5.6 Enable OCSP and CRL certificate checking - OCSPStyle

Information

A rogue or compromised certificate should not be trsuted

Solution

Run the following commands to enforce the compliant state To set the CRL settings:
defaults write com.apple.security.revocation CRLStyle -string RequireIfPresent
To set the OCSP settings:
defaults write com.apple.security.revocation OCSPStyle -string RequireIfPresent

See Also

https://workbench.cisecurity.org/files/301

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(2)(a)

Plugin: Unix

Control ID: 9bec56deb3acba7af34039d267d0d6c5a86ba21a8d746416e70bd81910e653ab