Only authenticated system administrators or the designated PKI Sponsor for the web server must have access to the web servers private key.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-206389	SRG-APP-000176-WSR-000096	SV-206389r961041_rule		Medium

Description

The web server's private key is used to prove the identity of the server to clients and securely exchange the shared secret key used to encrypt communications between the web server and clients. By gaining access to the private key, an attacker can pretend to be an authorized server and decrypt the SSL traffic between a client and the web server.

STIG	Date
Web Server Security Requirements Guide	2025-02-12

Details

Check Text (C-6650r377759_chk)

If the web server does not have a private key, this is N/A.

Review the web server documentation and deployed configuration to determine whether only authenticated system administrators and the designated PKI Sponsor for the web server can access the web server private key.

If the private key is accessible by unauthenticated or unauthorized users, this is a finding.

Fix Text (F-6650r377760_fix)

Configure the web server to ensure only authenticated and authorized users can access the web server's private key.