STIGhub — A free STIG search and compliance tool

V-278410

CAT II (Medium)

NGINX must generate, manage, and protect from disclosure and misuse the cryptographic keys that protect access tokens.

Rule ID

SV-278410r1172694_rule

STIG

F5 NGINX Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-005156, CCI-000366, CCI-005157

Discussion

Identity assertions and access tokens are typically digitally signed. The private keys used to sign these assertions and tokens are protected commensurate with the impact of the system and information resources that can be accessed. Satisfies: SRG-APP-000965, SRG-APP-000970

Check Content

Check SSL/TLS certificate and private key file permissions:

# ls -la /home/ubuntu/nginx.com.crt
# ls -la /home/ubuntu/nginx.com.key

Verify:
- Certificate file permissions are 644 or more restrictive.
- Private key file permissions are 600 or more restrictive.
- Files are owned by the nginx user or root.
- The private key is not readable by group or others, and neither file is group- or world-writable (the certificate itself is public, so 644 is acceptable for it).

If these permissions are not set, this is a finding.

Verify certificate validity and strength:

# openssl x509 -in /home/ubuntu/nginx.com.crt -text -noout

Verify:
- Certificate is not expired.
- Uses RSA key length of 2048 bits minimum or ECDSA P-256 minimum.
- Signature algorithm is SHA-256 or stronger (not SHA-1 or MD5).
- Certificate chain is complete and valid. The file named by ssl_certificate must contain the server certificate first, followed by any intermediate certificates; note that the command above only decodes the first certificate in the file, so inspect the rest of the file as well.

If these values are not met, this is a finding.

Verify private key strength and protection (this subcommand reads RSA keys only; an ECDSA key will not parse with it and must be inspected with the matching EC subcommand):

# openssl rsa -in /home/ubuntu/nginx.com.key -text -noout -check

Verify:
- Key length is 2048 bits minimum for RSA, or the curve is P-256 or stronger for ECDSA.
- If the key is stored encrypted, it is protected with a current cipher such as AES rather than a legacy cipher such as DES; note that NGINX then needs the passphrase at startup and on every reload.
- Key passes the integrity check (the -check option reports "RSA key ok").

If any of these conditions is not met, this is a finding.
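The three manual checks above can be run as one script. The following is an added example written for this page, not part of the STIG or of NGINX: it turns each bullet into a function, handles both RSA and ECDSA keys, and adds one check the STIG text does not mention but an auditor wants, namely that the private key actually matches the certificate. It assumes GNU stat (-c) and OpenSSL 1.1.1 or later (for openssl pkey -check). The NGINX_KEY_OWNERS variable, the function names, the nginx.example CN and the fixture generator are all constructed for the example; the nginx.com.crt/nginx.com.key file names follow the page.

```bash
#!/usr/bin/env bash
# Added example for STIG V-278410 (not the STIG's or NGINX's own code).
# Assumes GNU stat and OpenSSL >= 1.1.1. Paths/CN are constructed.

# Owners accepted for key material (assumption: override for a test user).
NGINX_KEY_OWNERS="${NGINX_KEY_OWNERS:-root nginx}"

# perm_at_most FILE MAX: succeed only if FILE's mode grants no permission bit
# beyond the octal mask MAX (600 rejects 640, 644 and 660; special bits ignored).
perm_at_most() {
  local mode
  mode=$(stat -c '%a' "$1")
  [ $(( 8#$mode & ~8#$2 & 0777 )) -eq 0 ]
}

# owner_ok FILE: the owner must be listed in NGINX_KEY_OWNERS.
owner_ok() {
  local owner
  owner=$(stat -c '%U' "$1")
  case " $NGINX_KEY_OWNERS " in
    *" $owner "*) return 0 ;;
  esac
  return 1
}

# not_expired CRT: -checkend 0 exits non-zero once the certificate has expired.
not_expired() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null; }

# key_strength_ok CRT: RSA >= 2048 bits, or EC >= 256 bits (P-256 and up).
key_strength_ok() {
  local text bits
  text=$(openssl x509 -in "$1" -noout -text)
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)
  if printf '%s\n' "$text" | grep -q 'id-ecPublicKey'; then
    [ "${bits:-0}" -ge 256 ]
  else
    [ "${bits:-0}" -ge 2048 ]
  fi
}

# sig_alg_ok CRT: reject MD5 and SHA-1 signatures (sha1WithRSAEncryption,
# ecdsa-with-SHA1, ...); sha256/384/512 pass.
sig_alg_ok() {
  ! openssl x509 -in "$1" -noout -text | grep 'Signature Algorithm' | grep -Eiq 'md5|sha1'
}

# key_ok KEY: the key parses (RSA or EC) and passes OpenSSL's consistency check.
# stdin is closed so an encrypted key fails instead of prompting for a passphrase.
key_ok() { openssl pkey -in "$1" -noout -check </dev/null >/dev/null 2>&1; }

# pair_matches CRT KEY: public key derived from KEY equals the one in CRT.
pair_matches() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
    "$(openssl pkey -in "$2" -pubout </dev/null 2>/dev/null)" ]
}

# _check NAME CMD ARGS...: run one check, print PASS/FINDING, count findings.
_check() {
  local name=$1; shift
  if "$@"; then echo "PASS    $name"; else echo "FINDING $name"; FINDINGS=$((FINDINGS + 1)); fi
}

# audit_pair CRT KEY: run every check; the exit status is the number of findings.
audit_pair() {
  FINDINGS=0
  _check "certificate mode no looser than 644"     perm_at_most "$1" 644
  _check "private key mode no looser than 600"     perm_at_most "$2" 600
  _check "certificate owner in: $NGINX_KEY_OWNERS" owner_ok "$1"
  _check "private key owner in: $NGINX_KEY_OWNERS" owner_ok "$2"
  _check "certificate not expired"                 not_expired "$1"
  _check "public key size (RSA>=2048, EC>=256)"    key_strength_ok "$1"
  _check "signature algorithm not MD5/SHA-1"       sig_alg_ok "$1"
  _check "private key passes openssl pkey -check"  key_ok "$2"
  _check "private key matches certificate"         pair_matches "$1" "$2"
  return $FINDINGS
}

# make_fixture DIR [rsa|ec]: constructed self-signed pair (RSA-2048 or P-256,
# SHA-256, one-day validity) so the audit can be tried offline.
make_fixture() {
  local dir=$1 alg=${2:-rsa}
  set -- -newkey rsa:2048
  [ "$alg" = ec ] && set -- -newkey ec -pkeyopt ec_paramgen_curve:P-256
  openssl req -x509 "$@" -nodes -sha256 -days 1 -subj '/CN=nginx.example' \
    -keyout "$dir/nginx.com.key" -out "$dir/nginx.com.crt" >/dev/null 2>&1
  chmod 644 "$dir/nginx.com.crt"
  chmod 600 "$dir/nginx.com.key"
}

# Usage: audit.sh /etc/nginx/ssl/nginx.com.crt /etc/nginx/ssl/nginx.com.key
if [ $# -eq 2 ]; then
  audit_pair "$1" "$2"
fi
```

Run it against the paths from the check, and again after applying the fix text and reloading NGINX; an exit status of 0 means no finding, anything else is the count of failed checks. The key/certificate match check catches the common operational mistake of rotating one file but not the other, which the manual procedure would not flag.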

Fix Text

Set proper file permissions for the SSL certificate and private key:

# chmod 644 /home/ubuntu/nginx.com.crt
# chmod 600 /home/ubuntu/nginx.com.key
# chown nginx:nginx /home/ubuntu/nginx.com.crt
# chown nginx:nginx /home/ubuntu/nginx.com.key

Ownership by root (root:root) also satisfies the check and is the stricter choice: the NGINX master process runs as root and loads the key at startup and on reload, so the unprivileged worker processes never need to read the key file.

Move the certificate and key to a secure location (the files must keep the names referenced in the NGINX configuration):

# mkdir -p /etc/nginx/ssl
# mv /home/ubuntu/nginx.com.* /etc/nginx/ssl/
# chmod 700 /etc/nginx/ssl

The directory is created by root with mode 700, so only root can traverse it; that is sufficient because the master process, not the workers, loads the files.

Update NGINX configuration to use secure certificate location:

server {
    listen 443 ssl;
    ssl_certificate     /etc/nginx/ssl/nginx.com.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.com.key;
    ssl_session_cache shared:SSL:10m;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
}

Generate strong DH parameters if not present:

# openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
# chmod 644 /etc/nginx/ssl/dhparam.pem

DH parameters are public values, so mode 644 is appropriate. They are used only by DHE cipher suites; ECDHE suites and TLS 1.3 negotiate their own groups and do not consult ssl_dhparam. After editing the configuration, validate it and reload NGINX before repeating the check.