PKI Root CA or to an approved External Certificate Authority (ECA) or are required for the server to function.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Configure the web server's trust store to trust only DoD-approved PKIs (e.g., DoD PKI, DoD ECA, and DoD-approved external partners).

See Also

https://iasecontent.disa.mil/stigs/zip/U_Apache_2-2_WIN_V1R13_STIG.zip

Item Details

References: CAT|II, Rule-ID|SV-33084r1_rule, STIG-ID|WG355_W22, Vuln-ID|V-13620

Plugin: Windows

Control ID: bc1108a8e32390953fd37b0b0e8f8caaa697a8db7474f5298e530baa9bcbed5d