CCI|CCI-000185

Title

The information system, for PKI-based authentication, validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information.

Reference Item Details

Category: 2009

Audit Items

| Name | Plugin | Audit Name |
| --- | --- | --- |
| AIX7-00-001006 - If the AIX system is using LDAP for authentication or account information, the LDAP SSL, or TLS connection must require the server provide a certificate and this certificate must have a valid path to a trusted CA - Certificate Issuer | Unix | DISA STIG AIX 7.x v2r9 |
| AIX7-00-001006 - If the AIX system is using LDAP for authentication or account information, the LDAP SSL, or TLS connection must require the server provide a certificate and this certificate must have a valid path to a trusted CA - ldapsslkeyf | Unix | DISA STIG AIX 7.x v2r9 |
| AIX7-00-001006 - If the AIX system is using LDAP for authentication or account information, the LDAP SSL, or TLS connection must require the server provide a certificate and this certificate must have a valid path to a trusted CA - useSSL | Unix | DISA STIG AIX 7.x v2r9 |
| AOSX-13-000750 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple Mac OSX 10.13 v2r5 |
| AOSX-14-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple Mac OSX 10.14 v2r6 |
| AOSX-15-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple Mac OSX 10.15 v1r10 |
| APPL-11-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple macOS 11 v1r5 |
| APPL-11-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple macOS 11 v1r8 |
| APPL-12-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple macOS 12 v1r8 |
| APPL-13-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple macOS 13 v1r3 |
| APPNET0031 - Digital signatures assigned to strongly named assemblies must be verified. | Windows | DISA STIG for Microsoft Dot Net Framework 4.0 v2r2 |
| APPNET0046 - The Trust Providers Software Publishing State must be set to 0x23C00. | Windows | DISA STIG for Microsoft Dot Net Framework 4.0 v2r2 |
| APPNET0048 - Developer certificates used with the .NET Publisher Membership Condition must be approved by the IAO. | Windows | DISA STIG for Microsoft Dot Net Framework 4.0 v2r2 |
| APPNET0063 - .NET must be configured to validate strong names on full-trust assemblies - Wow6432Node | Windows | DISA STIG for Microsoft Dot Net Framework 4.0 v2r2 |
| APPNET0063 - .NET must be configured to validate strong names on full-trust assemblies. | Windows | DISA STIG for Microsoft Dot Net Framework 4.0 v2r2 |
| AS24-U2-000380 - The Apache web server must perform RFC 5280-compliant certification path validation | Unix | DISA STIG Apache Server 2.4 Unix Site v2r4 Middleware |
| AS24-U2-000380 - The Apache web server must perform RFC 5280-compliant certification path validation | Unix | DISA STIG Apache Server 2.4 Unix Site v2r4 |
| AS24-W1-000380 - The Apache web server must perform RFC 5280-compliant certification path validation. | Windows | DISA STIG Apache Server 2.4 Windows Server v2r3 |
| AS24-W2-000380 - The Apache web server must perform RFC 5280-compliant certification path validation - SSLVerifyClient | Windows | DISA STIG Apache Server 2.4 Windows Site v2r1 |
| AS24-W2-000380 - The Apache web server must perform RFC 5280-compliant certification path validation - SSLVerifyDepth | Windows | DISA STIG Apache Server 2.4 Windows Site v2r1 |
| Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 High |
| Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - All Profiles |
| Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 High |
| Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - CNSSI 1253 |
| Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Moderate |
| Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 Moderate |
| CASA-VN-000120 - The Cisco ASA must be configured to validate certificates via a trustpoint that identifies a DoD or DoD-approved certificate authority. | Cisco | DISA STIG Cisco ASA VPN v1r3 |
| CASA-VN-000730 - The Cisco ASA VPN remote access server must be configured to validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation - ipsec-client | Cisco | DISA STIG Cisco ASA VPN v1r3 |
| CASA-VN-000730 - The Cisco ASA VPN remote access server must be configured to validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation - ssl-client | Cisco | DISA STIG Cisco ASA VPN v1r3 |
| Catalina - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 Moderate |
| Catalina - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Catalina v1.5.0 - 800-53r4 Moderate |
| Catalina - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Catalina v1.5.0 - All Profiles |
| Catalina - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 High |
| Catalina - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Catalina v1.5.0 - CNSSI 1253 |
| Catalina - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Catalina v1.5.0 - 800-53r4 High |
| DKER-EE-006190 - Docker Enterprise Universal Control Plane (UCP) must be integrated with a trusted certificate authority (CA). | Unix | DISA STIG Docker Enterprise 2.x Linux/Unix UCP v2r1 |
| DTBC-0037 - Online revocation checks must be performed. | Windows | DISA STIG Google Chrome v2r9 |
| DTBI018-IE11 - Check for publishers certificate revocation must be enforced. | Windows | DISA STIG IE 11 v2r4 |
| DTBI365-IE11 - Checking for server certificate revocation must be enforced. | Windows | DISA STIG IE 11 v2r4 |
| DTOO265 - Outlook - Warning about invalid signatures must be enforced. | Windows | DISA STIG Office 2010 Outlook v1r13 |
| DTOO265 - Warning about invalid signatures must be enforced. | Windows | DISA STIG Microsoft Outlook 2013 v1r13 |
| DTOO267 - Outlook - Retrieving of CRL data must be set for online action. | Windows | DISA STIG Office 2010 Outlook v1r13 |
| DTOO267 - Retrieving of CRL data must be set for online action. | Windows | DISA STIG Microsoft Outlook 2013 v1r13 |
| DTOO267 - Retrieving of CRL data must be set for online action. | Windows | DISA STIG Microsoft Outlook 2016 v2r3 |
| DTOO268 - Missing Root Certificates warning must be enforced. | Windows | DISA STIG Microsoft Outlook 2013 v1r13 |
| DTOO268 - Outlook - Missing Root Certificates warning must be enforced. | Windows | DISA STIG Office 2010 Outlook v1r13 |
| EDGE-00-000030 - Online revocation checks must be performed. | Windows | DISA STIG Edge v1r7 |
| EP11-00-004500 - The EDB Postgres Advanced Server, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation. | Windows | EDB PostgreSQL Advanced Server v11 Windows OS Audit v2r2 |
| F5BI-AP-000232 - The F5 BIG-IP appliance must configure OCSP to ensure revoked user credentials are prohibited from establishing an allowed session. | F5 | DISA F5 BIG-IP Access Policy Manager STIG v2r3 |
| F5BI-AP-000233 - The F5 BIG-IP appliance must configure OCSP to ensure revoked machine credentials are prohibited from establishing an allowed session. | F5 | DISA F5 BIG-IP Access Policy Manager STIG v2r3 |