5.7 Enable OCSP and CRL certificate checking - OCSPStyle

Information

Certificates should only be trusted if they have both a satisfactory trust chain and they have not been revoked. macOS check whether the certificate is still valid based on issued parameters within the certificate.

Rationale:

A rogue or compromised certificate should not be trusted

Impact:

Network or connectivity issues could interfere with certificate checks for valid certificates

Solution

Run the following commands to enforce the compliant state
To set the CRL settings:

defaults write com.apple.security.revocation CRLStyle -string RequireIfPresent

To set the OCSP settings:

defaults write com.apple.security.revocation OCSPStyle -string RequireIfPresent

See Also

https://workbench.cisecurity.org/files/3092

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(2)(a)

Plugin: Unix

Control ID: 61cd8c6cb094489eb2ce4e1135412b44414e4890edf9fd566db3b6641b188a0c