Rule ID
SV-284940r1212209_rule
Version
V1R1
CCIs
Public key cryptography is a valid authentication mechanism for individuals, machines, and devices. For PKI solutions, status information for certification paths includes certificate revocation lists or certificate status protocol responses like OCSP. For PIV cards, certificate validation involves the construction and verification of a certification path to the Common Policy Root trust anchor, which includes certificate policy processing. Implementing a local cache of revocation data to support path discovery and validation also supports system availability in situations where organizations are unable to access revocation information via the network.
Verify the Cisco SNA appliance is configured to implement certificate revocation checking to support path discovery and validation. Navigate to SNA Dashboard >> Configure >> Central Management >> Inventory >> Actions... >> Network Services >> Audit Log Destination (Syslog Over TLS). Verify "Certificate Revocation" set to "Hard Fail" for servers. Note that other forms of public key authentication (inter-device HTTPS, SAML, etc.) automatically perform certificate checking without additional configuration. If the Cisco SNA appliance is not configured to implement certificate revocation checking to support path discovery and validation, this is a finding.
Configure the Cisco SNA appliance to implement certificate revocation checking to support path discovery and validation using certificate revocation lists (CRLs), or Online Certificate Status Protocol (OCSP). Navigate to SNA Dashboard >> Configure >> Central Management >> Inventory >> Actions... >> Network Services >> Audit Log Destination (Syslog Over TLS) >> Actions... >> Edit. Select "Hard Fail" for "Certificate Revocation". Note: Other forms of public key authentication (inter-device HTTPS, SAML, etc.) automatically perform certificate checking without additional configuration.