800-53|SC-23(5)

Title

ALLOWED CERTIFICATE AUTHORITIES

Description

The information system only allows the use of [Assignment: organization-defined certificate authorities] for verification of the establishment of protected sessions.

Supplemental

Reliance on certificate authorities (CAs) for the establishment of secure sessions includes, for example, the use of Secure Socket Layer (SSL) and/or Transport Layer Security (TLS) certificates. These certificates, after verification by the respective certificate authorities, facilitate the establishment of protected sessions between web clients and web servers.

Reference Item Details

Related: SC-13

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Parent Title: SESSION AUTHENTICITY

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Audit Items

Name | Plugin | Audit Name
2.18 Ensure 'Require online OCSP/CRL checks for local trust anchors' is set to 'Enabled' | Windows | CIS Google Chrome L2 v3.0.0
2.18 Ensure 'Whether online OCSP/CRL checks are required for local trust anchors' is set to 'Enabled' | Windows | CIS Google Chrome L2 v2.0.0
4.1003 - The system must implement certificate status checking for PKI authentication. | Unix | Tenable Fedora Linux Best Practices v2.0.0
5.3 Set 'Prevent ignoring certificate errors' to 'Enabled' | Windows | CIS IE 9 v1.0.0
5.3.10 Ensure certificate status checking for PKI authentication. | Unix | CIS Amazon Linux 2 STIG v1.0.0 L3
5.5 Set 'Prevent ignoring certificate errors' to 'Enabled' | Windows | CIS IE 11 v1.0.0
5.5 Set 'Prevent ignoring certificate errors' to 'Enabled' | Windows | CIS IE 10 v1.1.0
5.08 OAS - 'Oracle Wallet Trusted Certificates - Remove certificate authorities (CAs) that are not required.' | Unix | CIS v1.1.0 Oracle 11g OS L2
20.20 Ensure 'DoD Interoperability Root CA cross-certificates' are installed in the 'Untrusted Certificates Store' on unclassified systems | Windows | CIS Microsoft Windows Server 2022 STIG v1.0.0 STIG DC
20.20 Ensure 'DoD Interoperability Root CA cross-certificates' are installed in the 'Untrusted Certificates Store' on unclassified systems | Windows | CIS Microsoft Windows Server 2022 STIG v1.0.0 STIG MS
20.20 Ensure 'DoD Interoperability Root CA cross-certificates' are installed in the 'Untrusted Certificates Store' on unclassified systems | Windows | CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG MS
20.20 Ensure 'DoD Interoperability Root CA cross-certificates' are installed in the 'Untrusted Certificates Store' on unclassified systems | Windows | CIS Microsoft Windows Server 2016 STIG v2.0.0 STIG DC
20.20 Ensure 'DoD Interoperability Root CA cross-certificates' are installed in the 'Untrusted Certificates Store' on unclassified systems | Windows | CIS Microsoft Windows Server 2016 STIG v2.0.0 STIG MS
20.20 Ensure 'DoD Interoperability Root CA cross-certificates' are installed in the 'Untrusted Certificates Store' on unclassified systems | Windows | CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG DC
20.21 Ensure 'DoD Root Certificate Authority (CA) certificates' are installed in the 'Trusted Root Store' | Windows | CIS Microsoft Windows Server 2022 STIG v1.0.0 STIG MS
20.21 Ensure 'DoD Root Certificate Authority (CA) certificates' are installed in the 'Trusted Root Store' | Windows | CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG DC
20.21 Ensure 'DoD Root Certificate Authority (CA) certificates' are installed in the 'Trusted Root Store' | Windows | CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG MS
20.21 Ensure 'DoD Root Certificate Authority (CA) certificates' are installed in the 'Trusted Root Store' | Windows | CIS Microsoft Windows Server 2022 STIG v1.0.0 STIG DC
20.21 Ensure 'Domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority' (STIG DC only) | Windows | CIS Microsoft Windows Server 2016 STIG v2.0.0 STIG DC
20.22 Ensure 'Domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority' (STIG DC only) | Windows | CIS Microsoft Windows Server 2022 STIG v1.0.0 STIG DC
20.22 Ensure 'Domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority' (STIG DC only) | Windows | CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG DC
20.22 Ensure 'Domain controllers have a PKI server certificate' (STIG DC only) | Windows | CIS Microsoft Windows Server 2016 STIG v2.0.0 STIG DC
20.23 Ensure 'Domain controllers have a PKI server certificate' (STIG DC only) | Windows | CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG DC
20.23 Ensure 'Domain controllers have a PKI server certificate' (STIG DC only) | Windows | CIS Microsoft Windows Server 2022 STIG v1.0.0 STIG DC
20.53 Ensure 'PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA)' (STIG DC only) | Windows | CIS Microsoft Windows Server 2016 STIG v2.0.0 STIG DC
20.53 Ensure 'PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA)' (STIG DC only) | Windows | CIS Microsoft Windows Server 2022 STIG v1.0.0 STIG DC
20.54 Ensure 'PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA)' (STIG DC only) | Windows | CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG DC
20.68 Ensure 'US DoD CCEB Interoperability Root CA cross-certificates' are installed in the 'Untrusted Certificates Store' on unclassified systems | Windows | CIS Microsoft Windows Server 2022 STIG v1.0.0 STIG DC
20.68 Ensure 'US DoD CCEB Interoperability Root CA cross-certificates' are installed in the 'Untrusted Certificates Store' on unclassified systems | Windows | CIS Microsoft Windows Server 2022 STIG v1.0.0 STIG MS
20.69 Ensure 'US DoD CCEB Interoperability Root CA cross-certificates' are installed in the 'Untrusted Certificates Store' on unclassified systems | Windows | CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG MS
20.69 Ensure 'US DoD CCEB Interoperability Root CA cross-certificates' are installed in the 'Untrusted Certificates Store' on unclassified systems | Windows | CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG DC
AADC-CL-000990 - Adobe Acrobat Pro DC Classic periodic downloading of Adobe European certificates must be disabled. | Windows | DISA STIG Adobe Acrobat Pro DC Classic Track v1r3
AADC-CL-000990 - Adobe Acrobat Pro DC Classic periodic downloading of Adobe European certificates must be disabled. | Windows | DISA STIG Adobe Acrobat Pro DC Classic Track v2r1
AADC-CL-001320 - Adobe Acrobat Pro DC Classic Periodic downloading of Adobe certificates must be disabled. | Windows | DISA STIG Adobe Acrobat Pro DC Classic Track v2r1
AADC-CL-001320 - Adobe Acrobat Pro DC Classic Periodic downloading of Adobe certificates must be disabled. | Windows | DISA STIG Adobe Acrobat Pro DC Classic Track v1r3
AADC-CN-000990 - Adobe Acrobat Pro DC Continuous periodic downloading of Adobe European certificates must be disabled. | Windows | DISA STIG Adobe Acrobat Pro DC Continuous Track v2r1
AADC-CN-000990 - Adobe Acrobat Pro DC Continuous periodic downloading of Adobe European certificates must be disabled. | Windows | DISA STIG Adobe Acrobat Pro DC Continuous Track v1r2
AADC-CN-001320 - Adobe Acrobat Pro DC Continuous Periodic downloading of Adobe certificates must be disabled. | Windows | DISA STIG Adobe Acrobat Pro DC Continuous Track v2r1
AADC-CN-001320 - Adobe Acrobat Pro DC Continuous Periodic downloading of Adobe certificates must be disabled. | Windows | DISA STIG Adobe Acrobat Pro DC Continuous Track v1r2
ADBP-XI-000990 - Adobe Acrobat Pro XI periodic downloading of Adobe European certificates must be disabled. | Windows | DISA STIG ADOBE ACROBAT PROFESSIONAL (PRO) XI v1r2
ADBP-XI-001320 - Adobe Acrobat Pro XI Periodic downloading of Adobe certificates must be disabled. | Windows | DISA STIG ADOBE ACROBAT PROFESSIONAL (PRO) XI v1r2
AIX7-00-001006 - If the AIX system is using LDAP for authentication or account information, the LDAP SSL, or TLS connection must require the server provide a certificate and this certificate must have a valid path to a trusted CA - ldapsslkeyf | Unix | DISA STIG AIX 7.x v2r3
AIX7-00-001006 - If the AIX system is using LDAP for authentication or account information, the LDAP SSL, or TLS connection must require the server provide a certificate and this certificate must have a valid path to a trusted CA - ldapsslkeyf | Unix | DISA STIG AIX 7.x v2r1
AIX7-00-001006 - If the AIX system is using LDAP for authentication or account information, the LDAP SSL, or TLS connection must require the server provide a certificate and this certificate must have a valid path to a trusted CA - useSSL | Unix | DISA STIG AIX 7.x v2r3
AIX7-00-001006 - If the AIX system is using LDAP for authentication or account information, the LDAP SSL, or TLS connection must require the server provide a certificate and this certificate must have a valid path to a trusted CA - useSSL | Unix | DISA STIG AIX 7.x v2r1
AIX7-00-001045 - IF LDAP is used, AIX LDAP client must use SSL to authenticate with LDAP server. | Unix | DISA STIG AIX 7.x v2r1
AIX7-00-001045 - IF LDAP is used, AIX LDAP client must use SSL to authenticate with LDAP server. | Unix | DISA STIG AIX 7.x v2r3
AIX7-00-001104 - If LDAP authentication is required on AIX, SSL must be used between LDAP clients and the LDAP servers to protect the integrity of remote access sessions. | Unix | DISA STIG AIX 7.x v2r1
AIX7-00-001104 - If LDAP authentication is required on AIX, SSL must be used between LDAP clients and the LDAP servers to protect the integrity of remote access sessions. | Unix | DISA STIG AIX 7.x v2r3
AIX7-00-001105 - AIX must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions - Certificate Issuer | Unix | DISA STIG AIX 7.x v2r9