STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated 2 hours ago
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Ivanti Policy Secure NDM Security Technical Implementation Guide

V-284540

CAT II (Medium)

The Ivanti Policy Secure must obtain its public key certificates from an appropriate certificate policy through an approved service provider.

Rule ID

SV-284540r1244952_rule

STIG

Ivanti Policy Secure NDM Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-001159

Discussion

For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this Certification Authority (CA) will suffice.

Check Content

1. In the Web UI, navigate to System >> Configuration >> Certificates >> Device Certificates.
2. View the certificate to verify it is signed by a valid DoW CA.
3. Verify the certificate is the only one present and configured for use on interfaces.

If a DoW CA certificate is not used, this is a finding.

Fix Text

1. In the Web UI, navigate to System >> Configuration >> Certificates >> Device Certificates.
2. Click "New CSR".
3. Add a Common Name in FQDN format.
4. Add a Country code of US.
5. Under "Key type", if using RSA, select "RSA". If using ECC, select "ECC".
6. Under "Key length", if using RSA, select at least 2048. If using ECC, select "P-384".
7. Enter in random data in the text field.
8. Click "Create CSR".
9. Copy the Base 64/PEM encoded certificate request shown on the screen and paste it to a text file. Ensure the file has the file suffix of .csr.
10. Complete the local RA process for DoW web server certificate requests. Ensure that SANs are added to the certificate by the issuing CA to include the host name, cluster names, and all FQDNs.
11. Once the certificate is provided by the CA, go to System >> Configuration >> Certificates >> Device Certificates.
12. Click "Browse" and select the certificate file issued by the CA, then click "Import".
13. Click "Save Changes".
14. Click on the imported certificate.
15. On the internal port, click add for the cluster internal VIP and <Internal Port>.
16. On the external port, click add for the cluster external VIP and <External Port>.
17. Check the box for "Management Port".
18. Under "Certificate Status Checking", click the box for "Use CRLs".
19. Click "Save Changes".