AOS, when used as a VPN Gateway, must not accept certificates that have been revoked when using PKI for authentication.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| high | V-268313 | SRG-NET-000345-VPN-002430 | ARBA-VN-002430 | SV-268313r1040899_rule | 2024-10-29 | 1 |
| Description |
|---|
| Situations may arise in which the certificate issued by a certificate authority (CA) may need to be revoked before the lifetime of the certificate expires (for example, when the certificate is known to have been compromised). When an incoming Internet Key Exchange (IKE) session is initiated for a remote client or peer whose certificate is revoked, the revocation list configured for use by the VPN server is checked to determine if the certificate is valid. If the certificate is revoked, IKE will fail, and an IPsec security association will not be established for the remote endpoint. |
| ℹ️ Check |
|---|
| Verify the AOS configuration with the following command: show crypto-local pki rcp If any configured trusted root certificate authorities are not configured to use OCSP, this is a finding. |
| ✔️ Fix |
|---|
| Configure AOS using the web interface: 1. Navigate to Configuration >> System >> Certificates tab. Under "Import Certificates", upload the trust root CA. 2. Choose the TrustCA Certificate type. Click "Submit". 3. Upload the same certificate and select the OCSPResponderCert Certificate type (provide a different friendly name). Click "Submit". 4. Click Pending Changes >> Deploy Changes. 5. Expand "Revocation Checkpoint". Select the configured trusted root CA. 6. Select "ocsp" for Revocation method 1. Enter the OCSP server URL in the OCSP URL field (remove "http://"). 7. Choose the configured certificate under OCSP responder cert. Click "Submit". 8. Click Pending Changes >> Deploy Changes. |