1.1.72 Ensure 'Specify if online OCSP/CRL checks are required for local trust anchors' is set to 'Enabled'

Information

This policy setting controls whether online certificate revocation checks (OCSP/CRL) are required and if a check online is not possible the certificate will be treated as though it is revoked.

The recommended state for this is Enabled.

Rationale:

Certificates should always be validated, not doing so could potentially allow a revoked certificate being used to give a false sense of a secure connection.

Impact:

If Microsoft Edge is not able to obtain a revocation status, the certificate will be treated as though it is revoked, therefore the website will not be loaded.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled

Computer Configuration\Policies\Administrative Templates\Microsoft Edge\Specify if online OCSP/CRL checks are required for local trust anchors

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSEdge.admx/adml that can be downloaded from Microsoft here.

Default Value:

Disabled

See Also

https://workbench.cisecurity.org/files/3907

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv7|5.1

Plugin: Windows

Control ID: 245920a6f4a5554dbfed1bdb5cbe885d89f1d8a5dba5834537cc927acd9ca336