CCI-000185
CCI
CCI|CCI-000185
Title: The information system, for PKI-based authentication, validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information.
Reference Item Details
Reference: CCI - DISA Control Correlation Identifier
Category: 2009
Audit Items
| Name | Plugin | Audit Name |
| --- | --- | --- |
| AIX7-00-001006 - If the AIX system is using LDAP for authentication or account information, the LDAP SSL, or TLS connection must require the server provide a certificate and this certificate must have a valid path to a trusted CA - Certificate Issuer | Unix | DISA STIG AIX 7.x v2r9 |
| AIX7-00-001006 - If the AIX system is using LDAP for authentication or account information, the LDAP SSL, or TLS connection must require the server provide a certificate and this certificate must have a valid path to a trusted CA - ldapsslkeyf | Unix | DISA STIG AIX 7.x v2r9 |
| AIX7-00-001006 - If the AIX system is using LDAP for authentication or account information, the LDAP SSL, or TLS connection must require the server provide a certificate and this certificate must have a valid path to a trusted CA - useSSL | Unix | DISA STIG AIX 7.x v2r9 |
| AOSX-13-000750 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple Mac OSX 10.13 v2r5 |
| AOSX-14-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple Mac OSX 10.14 v2r6 |
| AOSX-15-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple Mac OSX 10.15 v1r10 |
| APPL-11-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple macOS 11 v1r5 |
| APPL-11-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple macOS 11 v1r8 |
| APPL-12-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple macOS 12 v1r8 |
| APPL-13-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple macOS 13 v1r3 |
| APPNET0031 - Digital signatures assigned to strongly named assemblies must be verified. | Windows | DISA STIG for Microsoft Dot Net Framework 4.0 v2r2 |
| APPNET0046 - The Trust Providers Software Publishing State must be set to 0x23C00. | Windows | DISA STIG for Microsoft Dot Net Framework 4.0 v2r2 |
| APPNET0048 - Developer certificates used with the .NET Publisher Membership Condition must be approved by the IAO. | Windows | DISA STIG for Microsoft Dot Net Framework 4.0 v2r2 |
| APPNET0063 - .NET must be configured to validate strong names on full-trust assemblies - Wow6432Node | Windows | DISA STIG for Microsoft Dot Net Framework 4.0 v2r2 |
| APPNET0063 - .NET must be configured to validate strong names on full-trust assemblies. | Windows | DISA STIG for Microsoft Dot Net Framework 4.0 v2r2 |
| AS24-U2-000380 - The Apache web server must perform RFC 5280-compliant certification path validation | Unix | DISA STIG Apache Server 2.4 Unix Site v2r4 Middleware |
| AS24-U2-000380 - The Apache web server must perform RFC 5280-compliant certification path validation | Unix | DISA STIG Apache Server 2.4 Unix Site v2r4 |
| AS24-W1-000380 - The Apache web server must perform RFC 5280-compliant certification path validation. | Windows | DISA STIG Apache Server 2.4 Windows Server v2r3 |
| AS24-W2-000380 - The Apache web server must perform RFC 5280-compliant certification path validation - SSLVerifyClient | Windows | DISA STIG Apache Server 2.4 Windows Site v2r1 |
| AS24-W2-000380 - The Apache web server must perform RFC 5280-compliant certification path validation - SSLVerifyDepth | Windows | DISA STIG Apache Server 2.4 Windows Site v2r1 |
| Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 High |
| Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - All Profiles |
| Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 High |
| Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - CNSSI 1253 |
| Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Moderate |
| Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 Moderate |
| CASA-VN-000120 - The Cisco ASA must be configured to validate certificates via a trustpoint that identifies a DoD or DoD-approved certificate authority. | Cisco | DISA STIG Cisco ASA VPN v1r3 |
| CASA-VN-000730 - The Cisco ASA VPN remote access server must be configured to validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation - ipsec-client | Cisco | DISA STIG Cisco ASA VPN v1r3 |
| CASA-VN-000730 - The Cisco ASA VPN remote access server must be configured to validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation - ssl-client | Cisco | DISA STIG Cisco ASA VPN v1r3 |
| Catalina - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 Moderate |
| Catalina - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Catalina v1.5.0 - 800-53r4 Moderate |
| Catalina - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Catalina v1.5.0 - All Profiles |
| Catalina - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 High |
| Catalina - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Catalina v1.5.0 - CNSSI 1253 |
| Catalina - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Catalina v1.5.0 - 800-53r4 High |
| DKER-EE-006190 - Docker Enterprise Universal Control Plane (UCP) must be integrated with a trusted certificate authority (CA). | Unix | DISA STIG Docker Enterprise 2.x Linux/Unix UCP v2r1 |
| DTBC-0037 - Online revocation checks must be performed. | Windows | DISA STIG Google Chrome v2r9 |
| DTBI018-IE11 - Check for publishers certificate revocation must be enforced. | Windows | DISA STIG IE 11 v2r4 |
| DTBI365-IE11 - Checking for server certificate revocation must be enforced. | Windows | DISA STIG IE 11 v2r4 |
| DTOO265 - Outlook - Warning about invalid signatures must be enforced. | Windows | DISA STIG Office 2010 Outlook v1r13 |
| DTOO265 - Warning about invalid signatures must be enforced. | Windows | DISA STIG Microsoft Outlook 2013 v1r13 |
| DTOO267 - Outlook - Retrieving of CRL data must be set for online action. | Windows | DISA STIG Office 2010 Outlook v1r13 |
| DTOO267 - Retrieving of CRL data must be set for online action. | Windows | DISA STIG Microsoft Outlook 2013 v1r13 |
| DTOO267 - Retrieving of CRL data must be set for online action. | Windows | DISA STIG Microsoft Outlook 2016 v2r3 |
| DTOO268 - Missing Root Certificates warning must be enforced. | Windows | DISA STIG Microsoft Outlook 2013 v1r13 |
| DTOO268 - Outlook - Missing Root Certificates warning must be enforced. | Windows | DISA STIG Office 2010 Outlook v1r13 |
| EDGE-00-000030 - Online revocation checks must be performed. | Windows | DISA STIG Edge v1r7 |
| EP11-00-004500 - The EDB Postgres Advanced Server, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation. | Windows | EDB PostgreSQL Advanced Server v11 Windows OS Audit v2r2 |
| F5BI-AP-000232 - The F5 BIG-IP appliance must configure OCSP to ensure revoked user credentials are prohibited from establishing an allowed session. | F5 | DISA F5 BIG-IP Access Policy Manager STIG v2r3 |
| F5BI-AP-000233 - The F5 BIG-IP appliance must configure OCSP to ensure revoked machine credentials are prohibited from establishing an allowed session. | F5 | DISA F5 BIG-IP Access Policy Manager STIG v2r3 |