NGINX must generate, manage, and protect from disclosure and misuse the cryptographic keys that protect access tokens.

Severity: medium
Group ID: V-278410
Group Title: SRG-APP-000965
Version: NGNX-APP-003220
Rule ID: SV-278410r1172694_rule
Date: 2026-01-07
STIG Version: 1
Description
Identity assertions and access tokens are typically digitally signed. The private keys used to sign these assertions and tokens are protected commensurate with the impact of the system and information resources that can be accessed. Satisfies: SRG-APP-000965, SRG-APP-000970
Check

Check SSL/TLS certificate and private key file permissions:

# ls -la /home/ubuntu/nginx.com.crt
# ls -la /home/ubuntu/nginx.com.key

Verify:
- Certificate file permissions are 644 or more restrictive.
- Private key file permissions are 600 or more restrictive.
- Files are owned by the nginx user or root.
- Files are not world-readable or group-writable.

If these permissions are not set, this is a finding.

Verify certificate validity and strength:

# openssl x509 -in /home/ubuntu/nginx.com.crt -text -noout

Verify:
- Certificate is not expired.
- Uses an RSA key length of 2048 bits minimum or ECDSA P-256 minimum.
- Signature algorithm is SHA-256 or stronger (not SHA-1 or MD5).
- Certificate chain is complete and valid.

If these values are not met, this is a finding.

Verify private key strength and protection:

# openssl rsa -in /home/ubuntu/nginx.com.key -text -noout -check

Verify:
- Key length is 2048 bits minimum.
- Key is not encrypted with weak algorithms.
- Key passes integrity check.

If these key values are not set, this is a finding.
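The permission and certificate-strength rules in the Check section, written as an added audit script (example code, not the STIG's or NGINX's own tooling). The rules from the check become functions that return findings instead of output a reviewer reads by eye: audit_file applies the "644/600 or more restrictive, owned by root or nginx" rule using os.stat, and audit_certificate applies the expiry, signature-hash and key-size rules to the text that `openssl x509 -text -noout` prints. The file paths, the allowed-owner names and SAMPLE_X509_TEXT are constructed for illustration; the script only shells out to openssl when run as a program.

```python
"""Audit NGINX TLS key material against the rules in the Check section.
Added example, not code from the STIG or from NGINX. File paths, the
allowed-owner names and SAMPLE_X509_TEXT are constructed for illustration."""
import os
import pwd
import re
import stat
import subprocess
from datetime import datetime, timezone

WEAK_SIGNATURE = re.compile(r"md2|md5|sha1", re.IGNORECASE)


def audit_file(path, max_mode, allowed_owners=("root", "nginx")):
    """Mode/ownership rules: 644 (cert) or 600 (key) 'or more restrictive',
    owned by root or the nginx user. Returns a list of finding strings."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    # "Or more restrictive" means no permission bit may be set that max_mode
    # lacks; this also rejects group-writable and (for the key) world-readable.
    if mode & ~max_mode & 0o777:
        findings.append(f"{path}: mode {mode:03o} is looser than {max_mode:03o}")
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    if owner not in allowed_owners:
        findings.append(f"{path}: owned by {owner}, expected one of {allowed_owners}")
    return findings


def parse_x509_text(text):
    """Extract the fields the check cares about from `openssl x509 -text -noout`."""
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    alg = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    not_after = re.search(r"Not After\s*:\s*(.+?)\s+GMT", text)
    expiry = None
    if not_after:
        expiry = datetime.strptime(not_after.group(1), "%b %d %H:%M:%S %Y")
        expiry = expiry.replace(tzinfo=timezone.utc)
    return {
        "signature_algorithm": sig.group(1) if sig else None,
        "key_algorithm": alg.group(1) if alg else None,
        "key_bits": int(bits.group(1)) if bits else None,
        "not_after": expiry,
    }


def audit_certificate(text, now, min_rsa_bits=2048, min_ec_bits=256):
    """Expiry, signature-hash and key-size rules from the check, as findings."""
    info = parse_x509_text(text)
    findings = []
    if info["not_after"] is None or info["not_after"] <= now:
        findings.append("certificate is expired or has no validity period")
    sig = info["signature_algorithm"] or ""
    if not sig or WEAK_SIGNATURE.search(sig):
        findings.append(f"weak or missing signature algorithm: {sig!r}")
    bits = info["key_bits"] or 0
    alg = info["key_algorithm"] or ""
    if alg == "rsaEncryption" and bits < min_rsa_bits:
        findings.append(f"RSA key is {bits} bits, minimum {min_rsa_bits}")
    elif alg == "id-ecPublicKey" and bits < min_ec_bits:
        findings.append(f"EC key is {bits} bits, minimum {min_ec_bits}")
    elif alg not in ("rsaEncryption", "id-ecPublicKey"):
        findings.append(f"unrecognised public key algorithm: {alg!r}")
    return findings


def openssl_x509_text(cert_path):
    """Run the same command the check uses and return its output for parsing."""
    return subprocess.run(
        ["openssl", "x509", "-in", cert_path, "-text", "-noout"],
        check=True, capture_output=True, text=True,
    ).stdout


# Constructed sample of `openssl x509 -text -noout` output, not a real certificate.
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Example Internal CA
        Validity
            Not Before: Jan  1 00:00:00 2026 GMT
            Not After : Jan  1 00:00:00 2028 GMT
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
"""

if __name__ == "__main__":
    import sys
    # Usage: python audit_tls.py /etc/nginx/ssl/nginx.com.crt /etc/nginx/ssl/nginx.com.key
    cert_path, key_path = sys.argv[1], sys.argv[2]
    findings = audit_file(cert_path, 0o644) + audit_file(key_path, 0o600)
    findings += audit_certificate(openssl_x509_text(cert_path), datetime.now(timezone.utc))
    for finding in findings:
        print("FINDING:", finding)
    sys.exit(1 if findings else 0)
```

A non-zero exit with one line per finding makes the check usable from a compliance scanner or cron job. The `openssl rsa ... -check` step of the check is RSA-specific; for an ECDSA key the equivalent integrity check is `openssl ec -in <key> -check`, which this script does not wrap.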
Fix

Set proper file permissions for the SSL certificate and private key:

# chmod 644 /home/ubuntu/nginx.com.crt
# chmod 600 /home/ubuntu/nginx.com.key
# chown nginx:nginx /home/ubuntu/nginx.com.crt
# chown nginx:nginx /home/ubuntu/nginx.com.key

Move the certificate and key to a secure location:

# mkdir -p /etc/nginx/ssl
# mv /home/ubuntu/nginx.com.* /etc/nginx/ssl/
# chmod 700 /etc/nginx/ssl

Update the NGINX configuration to use the secure certificate location:

server {
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/nginx.com.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.com.key;
    ssl_session_cache shared:SSL:10m;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
}

Generate strong DH parameters if not present:

# openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
# chmod 644 /etc/nginx/ssl/dhparam.pem