NGINX must be configured to use Online Certificate Status Protocol (OCSP) for certificate path validation and revocation. (OCSP is the preferred configuration.)
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-278406 | SRG-APP-000605 | NGNX-APP-002620 | SV-278406r1171970_rule | 2026-01-07 | 1 |
| Description |
|---|
| A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity, and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or OCSP responses. Satisfies: SRG-APP-000605, SRG-APP-000875 |
| ℹ️ Check |
|---|
If using CRL for certificate revocation, this requirement is Not Applicable.

Determine the path to the NGINX config file(s):

```
# nginx -qT | grep "# configuration"
# configuration file /etc/nginx/nginx.conf:
```

Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included. "nginx -T" prints the complete configuration with every included file expanded, so reviewing its output rather than a single file avoids missing a directive placed in an include.

```
# cat <path to config>
```

Check the http { } blocks for the following example:

```nginx
http {
    server {
        listen 443 ssl;
        server_name example.com;
        ssl_certificate /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;
        ssl_client_certificate /etc/nginx/ssl/ca.crt;
        ssl_verify_client on;
        ssl_crl /etc/nginx/ssl/crl.pem;
        ssl_ocsp on;
        ssl_ocsp_responder http://ocsp.disa.mil;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_stapling_file /etc/nginx/ssl/ocsp_cache.pem;
        location / {
            proxy_pass http://backend;
        }
    }
}
```

Note: NGINX has no "ssl_stapling_responder_timeout" or "ssl_stapling_responder_error_cache_time" directive; a configuration containing either fails "nginx -t" with "unknown directive". The two directives that matter here do different jobs: "ssl_ocsp" enables OCSP validation of the client certificate chain (it only takes effect when "ssl_verify_client" is "on" or "optional"), while "ssl_stapling" staples the server certificate's own OCSP response to the TLS handshake. This rule requires both.

Check for certificate path validation. If "ssl_verify_client on" is not in the configuration, this is a finding.

Check if OCSP is enabled. If "ssl_ocsp on" is not in the configuration, this is a finding.

Check if OCSP Stapling is configured. If "ssl_stapling on" or "ssl_stapling_verify on" is not in the configuration, this is a finding.

If "ssl_stapling_file <file>" is not present in the configuration, this is a finding.
| ✔️ Fix |
|---|
Edit the NGINX configuration file. Set "ssl_verify_client on", "ssl_ocsp on", "ssl_stapling on", and "ssl_stapling_verify on" as shown in the example below.

Create the file that "ssl_stapling_file" will point to and restrict its permissions:

```
touch /etc/nginx/ssl/ocsp_cache.pem
chmod 600 /etc/nginx/ssl/ocsp_cache.pem
```

Populate the file with a DER-encoded OCSP response for the server certificate (the format written by "openssl ocsp" with "-respout"). NGINX reads this file at startup and staples its contents in place of querying the responder named in the certificate; it never writes to the file, and an empty file makes "nginx -t" fail with a "d2i_OCSP_RESPONSE_bio" error. Refresh the file before the response's nextUpdate time and reload NGINX so that clients are not handed a stale or expired response.

Set the "ssl_stapling_file" directive to that file as shown in the example below.

```nginx
http {
    server {
        listen 443 ssl;
        server_name example.com;
        ssl_certificate /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;
        ssl_client_certificate /etc/nginx/ssl/ca.crt;
        ssl_verify_client on;
        ssl_crl /etc/nginx/ssl/crl.pem;
        ssl_ocsp on;
        ssl_ocsp_responder http://ocsp.disa.mil;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_stapling_file /etc/nginx/ssl/ocsp_cache.pem;
        location / {
            proxy_pass http://backend;
        }
    }
}
```

Two conditions must hold for this configuration to work as intended. First, NGINX supports only "http://" OCSP responder URLs in "ssl_ocsp_responder" and "ssl_stapling_responder"; an "https://" URL fails "nginx -t" with "invalid URL prefix in OCSP responder". Second, when the responder is given by hostname, a "resolver" directive is required so NGINX can look it up; without one the error log reports "no resolver defined to resolve ocsp.disa.mil" and no OCSP request is sent. If the issuing CA chain is not in the system trust store, add it with "ssl_trusted_certificate" so that "ssl_stapling_verify" and "ssl_ocsp" can validate the responses they receive. Run "nginx -t" after editing and reload NGINX.
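The Check and Fix above amount to a grep over the expanded configuration for a handful of directives. The script below is an added example, not part of the STIG and not NGINX's own tooling: it audits an "nginx -T" dump for every directive this rule requires and returns the number of findings, and it additionally flags the two conditions that make the directives ineffective even when present (an "https://" responder URL, and a hostname responder with no "resolver"). The two sample configurations it writes to a temporary directory and the 192.0.2.53 resolver address are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the STIG or of NGINX): audit an NGINX
# configuration dump for the directives this rule requires, plus two
# caveats the literal check does not cover. Point it at the output of
# "nginx -T" so every included file is expanded. The sample configs and
# the 192.0.2.53 resolver address below are constructed for the demo.

# has_directive DUMP NAME VALUE_RE: true if NAME appears outside a
# comment with a value matching the extended regex VALUE_RE.
has_directive() {
    sed 's/#.*//' "$1" | grep -Eq "(^|[[:space:]])$2[[:space:]]+$3[[:space:]]*;"
}

# require DUMP NAME VALUE_RE MESSAGE: print a finding and fail if absent.
require() {
    has_directive "$1" "$2" "$3" && return 0
    echo "FINDING: $4"
    return 1
}

# nginx_ocsp_audit DUMP: print one line per finding; the return value
# is the number of findings, so 0 means compliant.
nginx_ocsp_audit() {
    dump="$1"
    findings=0
    require "$dump" ssl_verify_client on '"ssl_verify_client on" is not set' ||
        findings=$((findings + 1))
    require "$dump" ssl_ocsp on '"ssl_ocsp on" is not set' ||
        findings=$((findings + 1))
    require "$dump" ssl_stapling on '"ssl_stapling on" is not set' ||
        findings=$((findings + 1))
    require "$dump" ssl_stapling_verify on '"ssl_stapling_verify on" is not set' ||
        findings=$((findings + 1))
    require "$dump" ssl_stapling_file '[^;[:space:]]+' '"ssl_stapling_file <file>" is not present' ||
        findings=$((findings + 1))
    # NGINX accepts only http:// OCSP responder URLs; https:// fails nginx -t.
    if has_directive "$dump" 'ssl_(ocsp|stapling)_responder' 'https://[^;[:space:]]+'; then
        echo 'FINDING: OCSP responder URL uses https://; NGINX supports only http://'
        findings=$((findings + 1))
    fi
    # A responder named by hostname needs a resolver directive, or NGINX
    # logs "no resolver defined" and never sends the OCSP request.
    if has_directive "$dump" 'ssl_(ocsp|stapling)_responder' 'http://[^;[:space:]]+' &&
       ! has_directive "$dump" resolver '[^;]+'; then
        echo 'WARNING: OCSP responder is set but no "resolver" directive is configured'
    fi
    return "$findings"
}

# Constructed sample configurations for the demonstration.
DEMO_DIR=$(mktemp -d)
COMPLIANT_CONF="$DEMO_DIR/compliant.conf"
NONCOMPLIANT_CONF="$DEMO_DIR/noncompliant.conf"
cat > "$COMPLIANT_CONF" <<'EOF'
http {
    resolver 192.0.2.53;
    server {
        listen 443 ssl;
        ssl_certificate /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;
        ssl_client_certificate /etc/nginx/ssl/ca.crt;
        ssl_verify_client on;
        ssl_ocsp on;
        ssl_ocsp_responder http://ocsp.disa.mil;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_stapling_file /etc/nginx/ssl/ocsp_cache.pem;
    }
}
EOF
cat > "$NONCOMPLIANT_CONF" <<'EOF'
http {
    server {
        listen 443 ssl;
        ssl_client_certificate /etc/nginx/ssl/ca.crt;
        ssl_verify_client optional;
        # ssl_ocsp on;   commented out, so it does not count
        ssl_ocsp_responder https://ocsp.disa.mil;
        ssl_stapling on;
    }
}
EOF

for conf in "$COMPLIANT_CONF" "$NONCOMPLIANT_CONF"; do
    echo "== $conf"
    nginx_ocsp_audit "$conf" || echo "$? finding(s)"
done
```

On a real host, replace the sample files with `nginx -T > /tmp/nginx.dump` and call `nginx_ocsp_audit /tmp/nginx.dump`; a non-zero exit status means at least one finding. The comment stripping matters: a directive that is only present in a commented-out line is correctly treated as absent, which a naive `grep ssl_ocsp` would miss.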