5.6 Enable OCSP and CRL certificate checking - CRLStyle

Information

A rogue or compromised certificate should not be trsuted

Solution

Run the following commands to enforce the compliant state To set the CRL settings:
defaults write com.apple.security.revocation CRLStyle -string RequireIfPresent
To set the OCSP settings:
defaults write com.apple.security.revocation OCSPStyle -string RequireIfPresent

See Also

https://workbench.cisecurity.org/files/300

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(2)(a)

Plugin: Unix

Control ID: 8bad50d337beb3c3875d6849739ff82525b508f567a2bf8fbbd71698ab1180c7