Rule ID
SV-284543r1244956_rule
Version
V1R1
Once issued by a DoW certificate authority (CA), PKI certificates are typically valid for three years or fewer within the DoW. However, there are many reasons a certificate may become invalid before the prescribed expiration date. For example, an employee may leave or be terminated and still possess the smartcard on which the PKI certificates were stored. Another example is that a smartcard containing PKI certificates may become lost or stolen. A more serious issue could be that the CA or server which issued the PKI certificates has become compromised, thereby jeopardizing every certificate keypair that was issued by the CA. These examples of revocation use cases and many more can be researched further using internet cybersecurity resources. PKI user certificates presented as part of the identification and authentication criteria (e.g., DoW PKI as multifactor authentication [MFA]) must be checked for validity by network devices. For example, valid PKI certificates are digitally signed by a trusted DoW CA. Additionally, valid PKI certificates are not expired, and valid certificates have not been revoked by a DoW CA. Satisfies: SRG-APP-000175-NDM-000262, SRG-APP-000875-NDM-000280
1. In the ICS Web UI, navigate to System >> Configuration >> Certificates >> Trusted Client CAs. 2. Click each DoW client CA. 3. Verify that under "Client certificate status checking", "OCSP", "CRL", or both are checked. Example: "Use OCSP with CRL fallback" is selected under the "Client certificate status checking" setting. If the ICS is not configured to use DoW approved OCSP responders and/or CRLs to validate certificates used for PKI-based authentication, this is a finding.
1. In the ICS Web UI, navigate to System >> Configuration >> Certificates >> Trusted Client CAs. 2. Click the first DoW client CA. 3. If OCSP only is used, under "Client certificate status checking", select "Use OCSP". 4. If CRL is used, under "Client certificate status checking", select "Use CRL" option. Note: The recommended option is "Use OCSP with CRL fallback" option under "Client certificate status checking". 5. Repeat these steps for every other client certificate CA.