STIGhub

V-264332

CAT II (Medium)

The VPN Gateway must configure OCSP to ensure revoked user certificates are prohibited from establishing an allowed session.

Rule ID

SV-264332r984332_rule

STIG

Virtual Private Network (VPN) Security Requirements Guide

Version

V3R4

CCIs

CCI-004068

Discussion

Situations may arise in which the certificate issued by a Certificate Authority (CA) may need to be revoked before the lifetime of the certificate expires. One example is if the certificate is known to have been compromised. When an incoming Internet Key Exchange (IKE) session is initiated for a remote client or peer whose certificate is revoked, the revocation list configured for use by the VPN server is checked to see if the certificate is valid. If the certificate is revoked, IKE will fail and an IPsec security association will not be established for the remote endpoint.

Check Content

Verify the VPN Gateway rejects user certificates that have been revoked when using DOD PKI for authentication.

If the VPN Gateway does not configure OCSP and/or CRL to reject revoked user credentials that are prohibited from establishing an allowed session, this is a finding.

Fix Text

Configure the VPN Gateway to reject user certificates that have been revoked when using DOD PKI for authentication.
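As an added illustration of the revocation check described in the Discussion and tested in the Check Content (this script is not part of the STIG or of STIGhub), the following OpenSSL session builds a throwaway CA, issues a user certificate, revokes it, and shows that a verifier keeps accepting the revoked certificate until it is told to consult the CRL. It assumes only the openssl command-line tool; every subject, file name and key in it is constructed.

```shell
# Added example, not from the STIG or STIGhub. Builds a throwaway CA, a user
# certificate and a CRL, then shows a verifier accepting the revoked certificate
# until revocation data is consulted. Assumes only the openssl CLI on PATH.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
# Minimal "openssl ca" state: just enough to revoke certificates and sign CRLs.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = test_ca
[ test_ca ]
database         = index.txt
certificate      = ca.pem
private_key      = ca.key
default_md       = sha256
default_crl_days = 7
crlnumber        = crlnumber
EOF
: > index.txt
echo 01 > crlnumber
# Throwaway CA plus one user certificate issued by it (constructed test data).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Test CA" \
    -keyout ca.key -out ca.pem >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.user" \
    -keyout user.key -out user.csr >/dev/null 2>&1
openssl x509 -req -in user.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 30 -out user.pem >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1   # CRL with no entries yet
# Returns 0 when the user certificate is accepted, 1 when it is rejected.
# "$1" is "crl" to consult crl.pem (-crl_check) or "none" to skip revocation checking.
verify_user_cert() {
    if [ "$1" = "crl" ]; then
        openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem user.pem >/dev/null 2>&1 || return 1
    else
        openssl verify -CAfile ca.pem user.pem >/dev/null 2>&1 || return 1
    fi
}
# Revoke the user certificate and sign a fresh CRL that lists it.
revoke_user_cert() {
    openssl ca -config ca.cnf -revoke user.pem >/dev/null 2>&1
    openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
}
if verify_user_cert crl;  then echo "not yet revoked, CRL consulted:  accepted"; fi
revoke_user_cert
if verify_user_cert none; then echo "revoked, CRL not consulted:      accepted (the gap this rule closes)"; fi
if verify_user_cert crl;  then :; else echo "revoked, CRL consulted:          rejected"; fi
```

The same contrast is what the Check Content is asking for: a gateway that validates the chain but never consults OCSP or a CRL will still admit the revoked user.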