5.6 Enable OCSP and CRL certificate checking - OCSPStyle

Information

A rogue or compromised certificate should not be trsuted

Solution

Run the following commands to enforce the compliant state To set the CRL settings:
defaults write com.apple.security.revocation CRLStyle -string RequireIfPresent
To set the OCSP settings:
defaults write com.apple.security.revocation OCSPStyle -string RequireIfPresent

See Also

https://workbench.cisecurity.org/files/301

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(2)(a)

Plugin: Unix

Control ID: 0aff901cc62499533d3daf342a689f5b95abd5f087ce43f4f44bdea9042afd7c