The network device, when utilizing PKI-based authentication, must not accept revoked certificates.

From Network Device Management Security Requirements Guide

Associated with: CCI-000185

SV-95679r1_rule The network device, when utilizing PKI-based authentication, must not accept revoked certificates.

Vulnerability discussion

Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted.When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA.

Check content

When PKI-based authentication is used, verify the network device does not accept revoked certificates. Determine if the CA trust point defined on the network device references a CRL and that revocation check has been enabled. An alternate mechanism for checking the validity of a certificate is the use of the Online Certificate Status Protocol (OCSP). Unlike CRLs, which provide only periodic certificate status checks, OCSP can provide timely information regarding the status of a certificate. This requirement may be verified by configuration review or validated test results. If PKI-based authentication is used and the network device accepts revoked certificates, this is a finding.

Fix text

Configure the network device to not accept revoked certificates.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.