The IIS 10.0 website must only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).

An XCCDF Rule

Description

The use of a DoD PKI certificate ensures clients the private website they are connecting to is legitimate, and is an essential part of the DoD defense-in-depth strategy.

ID: SV-218767r965407_rule
Version: IIST-SI-000241
Severity: Medium
References: CCI-002470
Updated: 15 days ago

Remediation Templates

Follow the procedures below for each site hosted on the IIS 10.0 web server:

Open the IIS 10.0 Manager.

Click the Server name.
Double-click "Server Certificates".

Click "Import" under the "Actions" pane.

Browse to the DoD certificate location, select it, and click "OK".

Remove any non-DoD certificates if present.

Click on the site needing the certificate.

Select "Bindings" under the "Actions" pane.

Click on the binding needing a certificate and select "Edit", or add a site binding for HTTPS.

Assign the certificate to the website by choosing it under the "SSL Certificate" drop-down and clicking "OK".

The IIS 10.0 website must only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).

Description

Remediation Templates

A Manual Procedure