
V-260916

CAT II (Medium)

MSR's self-signed certificates must be replaced with DOD trusted, signed certificates.

Rule ID

SV-260916r966105_rule

STIG

Mirantis Kubernetes Engine Security Technical Implementation Guide

Version

V2R1

CCIs

CCI-000381

Discussion

Self-signed certificates pose security risks, as they are not issued by a trusted third party. DOD trusted, signed certificates have undergone a validation process by a trusted CA, reducing the risk of man-in-the-middle attacks and unauthorized access. Using these certificates enhances the trust and authenticity of the communication between clients and the MSR server.

Check Content

If MSR is not being utilized, this is Not Applicable.

Check that MSR has been integrated with a trusted certificate authority (CA). 

1. In one terminal window execute the following:
kubectl port-forward service/msr 8443:443

2. In a second terminal window execute the following:
openssl s_client -connect localhost:8443 -showcerts </dev/null

If the certificate chain in the output is not valid and does not match that of the trusted CA, then this is a finding.
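Added example, not part of the STIG text or of Mirantis/MSR: a POSIX shell script that automates the two-step check above. It assumes the step-1 port-forward is listening on localhost:8443 and that the DOD trusted CA chain is available as a PEM bundle whose path you supply in DOD_CA_BUNDLE (the default is a placeholder); the two s_client outputs embedded at the bottom are constructed samples, not captures from a real MSR deployment.

```shell
#!/bin/sh
# Added example, not part of the STIG text: automates the V-260916 check.
# Assumptions: the port-forward from step 1 is listening on localhost:8443 and
# the DOD trusted CA chain is a PEM bundle (the default path is a placeholder).
MSR_ENDPOINT="${MSR_ENDPOINT:-localhost:8443}"
DOD_CA_BUNDLE="${DOD_CA_BUNDLE:-/path/to/dod-ca-bundle.pem}"

# The STIG's s_client command, but validated against the DOD bundle instead of
# the host's default trust store, so "Verify return code" reflects DOD trust.
fetch_chain_output() {
    openssl s_client -connect "$1" -showcerts -CAfile "$2" </dev/null 2>/dev/null
}

# Evaluate s_client output read from stdin. -showcerts prints the leaf as
# " 0 s:<subject>" then "   i:<issuer>"; subject == issuer means self-signed.
# "Verify return code: 0 (ok)" means the chain built to a CA in the bundle.
# Exit status: 0 not a finding, 1 finding, 2 no handshake output at all.
evaluate_chain() {
    awk '
        /^Certificate chain/ { saw_chain = 1 }
        /^ *0 s:/ { sub(/^ *0 s:/, ""); subject = $0 }
        /^ *i:/ && !seen_issuer { sub(/^ *i:/, ""); issuer = $0; seen_issuer = 1 }
        /^Verify return code:/ { sub(/^Verify return code: */, ""); code = $0 }
        END {
            if (!saw_chain) { print "ERROR: no TLS output (is the port-forward running?)"; exit 2 }
            self_signed = (subject != "" && subject == issuer)
            trusted = (code ~ /^0 /)
            if (self_signed) print "FINDING: leaf certificate is self-signed: " subject
            else if (!trusted) print "FINDING: chain does not validate against DOD CA bundle (" code ")"
            else print "NOT A FINDING: " subject " chains to the DOD CA bundle"
            exit (self_signed || !trusted)
        }'
}
check_msr() { fetch_chain_output "$1" "$2" | evaluate_chain; }

# Constructed sample outputs (certificate bodies omitted) for offline use;
# they are not captures from a real MSR deployment.
SAMPLE_SELF_SIGNED='Certificate chain
 0 s:CN = msr.internal.example
   i:CN = msr.internal.example
---
Verify return code: 18 (self-signed certificate)'
SAMPLE_TRUSTED='Certificate chain
 0 s:CN = msr.internal.example
   i:CN = Example Issuing CA
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
---
Verify return code: 0 (ok)'

# Only perform the live check when invoked with --live, so the file can be sourced.
if [ "${1:-}" = "--live" ]; then check_msr "$MSR_ENDPOINT" "$DOD_CA_BUNDLE"; fi
```

Run it as `sh check_msr.sh --live` after starting the port-forward; a non-zero exit status is the finding, and the printed line names the reason.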

Fix Text

If MSR is not being utilized, this is Not Applicable.

Ensure the certificates are from a trusted DOD CA.

1. Add the secret to the cluster by executing the following:

kubectl create secret tls <secret-name> --key <keyfile>.pem --cert <certfile>.pem

2. Update MSR with the custom certificate by executing the following:

helm upgrade msr [REPO_NAME]/msr --version <helm-chart-version> --set-file license=path/to/file/license.lic \
  --set nginx.webtls.create=false --set nginx.webtls.secretName="<secret-name>"