The system must query the certification authority to determine whether a public key certificate has been revoked before accepting the certificate for authentication purposes.

From Windows Server 2012/2012 R2 Domain Controller Security Technical Implementation Guide

Associated with: CCI-000366

SV-51584r1_rule The system must query the certification authority to determine whether a public key certificate has been revoked before accepting the certificate for authentication purposes.

Vulnerability discussion

Failure to verify a certificate's revocation status can result in the system accepting a revoked, and therefore unauthorized, certificate. This could result in the installation of unauthorized software or a connection for rogue networks, depending on the use for which the certificate is intended. Querying for certificate revocation mitigates the risk that the system will accept an unauthorized certificate.

Check content

Verify the system has software installed and running that provides certificate validation and revocation checking. If it does not, this is a finding.

Fix text

Install software that provides certificate validation and revocation checking.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.