STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-268313

CAT I (High)

AOS, when used as a VPN Gateway, must not accept certificates that have been revoked when using PKI for authentication.

Rule ID

SV-268313r1040899_rule

STIG

HPE Aruba Networking AOS VPN Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-004068

Discussion

Situations may arise in which the certificate issued by a certificate authority (CA) may need to be revoked before the lifetime of the certificate expires (for example, when the certificate is known to have been compromised). When an incoming Internet Key Exchange (IKE) session is initiated for a remote client or peer whose certificate is revoked, the revocation list configured for use by the VPN server is checked to determine if the certificate is valid. If the certificate is revoked, IKE will fail, and an IPsec security association will not be established for the remote endpoint.

Check Content

Verify the AOS configuration with the following command:
show crypto-local pki rcp

If any configured trusted root certificate authorities are not configured to use OCSP, this is a finding.

Fix Text

Configure AOS using the web interface:

1. Navigate to Configuration >> System >> Certificates tab. Under "Import Certificates", upload the trusted root CA.
2. Choose the TrustCA Certificate type. Click "Submit".
3. Upload the same certificate and select the OCSPResponderCert Certificate type (provide a different friendly name). Click "Submit".
4. Click Pending Changes >> Deploy Changes.
5. Expand "Revocation Checkpoint". Select the configured trusted root CA.
6. Select "ocsp" for Revocation method 1. Enter the OCSP server URL in the OCSP URL field (remove "http://").
7. Choose the configured certificate under OCSP responder cert. Click "Submit".
8. Click Pending Changes >> Deploy Changes.
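The Discussion above describes the mechanism (an IKE peer presents a certificate, the gateway asks the configured revocation source, and the security association is refused if the certificate is revoked), and the Fix Text registers the trusted root CA both as the trust anchor and as the OCSP responder certificate. The following Python script is an added example, not AOS code and not part of the STIG: it builds a small in-memory CA, an OCSP responder that signs with the CA key (matching the fix's use of the root CA as responder cert), and a gateway-side acceptance check that fails closed whenever the OCSP answer is missing, unsigned by the configured responder, stale, mismatched, or anything other than GOOD. Certificate names, the responder class and the `ike_peer_accepted` function are constructed for this example; it requires the `cryptography` package.

```python
"""Added example: OCSP revocation check before accepting an IKE peer certificate.
The CA, peer certificates and OCSP responder are constructed in memory with the
`cryptography` library; nothing here is AOS code or STIG content."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

DER = serialization.Encoding.DER


def _utcnow():
    return datetime.datetime.now(datetime.timezone.utc)


def make_cert(cn, issuer_key=None, issuer_cert=None):
    """Issue an ECDSA certificate; with no issuer it is a self-signed root CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = _utcnow()
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer_cert.subject if issuer_cert else subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=issuer_cert is None, path_length=None), critical=True)
        .sign(issuer_key or key, hashes.SHA256())
    )
    return key, cert


class OcspResponder:
    """Constructed stand-in for the OCSP server. It signs with the CA key, which is
    why the gateway below is configured with the CA cert as its responder cert."""

    def __init__(self, ca_key, ca_cert):
        self.ca_key, self.ca_cert = ca_key, ca_cert
        self.issued = {}       # serial number -> certificate the CA issued
        self.revoked = set()   # serial numbers the CA has revoked

    def register(self, cert):
        self.issued[cert.serial_number] = cert

    def revoke(self, cert):
        self.revoked.add(cert.serial_number)

    def respond(self, request_der):
        req = ocsp.load_der_ocsp_request(request_der)
        cert = self.issued[req.serial_number]   # KeyError for unknown serials
        now = _utcnow()
        revoked = cert.serial_number in self.revoked
        resp = (
            ocsp.OCSPResponseBuilder()
            .add_response(
                cert=cert, issuer=self.ca_cert, algorithm=hashes.SHA256(),
                cert_status=ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD,
                this_update=now, next_update=now + datetime.timedelta(hours=1),
                revocation_time=now - datetime.timedelta(hours=1) if revoked else None,
                revocation_reason=x509.ReasonFlags.key_compromise if revoked else None,
            )
            .responder_id(ocsp.OCSPResponderEncoding.HASH, self.ca_cert)
            .sign(self.ca_key, hashes.SHA256())
        )
        return resp.public_bytes(DER)


def ike_peer_accepted(peer_cert, trust_ca, responder_cert, responder):
    """Gateway-side decision: build the IKE SA only if OCSP says GOOD. A missing,
    badly signed, stale or mismatched answer, or REVOKED/UNKNOWN, fails closed."""
    request = ocsp.OCSPRequestBuilder().add_certificate(peer_cert, trust_ca, hashes.SHA256()).build()
    try:
        resp = ocsp.load_der_ocsp_response(responder.respond(request.public_bytes(DER)))
    except Exception:            # responder unreachable or unable to answer
        return False
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False
    try:                         # signature must come from the configured responder cert
        responder_cert.public_key().verify(
            resp.signature, resp.tbs_response_bytes, ec.ECDSA(resp.signature_hash_algorithm))
    except InvalidSignature:
        return False
    if resp.serial_number != peer_cert.serial_number:
        return False
    next_update = resp.next_update
    if next_update is not None:
        if next_update.tzinfo is None:
            next_update = next_update.replace(tzinfo=datetime.timezone.utc)
        if next_update < _utcnow():
            return False         # stale answer; do not trust it
    return resp.certificate_status == ocsp.OCSPCertStatus.GOOD


def demo():
    """Constructed scenario: two VPN peers issued by one CA, one of them revoked."""
    ca_key, ca_cert = make_cert("Constructed Root CA")
    responder = OcspResponder(ca_key, ca_cert)
    _, good_peer = make_cert("vpn-peer-good", ca_key, ca_cert)
    _, bad_peer = make_cert("vpn-peer-compromised", ca_key, ca_cert)
    responder.register(good_peer)
    responder.register(bad_peer)
    responder.revoke(bad_peer)
    return {
        "good": ike_peer_accepted(good_peer, ca_cert, ca_cert, responder),
        "revoked": ike_peer_accepted(bad_peer, ca_cert, ca_cert, responder),
    }


if __name__ == "__main__":
    print(demo())
```

The design point mirrors the STIG's intent: the only path that yields an IKE security association is a fresh, correctly signed OCSP answer of GOOD for the exact serial presented. A gateway that skipped the signature check could be fed a forged "good" answer, and one that treated a responder outage as "not revoked" would accept exactly the compromised certificates the rule exists to keep out.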