| AIX7-00-003004 - AIX SSH private host key files must have mode 0600 or less permissive. | DISA STIG AIX 7.x v3r1 | Unix | IDENTIFICATION AND AUTHENTICATION |
| AOSX-14-003002 - The macOS system must enable certificate for smartcards. | DISA STIG Apple Mac OSX 10.14 v2r6 | Unix | IDENTIFICATION AND AUTHENTICATION |
| APPL-12-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | DISA STIG Apple macOS 12 v1r9 | Unix | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| APPNET0048 - Developer certificates used with the .NET Publisher Membership Condition must be approved by the ISSO. | DISA STIG for Microsoft Dot Net Framework 4.0 v2r4 | Windows | IDENTIFICATION AND AUTHENTICATION |
| APPNET0052 - Encryption keys used for the .NET Strong Name Membership Condition must be protected. | DISA STIG for Microsoft Dot Net Framework 4.0 v2r4 | Windows | IDENTIFICATION AND AUTHENTICATION |
| AS24-U2-000380 - The Apache web server must perform RFC 5280-compliant certification path validation. | DISA STIG Apache Server 2.4 Unix Site v2r6 | Unix | IDENTIFICATION AND AUTHENTICATION |
| AS24-U2-000380 - The Apache web server must perform RFC 5280-compliant certification path validation. | DISA STIG Apache Server 2.4 Unix Site v2r6 Middleware | Unix | IDENTIFICATION AND AUTHENTICATION |
| AS24-W2-000390 - Only authenticated system administrators or the designated PKI Sponsor for the Apache web server must have access to the Apache web servers private key. | DISA STIG Apache Server 2.4 Windows Site v2r2 | Windows | IDENTIFICATION AND AUTHENTICATION |
| Big Sur - Enforce Smartcard Authentication | NIST macOS Big Sur v1.4.0 - 800-171 | Unix | IDENTIFICATION AND AUTHENTICATION |
| Big Sur - Enforce Smartcard Authentication | NIST macOS Big Sur v1.4.0 - 800-53r4 Low | Unix | IDENTIFICATION AND AUTHENTICATION |
| Big Sur - Enforce Smartcard Authentication | NIST macOS Big Sur v1.4.0 - 800-53r4 Moderate | Unix | IDENTIFICATION AND AUTHENTICATION |
| Big Sur - Enforce Smartcard Authentication | NIST macOS Big Sur v1.4.0 - CNSSI 1253 | Unix | IDENTIFICATION AND AUTHENTICATION |
| BIND-9X-001110 - The TSIG keys used with the BIND 9.x implementation must be owned by a privileged account. | DISA BIND 9.x STIG v2r3 | Unix | IDENTIFICATION AND AUTHENTICATION |
| BIND-9X-001111 - The TSIG keys used with the BIND 9.x implementation must be group owned by a privileged account. | DISA BIND 9.x STIG v2r3 | Unix | IDENTIFICATION AND AUTHENTICATION |
| BIND-9X-001150 - The BIND 9.x server signature generation using the KSK must be done off-line, using the KSK-private key stored off-line. | DISA BIND 9.x STIG v2r3 | Unix | IDENTIFICATION AND AUTHENTICATION |
| DKER-EE-002410 - Docker Enterprise secret management commands must be used for managing secrets in a Swarm cluster. | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | IDENTIFICATION AND AUTHENTICATION |
| DTBC-0037 - Online revocation checks must be performed. | DISA STIG Google Chrome v2r9 | Windows | IDENTIFICATION AND AUTHENTICATION |
| EP11-00-004500 - The EDB Postgres Advanced Server, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation. | EDB PostgreSQL Advanced Server v11 Windows OS Audit v2r4 | Windows | IDENTIFICATION AND AUTHENTICATION |
| F5BI-LT-000083 - The BIG-IP Core implementation must be configured to validate certificates used for TLS functions for connections to virtual servers by constructing a certification path (which includes status information) to an accepted trust anchor. | DISA F5 BIG-IP Local Traffic Manager STIG v2r4 | F5 | IDENTIFICATION AND AUTHENTICATION |
| F5BI-LT-000203 - The BIG-IP Core implementation must be configured to deny-by-default all PKI-based authentication to virtual servers supporting path discovery and validation if unable to access revocation information via the network. | DISA F5 BIG-IP Local Traffic Manager STIG v2r4 | F5 | IDENTIFICATION AND AUTHENTICATION |
| GEN008000 - If the system is using LDAP for authentication or account information, certificates used to authenticate to the LDAP server must be provided from DoD PKI or a DoD-approved external PKI - 'manual cert check' | DISA STIG for Oracle Linux 5 v2r1 | Unix | IDENTIFICATION AND AUTHENTICATION |
| GEN008020 - If the system is using LDAP for authentication or account information, the LDAP TLS connection must require the server provide a certificate with a valid trust path to a trusted CA. | DISA STIG for Oracle Linux 5 v2r1 | Unix | IDENTIFICATION AND AUTHENTICATION |
| GEN008040 - If the system is using LDAP for authentication or account information, the system must verify the LDAP servers certificate has not been revoked. | DISA STIG for Oracle Linux 5 v2r1 | Unix | IDENTIFICATION AND AUTHENTICATION |
| IIST-SV-000129 - The IIS 10.0 web server must perform RFC 5280-compliant certification path validation. | DISA IIS 10.0 Server v2r10 | Windows | IDENTIFICATION AND AUTHENTICATION |
| IISW-SV-000129 - The IIS 8.5 web server must perform RFC 5280-compliant certification path validation. | DISA IIS 8.5 Server v2r7 | Windows | IDENTIFICATION AND AUTHENTICATION |
| JBOS-AS-000320 - The JBoss server must be configured to restrict access to the web servers private key to authenticated system administrators. | DISA JBoss EAP 6.3 STIG v2r6 | Unix | IDENTIFICATION AND AUTHENTICATION |
| JRE8-WN-000150 - Oracle JRE 8 must enable the dialog to enable users to check publisher certificates for revocation - deployment.security.validation.crl.locked | DISA STIG Oracle JRE 8 Windows v2r1 | Windows | IDENTIFICATION AND AUTHENTICATION |
| JRE8-WN-000160 - Oracle JRE 8 must lock the option to enable users to check publisher certificates for revocation - eployment.security.revocation.check.locked | DISA STIG Oracle JRE 8 Windows v2r1 | Windows | IDENTIFICATION AND AUTHENTICATION |
| O112-C2-015300 - The DBMS, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor. | DISA STIG Oracle 11.2g v2r5 Windows | Windows | IDENTIFICATION AND AUTHENTICATION |
| O121-C2-015300 - The DBMS, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor. | DISA STIG Oracle 12c v3r2 Database | OracleDB | IDENTIFICATION AND AUTHENTICATION |
| O121-C2-015501 - Oracle Database must map the PKI-authenticated identity to an associated user account - services, applications, etc. that connect to the DBMS independently of individual users, must use valid, current DoD approved PKI certificates for authentication to the DBMS. | DISA STIG Oracle 12c v3r2 Database | OracleDB | IDENTIFICATION AND AUTHENTICATION |
| OH12-1X-000246 - OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to perform RFC 5280-compliant certification path validation - SSLProtocol | DISA STIG Oracle HTTP Server 12.1.3 v2r3 | Unix | IDENTIFICATION AND AUTHENTICATION |
| OH12-1X-000248 - OHS must have the SSLVerifyClient directive set within each SSL-enabled VirtualHost directive to perform RFC 5280-compliant certification path validation. | DISA STIG Oracle HTTP Server 12.1.3 v2r3 | Unix | IDENTIFICATION AND AUTHENTICATION |
| OH12-1X-000249 - OHS must have the SSLCARevocationFile and SSLCRLCheck directives within each SSL-enabled VirtualHost directive set to perform RFC 5280-compliant certification path validation when using single certification revocation - SSLCARevocationFile | DISA STIG Oracle HTTP Server 12.1.3 v2r3 | Unix | IDENTIFICATION AND AUTHENTICATION |
| OH12-1X-000249 - OHS must have the SSLCARevocationFile and SSLCRLCheck directives within each SSL-enabled VirtualHost directive set to perform RFC 5280-compliant certification path validation when using single certification revocation - SSLCRLCheck | DISA STIG Oracle HTTP Server 12.1.3 v2r3 | Unix | IDENTIFICATION AND AUTHENTICATION |
| OH12-1X-000250 - OHS must have SSLCARevocationPath and SSLCRLCheck directives within each SSL-enabled VirtualHost directive set to perform RFC 5280-compliant certification path validation when using multiple certification revocation - SSLCARevocationPath | DISA STIG Oracle HTTP Server 12.1.3 v2r3 | Unix | IDENTIFICATION AND AUTHENTICATION |
| PGS9-00-010200 - PostgreSQL must enforce authorized access to all PKI private keys stored/utilized by PostgreSQL. | DISA STIG PostgreSQL 9.x on RHEL OS v2r5 | Unix | IDENTIFICATION AND AUTHENTICATION |
| UBTU-18-010426 - The Ubuntu operating system must map the authenticated identity to the user or group account for PKI-based authentication. | DISA STIG Ubuntu 18.04 LTS v2r15 | Unix | IDENTIFICATION AND AUTHENTICATION |
| WBLC-05-000172 - Oracle WebLogic, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor - Secure Listen Port | Oracle WebLogic Server 12c Linux v2r2 | Unix | IDENTIFICATION AND AUTHENTICATION |
| WBLC-05-000172 - Oracle WebLogic, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor - Unsecure Listen Port | Oracle WebLogic Server 12c Linux v2r2 | Unix | IDENTIFICATION AND AUTHENTICATION |
| WBLC-05-000172 - Oracle WebLogic, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor - Unsecure Listen Port | Oracle WebLogic Server 12c Linux v2r2 Middleware | Unix | IDENTIFICATION AND AUTHENTICATION |
| WBLC-05-000174 - Oracle WebLogic must map the PKI-based authentication identity to the user account. | Oracle WebLogic Server 12c Windows v2r2 | Windows | IDENTIFICATION AND AUTHENTICATION |
| WBLC-05-000174 - Oracle WebLogic must map the PKI-based authentication identity to the user account. | Oracle WebLogic Server 12c Linux v2r2 | Unix | IDENTIFICATION AND AUTHENTICATION |
| WBLC-05-000174 - Oracle WebLogic must map the PKI-based authentication identity to the user account. | Oracle WebLogic Server 12c Linux v2r2 Middleware | Unix | IDENTIFICATION AND AUTHENTICATION |
| WBSP-AS-001110 - WebSphere Application Server must authenticate all network-connected endpoint devices before establishing any connection | DISA IBM WebSphere Traditional 9 STIG v1r1 Middleware | Unix | IDENTIFICATION AND AUTHENTICATION |
| WN10-PK-000010 - The External Root CA certificates must be installed in the Trusted Root Store on unclassified systems. | DISA Microsoft Windows 10 STIG v3r4 | Windows | IDENTIFICATION AND AUTHENTICATION |
| WN16-DC-000280 - Domain controllers must have a PKI server certificate. | DISA Microsoft Windows Server 2016 STIG v2r10 | Windows | IDENTIFICATION AND AUTHENTICATION |
| WN19-SO-000350 - Windows Server 2019 users must be required to enter a password to access private keys stored on the computer. | DISA Microsoft Windows Server 2019 STIG v3r4 | Windows | IDENTIFICATION AND AUTHENTICATION |
| WN22-PK-000010 - Windows Server 2022 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store. | DISA Microsoft Windows Server 2022 STIG v2r4 | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| WN22-PK-000020 - Windows Server 2022 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems. | DISA Microsoft Windows Server 2022 STIG v2r4 | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
