← Back to Application Server Security Requirements Guide

V-204832

CAT II (Medium)

The application server must use DOD- or CNSS-approved PKI Class 3 or Class 4 certificates.

Rule ID

SV-204832r1137585_rule

STIG

Application Server Security Requirements Guide

Version

V4R4

CCIs

CCI-002450

Discussion

Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certificates are used for business-to-business transactions. Utilizing unapproved certificates not issued or approved by DOD or CNS creates an integrity risk. The application server must utilize approved DOD or CNS Class 3 or Class 4 certificates for software signing and business-to-business transactions. This requirement also applies to Zero Trust initiatives.

Check Content

Review the application server configuration to determine if the application server utilizes approved PKI Class 3 or Class 4 certificates.

If the application server is not configured to use approved DOD or CNS certificates, this is a finding.

Fix Text

Configure the application server to use DOD- or CNSS-approved Class 3 or Class 4 PKI certificates.