Ensuring RFC 5280-compliant certification path validation
Rule Title: RiOS must validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation.
STIG ID: RICX-AG-000098
Rule ID: SV-77321r1_rule Severity: CAT II
Vuln ID: V-62831 Class: Unclass
A certificate's certification path is the path from the end-entity certificate to a trusted-root certificate authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate.
Certification path validation includes checks such as certificate issuer trust, time validity, and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided through certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses.
Verifying certificate path validation is configured
Verify that RiOS is configured to validate certificates used for TLS functions by performing certificate path validation.
1. Connect to the Management Console.
2. Choose Optimization > SSL: CRL Management to display the CRL Management page.
3. Verify that the Enable Automatic CRL Polling For CAs and Enable Automatic CRL Polling For Peering CAs check boxes are selected.
4. If the Enable Automatic CRL Polling For CAs and/or Enable Automatic CRL Polling For Peering CAs check boxes are not set, this is a security vulnerability finding.
Configuring certificate path validation
Configure RiOS to validate certificates used for TLS functions by performing certificate path validation.
1. Connect to the Management Console.
2. Choose Optimization > SSL: CRL Management to display the CRL Management page.
3. Select the Enable Automatic CRL Polling For CAs, and the Enable Automatic CRL Polling For Peering CAs check boxes.
4. Click Apply.