Rule ID
SV-234379r1213015_rule
Version
V2R5
CCIs
When an UEM server accepts an unverified certificate, it may be trusting a malicious actor. For example, messages signed with an invalid certificate may contain links to malware, which could lead to the installation or distribution of that malware on DoW information systems, leading to compromise of DoW sensitive information and other attacks. Satisfies: FIA_X509_EXT.2.2/FP for X.509 Reference:PP-MDM-505200
Verify the UEM server does not automatically accept a certificate when it cannot establish a connection to determine the validity of a certificate. If the UEM server automatically accepts a certificate when it cannot establish a connection to determine the validity of a certificate, this is a finding.
Configure the UEM server to not automatically accept a certificate when it cannot establish a connection to determine the validity of a certificate.