WG350 IIS6 - A private web server must have a valid server certificate.

Information

This check verifies that the server certificate is actually a DoD-issued certificate used by the organization being reviewed. The certificate is what lets a user verify the authenticity of the web site. If the certificate was not issued by the DoD, or if it has expired, there is no assurance that the certificate is valid, and the entire purpose of using a certificate is therefore defeated.

NOTE: Nessus Plugin 'SSL Certificate Information' (ID 10863) will output the certificate information if the plugin is enabled in the policy.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Configure the private web site to use a valid DoD certificate.

See Also

http://iasecontent.disa.mil/stigs/zip/July2015/U_IIS_6-0_V6R16_STIG.zip

Item Details

References: CAT|II, Rule-ID|SV-38080r1_rule, STIG-ID|WG350_IIS6, Vuln-ID|V-2263

Plugin: Windows

Control ID: fd55c4ccda8703b5679cb2c62bb41008cfcde911a5797395f737dc624155e21d