AOS, when used as a VPN Gateway, must not accept certificates that have been revoked when using PKI for authentication.

An XCCDF Rule

Description

Situations may arise in which the certificate issued by a certificate authority (CA) may need to be revoked before the lifetime of the certificate expires (for example, when the certificate is known to have been compromised). When an incoming Internet Key Exchange (IKE) session is initiated for a remote client or peer whose certificate is revoked, the revocation list configured for use by the VPN server is checked to determine if the certificate is valid. If the certificate is revoked, IKE will fail, and an IPsec security association will not be established for the remote endpoint.

ID: SV-268313r1040899_rule
Version: ARBA-VN-002430
Severity: High
References: CCI-004068
Updated: about 2 months ago

Remediation Templates

Configure AOS using the web interface: 

1. Navigate to Configuration >> System >> Certificates tab. Under "Import Certificates", upload the trust root CA. 
2. Choose the TrustCA Certificate type. Click "Submit". 
3. Upload the same certificate and select the OCSPResponderCert Certificate type (provide a different friendly name). Click "Submit". 
4. Click Pending Changes >> Deploy Changes.5. Expand "Revocation Checkpoint". Select the configured trusted root CA. 
6. Select "ocsp" for Revocation method 1. Enter the OCSP server URL in the OCSP URL field (remove "http://"). 
7. Choose the configured certificate under OCSP responder cert. Click "Submit". 
8. Click Pending Changes >> Deploy Changes.

AOS, when used as a VPN Gateway, must not accept certificates that have been revoked when using PKI for authentication.

Description

Remediation Templates

A Manual Procedure