STIGhubSTIGhub
STIGsSearchCompareAbout

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • VPAT
  • DISA STIG Library
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to APACHE 2.2 Site for UNIX Security Technical Implementation Guide

V-6531

CAT II (Medium)

Private web servers must require certificates issued from a DoD-authorized Certificate Authority.

Rule ID

SV-33019r1_rule

STIG

APACHE 2.2 Site for UNIX Security Technical Implementation Guide

Version

V1R11

CCIs

None

Discussion

Web sites requiring authentication within the DoD must utilize PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity must use the identity provided by certificate-based authentication to support access control decisions.

Check Content

To view the SSLVerifyClient value enter the following command:

grep "SSLVerifyClient" /usr/local/apache2/conf/httpd.conf.

If the value of SSLVerifyClient is not set to “require”, this is a finding.

Fix Text

Edit the httpd.conf file and set the value of SSLVerifyClient to "require".