800-53|SC-23(5)

Title

ALLOWED CERTIFICATE AUTHORITIES

Description

The information system only allows the use of [Assignment: organization-defined certificate authorities] for verification of the establishment of protected sessions.

Supplemental

Reliance on certificate authorities (CAs) for the establishment of secure sessions includes, for example, the use of Secure Socket Layer (SSL) and/or Transport Layer Security (TLS) certificates. These certificates, after verification by the respective certificate authorities, facilitate the establishment of protected sessions between web clients and web servers.

Reference Item Details

Related: SC-13

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Parent Title: SESSION AUTHENTICITY

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Audit Items

View all Reference Audit Items

NamePluginAudit Name
2.17 Ensure 'Require online OCSP/CRL checks for local trust anchors' is set to 'Enabled'WindowsCIS Google Chrome L2 v2.1.0
5.3.10 Ensure certificate status checking for PKI authentication.UnixCIS Amazon Linux 2 STIG v1.0.0 L3
5.5 Set 'Prevent ignoring certificate errors' to 'Enabled'WindowsCIS IE 10 v1.1.0
5.5 Set 'Prevent ignoring certificate errors' to 'Enabled'WindowsCIS IE 11 v1.0.0
5.08 OAS - 'Oracle Wallet Trusted Certificates - Remove certificate authorities (CAs) that are not required.'UnixCIS v1.1.0 Oracle 11g OS L2
AADC-CL-000990 - Adobe Acrobat Pro DC Classic periodic downloading of Adobe European certificates must be disabled.WindowsDISA STIG Adobe Acrobat Pro DC Classic Track v2r1
AADC-CL-001320 - Adobe Acrobat Pro DC Classic Periodic downloading of Adobe certificates must be disabled.WindowsDISA STIG Adobe Acrobat Pro DC Classic Track v2r1
AADC-CN-000990 - Adobe Acrobat Pro DC Continuous periodic downloading of Adobe European certificates must be disabled.WindowsDISA STIG Adobe Acrobat Pro DC Continuous Track v2r1
AADC-CN-001320 - Adobe Acrobat Pro DC Continuous Periodic downloading of Adobe certificates must be disabled.WindowsDISA STIG Adobe Acrobat Pro DC Continuous Track v2r1
ADBP-XI-000990 - Adobe Acrobat Pro XI periodic downloading of Adobe European certificates must be disabled.WindowsDISA STIG ADOBE ACROBAT PROFESSIONAL (PRO) XI v1r2
ADBP-XI-001320 - Adobe Acrobat Pro XI Periodic downloading of Adobe certificates must be disabled.WindowsDISA STIG ADOBE ACROBAT PROFESSIONAL (PRO) XI v1r2
AIX7-00-001105 - AIX must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions - Certificate IssuerUnixDISA STIG AIX 7.x v2r6
AIX7-00-001105 - AIX must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions - ldapsslkeyfUnixDISA STIG AIX 7.x v2r6
AIX7-00-001105 - AIX must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions - useSSLUnixDISA STIG AIX 7.x v2r6
ARDC-CL-000330 - Adobe Reader DC must disable periodical uploading of European certificates.WindowsDISA STIG Adobe Acrobat Reader DC Classic Track v2r1
ARDC-CL-000335 - Adobe Reader DC must disable periodical uploading of Adobe certificates.WindowsDISA STIG Adobe Acrobat Reader DC Classic Track v2r1
ARDC-CN-000330 - Adobe Reader DC must disable periodical uploading of European certificates.WindowsDISA STIG Adobe Acrobat Reader DC Continuous Track v2r1
ARDC-CN-000335 - Adobe Reader DC must disable periodical uploading of Adobe certificates.WindowsDISA STIG Adobe Acrobat Reader DC Continuous Track v2r1
AS24-U1-000030 - The Apache web server must use cryptography to protect the integrity of remote sessions - ssl_moduleUnixDISA STIG Apache Server 2.4 Unix Server v2r5
AS24-U1-000030 - The Apache web server must use cryptography to protect the integrity of remote sessions - ssl_moduleUnixDISA STIG Apache Server 2.4 Unix Server v2r5 Middleware
AS24-U1-000030 - The Apache web server must use cryptography to protect the integrity of remote sessions - SSLProtocolUnixDISA STIG Apache Server 2.4 Unix Server v2r5
AS24-U1-000030 - The Apache web server must use cryptography to protect the integrity of remote sessions - SSLProtocolUnixDISA STIG Apache Server 2.4 Unix Server v2r5 Middleware
AS24-U2-000810 - The Apache web server must only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).UnixDISA STIG Apache Server 2.4 Unix Site v2r2
AS24-U2-000810 - The Apache web server must only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).UnixDISA STIG Apache Server 2.4 Unix Site v2r2 Middleware
AS24-W1-000800 - The Apache web server must only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).WindowsDISA STIG Apache Server 2.4 Windows Server v2r2
AS24-W2-000800 - The Apache web server must only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).WindowsDISA STIG Apache Server 2.4 Windows Site v2r1
Big Sur - Set Smartcard Certificate Trust to ModerateUnixNIST macOS Big Sur v1.4.0 - CNSSI 1253
Big Sur - Set Smartcard Certificate Trust to ModerateUnixNIST macOS Big Sur v1.4.0 - 800-53r4 Moderate
Big Sur - Set Smartcard Certificate Trust to ModerateUnixNIST macOS Big Sur v1.4.0 - All Profiles
Big Sur - Set Smartcard Certificate Trust to ModerateUnixNIST macOS Big Sur v1.4.0 - 800-53r5 Moderate
Catalina - Set Smartcard Certificate Trust to ModerateUnixNIST macOS Catalina v1.5.0 - CNSSI 1253
Catalina - Set Smartcard Certificate Trust to ModerateUnixNIST macOS Catalina v1.5.0 - 800-53r5 Moderate
Catalina - Set Smartcard Certificate Trust to ModerateUnixNIST macOS Catalina v1.5.0 - 800-53r4 Moderate
Catalina - Set Smartcard Certificate Trust to ModerateUnixNIST macOS Catalina v1.5.0 - All Profiles
DKER-EE-003920 - Universal Control Plane (UCP) must be integrated with a trusted certificate authority (CA) in Docker Enterprise.UnixDISA STIG Docker Enterprise 2.x Linux/Unix UCP v2r1
DKER-EE-003930 - Docker Trusted Registry (DTR) must be integrated with a trusted certificate authority (CA) in Docker Enterprise.UnixDISA STIG Docker Enterprise 2.x Linux/Unix DTR v2r1
DTBI1075-IE11 - Prevent ignoring certificate errors option must be enabled.WindowsDISA STIG IE 11 v2r2
EP11-00-009100 - The EDB Postgres Advanced Server must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.WindowsEDB PostgreSQL Advanced Server v11 Windows OS Audit v2r1
ESXI-06-300040 - The VMM must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.VMwareDISA STIG VMware vSphere 6.x ESXi v1r5
ESXI-67-000040 - The ESXi host must use multifactor authentication for local DCUI access to privileged accounts.VMwareDISA STIG VMware vSphere 6.7 ESXi v1r2
F5BI-LT-000213 - The BIG-IP Core implementation must be configured to only allow the use of DoD-approved PKI-established certificate authorities for verification of the establishment of protected sessions.F5DISA F5 BIG-IP Local Traffic Manager 11.x STIG v2r1
IIST-SI-000220 - A private IIS 10.0 website authentication mechanism must use client certificates to transmit session identifier to assure integrity.WindowsDISA IIS 10.0 Site v2r5
IIST-SI-000241 - The IIS 10.0 website must only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).WindowsDISA IIS 10.0 Site v2r5
IISW-SI-000220 - A private websites authentication mechanism must use client certificates to transmit session identifier to assure integrity.WindowsDISA IIS 8.5 Site v2r5
IISW-SI-000241 - The IIS 8.5 private website have a server certificate issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).WindowsDISA IIS 8.5 Site v2r5
JBOS-AS-000625 - JBoss must be configured to use DoD PKI-established certificate authorities for verification of the establishment of protected sessions.UnixDISA RedHat JBoss EAP 6.3 STIG v2r3
MD3X-00-000730 - MongoDB must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.UnixDISA STIG MongoDB Enterprise Advanced 3.x v2r1 OS
MD4X-00-005800 - MongoDB must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.UnixDISA STIG MongoDB Enterprise Advanced 4.x v1r1 OS
Monterey - Set Smartcard Certificate Trust to ModerateUnixNIST macOS Monterey v1.0.0 - All Profiles
MYS8-00-011900 - The MySQL Database Server 8.0 must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.UnixDISA Oracle MySQL 8.0 v1r2 OS Linux