NGINX must accept Personal Identity Verification (PIV) credentials.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-278400 | SRG-APP-000391 | NGNX-APP-001650 | SV-278400r1172752_rule | 2026-01-07 | 1 |
| Description |
|---|
| Using PIV credentials facilitates standardization and reduces the risk of unauthorized access. DOD has mandated using the CAC to support identity management and personal authentication for systems covered under HSPD 12, as well as a primary component of layered protection for national security systems. Satisfies: SRG-APP-000391, SRG-APP-000392, SRG-APP-000402, SRG-APP-000403 |
| ℹ️ Check |
|---|

Determine the path to the NGINX config file:

```
# nginx -qT | grep "# configuration"
# configuration file /etc/nginx/nginx.conf:
```

Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included.

Check that the nginx.conf file has the SSL certificate/key installed, the SSL client certificate is present, and SSL verify is configured:

```nginx
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /etc/nginx/ssl/server_cert.pem;
    ssl_certificate_key /etc/nginx/ssl/server_key.pem;

    # Enable client certificate verification
    ssl_client_certificate /etc/nginx/ca_cert.pem;
    ssl_verify_client on;

    # Optional: Set verification depth for client certificates
    ssl_verify_depth 2;

    location / {
        proxy_pass http://backend_service;

        # Restrict access to valid PIV credentials
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
    }
}
```

If the certificates are not configured and `ssl_verify_client` is not enabled, this is a finding.
| ✔️ Fix |
|---|

NGINX installs OpenSSL by default. If not installed, follow the OS documentation.

Include the following lines in the `server {}` block of nginx.conf:

```nginx
ssl_certificate /etc/nginx/ssl/server_cert.pem;
ssl_certificate_key /etc/nginx/ssl/server_key.pem;

# Enable client certificate verification
ssl_client_certificate /etc/nginx/ca_cert.pem;
ssl_verify_client on;

# Optional: Set verification depth for client certificates
ssl_verify_depth 2;

location / {
    proxy_pass http://backend_service;

    # Restrict access to valid PIV credentials
    if ($ssl_client_verify != SUCCESS) {
        return 403;
    }
}
```

Save and exit. Restart NGINX after modifying the configuration:

```
# nginx -s reload
```