800-53|SC-23(5)

Title

ALLOWED CERTIFICATE AUTHORITIES

Description

The information system only allows the use of [Assignment: organization-defined certificate authorities] for verification of the establishment of protected sessions.

Supplemental

Reliance on certificate authorities (CAs) for the establishment of secure sessions includes, for example, the use of Secure Socket Layer (SSL) and/or Transport Layer Security (TLS) certificates. These certificates, after verification by the respective certificate authorities, facilitate the establishment of protected sessions between web clients and web servers.

Reference Item Details

Related: SC-13

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Parent Title: SESSION AUTHENTICITY

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Audit Items

Name | Plugin | Audit Name
5.5 Set 'Prevent ignoring certificate errors' to 'Enabled' | Windows | CIS IE 10 v1.1.0
5.08 OAS - 'Oracle Wallet Trusted Certificates - Remove certificate authorities (CAs) that are not required.' | Unix | CIS v1.1.0 Oracle 11g OS L2
20.53 Ensure 'PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA)' (STIG DC only) | Windows | CIS Microsoft Windows Server 2022 STIG v1.0.0 STIG DC
20.54 Ensure 'PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA)' (STIG DC only) | Windows | CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG DC
20.54 Ensure 'PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA)' (STIG DC only) | Windows | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG DC
APPL-14-003001 - The macOS system must issue or obtain public key certificates from an approved service provider. | Unix | DISA Apple macOS 14 (Sonoma) STIG v2r2
APPL-15-003001 - The macOS system must issue or obtain public key certificates from an approved service provider. | Unix | DISA Apple macOS 15 (Sequoia) STIG v1r1
AS24-U1-000030 - The Apache web server must use cryptography to protect the integrity of remote sessions - ssl_module | Unix | DISA STIG Apache Server 2.4 Unix Server v3r1 Middleware
AS24-U1-000030 - The Apache web server must use cryptography to protect the integrity of remote sessions - SSLProtocol | Unix | DISA STIG Apache Server 2.4 Unix Server v3r1 Middleware
AS24-U1-000030 - The Apache web server must use cryptography to protect the integrity of remote sessions. | Unix | DISA STIG Apache Server 2.4 Unix Server v3r1
AS24-W1-000800 - The Apache web server must only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs). | Windows | DISA STIG Apache Server 2.4 Windows Server v3r1
AS24-W1-000800 - The Apache web server must only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs). | Windows | DISA STIG Apache Server 2.4 Windows Server v2r3
AS24-W2-000800 - The Apache web server must only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs). | Windows | DISA STIG Apache Server 2.4 Windows Site v2r1
Big Sur - Set Smartcard Certificate Trust to Moderate | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Moderate
Big Sur - Set Smartcard Certificate Trust to Moderate | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 Moderate
Big Sur - Set Smartcard Certificate Trust to Moderate | Unix | NIST macOS Big Sur v1.4.0 - All Profiles
Big Sur - Set Smartcard Certificate Trust to Moderate | Unix | NIST macOS Big Sur v1.4.0 - CNSSI 1253
Catalina - Set Smartcard Certificate Trust to Moderate | Unix | NIST macOS Catalina v1.5.0 - 800-53r4 Moderate
Catalina - Set Smartcard Certificate Trust to Moderate | Unix | NIST macOS Catalina v1.5.0 - All Profiles
Catalina - Set Smartcard Certificate Trust to Moderate | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 Moderate
Catalina - Set Smartcard Certificate Trust to Moderate | Unix | NIST macOS Catalina v1.5.0 - CNSSI 1253
EP11-00-009100 - The EDB Postgres Advanced Server must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions. | Windows | EDB PostgreSQL Advanced Server v11 Windows OS Audit v2r4
EPAS-00-009100 - The EDB Postgres Advanced Server must only accept end entity certificates issued by DOD PKI or DOD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions. | Unix | EnterpriseDB PostgreSQL Advanced Server OS Linux v2r1
MADB-10-008500 - MariaDB must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions. | MySQLDB | DISA MariaDB Enterprise 10.x v2r2 DB
MADB-10-008500 - MariaDB must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions. | Unix | DISA MariaDB Enterprise 10.x v2r2 OS Linux
MD3X-00-000730 - MongoDB must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions. | Unix | DISA STIG MongoDB Enterprise Advanced 3.x v2r3 OS
MD4X-00-005800 - MongoDB must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions. | Unix | DISA STIG MongoDB Enterprise Advanced 4.x v1r4 OS
MD7X-00-008400 MongoDB must only accept end entity certificates issued by DOD PKI or DOD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions. | Unix | DISA MongoDB Enterprise Advanced 7.x STIG v1r1
Monterey - Set Smartcard Certificate Trust to Moderate | Unix | NIST macOS Monterey v1.0.0 - CNSSI 1253
Monterey - Set Smartcard Certificate Trust to Moderate | Unix | NIST macOS Monterey v1.0.0 - 800-53r4 Moderate
Monterey - Set Smartcard Certificate Trust to Moderate | Unix | NIST macOS Monterey v1.0.0 - 800-53r5 Moderate
Monterey - Set Smartcard Certificate Trust to Moderate | Unix | NIST macOS Monterey v1.0.0 - All Profiles
MYS8-00-011900 - The MySQL Database Server 8.0 must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions. | Unix | DISA Oracle MySQL 8.0 v2r2 OS Linux
OH12-1X-000299 - OHS must have the SSLFIPS directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs). | Unix | DISA STIG Oracle HTTP Server 12.1.3 v2r2
PPS9-00-009100 - The EDB Postgres Advanced Server must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions. | Unix | EDB PostgreSQL Advanced Server OS Linux Audit v2r3
Prevent ignoring certificate errors | Windows | MSCT Windows 11 v1.0.0
Prevent ignoring certificate errors | Windows | MSCT Windows Server 2019 MS v1.0.0
Prevent ignoring certificate errors | Windows | MSCT Windows Server 2022 v1.0.0
Prevent ignoring certificate errors | Windows | MSCT Windows Server v20H2 MS v1.0.0
Prevent ignoring certificate errors | Windows | MSCT Windows 10 v20H2 v1.0.0
Prevent ignoring certificate errors | Windows | MSCT Windows 10 v22H2 v1.0.0
Prevent ignoring certificate errors | Windows | MSCT Windows 11 v23H2 v1.0.0
Prevent ignoring certificate errors | Windows | MSCT Windows Server 1903 DC v1.19.9
Prevent ignoring certificate errors | Windows | MSCT Windows Server 2019 DC v1.0.0
Prevent ignoring certificate errors | Windows | MSCT Windows Server v20H2 DC v1.0.0
Prevent ignoring certificate errors | Windows | MSCT Windows 10 v21H2 v1.0.0
Prevent ignoring certificate errors | Windows | MSCT Windows Server 1903 MS v1.19.9
Prevent ignoring certificate errors | Windows | MSCT Windows Server v1909 MS v1.0.0
Prevent ignoring certificate errors | Windows | MSCT Windows Server v2004 MS v1.0.0
Prevent ignoring certificate errors | Windows | MSCT Windows Server 2016 DC v1.0.0