5.6 Enable OCSP and CRL certificate checking - CRLStyle

Information

A rogue or compromised certificate should not be trsuted

Solution

Run the following commands to enforce the compliant state To set the CRL settings:
defaults write com.apple.security.revocation CRLStyle -string RequireIfPresent
To set the OCSP settings:
defaults write com.apple.security.revocation OCSPStyle -string RequireIfPresent

See Also

https://workbench.cisecurity.org/files/300

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(2)(a)

Plugin: Unix

Control ID: bf7ce3728b8a1138145000ec9a832149e93034780f43c1ce51a30e5c08249520