CCI|CCI-000185

Title: For public key-based authentication, validate certificates by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information.

Reference Item Details

Reference: CCI - DISA Control Correlation Identifier
Category: 2024
Audit Items

| Name | Plugin | Audit Name |
| --- | --- | --- |
| AIX7-00-001006 - If the AIX system is using LDAP for authentication or account information, the LDAP SSL, or TLS connection must require the server provide a certificate and this certificate must have a valid path to a trusted CA. | Unix | DISA STIG AIX 7.x v3r1 |
| AOSX-13-000750 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple Mac OSX 10.13 v2r5 |
| AOSX-14-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple Mac OSX 10.14 v2r6 |
| AOSX-15-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple Mac OSX 10.15 v1r10 |
| APPL-11-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple macOS 11 v1r5 |
| APPL-11-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple macOS 11 v1r8 |
| APPL-12-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple macOS 12 v1r9 |
| APPNET0048 - Developer certificates used with the .NET Publisher Membership Condition must be approved by the ISSO. | Windows | DISA STIG for Microsoft Dot Net Framework 4.0 v2r4 |
| AS24-W1-000380 - The Apache web server must perform RFC 5280-compliant certification path validation. | Windows | DISA STIG Apache Server 2.4 Windows Server v3r1 |
| AS24-W1-000380 - The Apache web server must perform RFC 5280-compliant certification path validation. | Windows | DISA STIG Apache Server 2.4 Windows Server v2r3 |
| Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 High |
| Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 High |
| Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - CNSSI 1253 |
| Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 Moderate |
| Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Moderate |
| Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - All Profiles |
| CASA-VN-000120 - The Cisco ASA must be configured to validate certificates via a trustpoint that identifies a DoD or DoD-approved certificate authority. | Cisco | DISA STIG Cisco ASA VPN v2r2 |
| Catalina - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 High |
| Catalina - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 Moderate |
| Catalina - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Catalina v1.5.0 - CNSSI 1253 |
| Catalina - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Catalina v1.5.0 - 800-53r4 Moderate |
| Catalina - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Catalina v1.5.0 - All Profiles |
| Catalina - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Catalina v1.5.0 - 800-53r4 High |
| DTBI018-IE11 - Check for publishers certificate revocation must be enforced. | Windows | DISA STIG IE 11 v2r5 |
| DTBI365-IE11 - Checking for server certificate revocation must be enforced. | Windows | DISA STIG IE 11 v2r5 |
| DTOO265 - Outlook - Warning about invalid signatures must be enforced. | Windows | DISA STIG Office 2010 Outlook v1r13 |
| DTOO265 - Warning about invalid signatures must be enforced. | Windows | DISA STIG Microsoft Outlook 2013 v1r13 |
| DTOO268 - Missing Root Certificates warning must be enforced. | Windows | DISA STIG Microsoft Outlook 2013 v1r13 |
| DTOO268 - Outlook - Missing Root Certificates warning must be enforced. | Windows | DISA STIG Office 2010 Outlook v1r13 |
| EDGE-00-000030 - Online revocation checks must be performed. | Windows | DISA STIG Edge v2r2 |
| F5BI-LT-000083 - The BIG-IP Core implementation must be configured to validate certificates used for TLS functions for connections to virtual servers by constructing a certification path (which includes status information) to an accepted trust anchor. | F5 | DISA F5 BIG-IP Local Traffic Manager STIG v2r3 |
| FFOX-00-000016 - Firefox must have the DOD root certificates installed. | Unix | DISA STIG Mozilla Firefox MacOS v6r5 |
| FFOX-00-000016 - Firefox must have the DOD root certificates installed. | Unix | DISA STIG Mozilla Firefox Linux v6r5 |
| FFOX-00-000016 - Firefox must have the DOD root certificates installed. | Windows | DISA STIG Mozilla Firefox Windows v6r5 |
| GEN008000 - Certificates used to authenticate to the LDAP server must be provided from DoD-approved external PKI - 'client Key Label' | Unix | DISA STIG AIX 5.3 v1r2 |
| GEN008000 - Certificates used to authenticate to the LDAP server must be provided from DoD-approved external PKI - 'client Key Label' | Unix | DISA STIG AIX 6.1 v1r14 |
| GEN008000 - Certificates used to authenticate to the LDAP server must be provided from DoD-approved external PKI - 'ldapsslkeyf exists' | Unix | DISA STIG AIX 6.1 v1r14 |
| GEN008000 - Certificates used to authenticate to the LDAP server must be provided from DoD-approved external PKI - 'ldapsslkeyf exists' | Unix | DISA STIG AIX 5.3 v1r2 |
| GEN008000 - Certificates used to authenticate to the LDAP server must be provided from DoD-approved external PKI - 'Not Applicable' | Unix | DISA STIG AIX 5.3 v1r2 |
| GEN008000 - Certificates used to authenticate to the LDAP server must be provided from DoD-approved external PKI - 'useSSL = yes' | Unix | DISA STIG AIX 6.1 v1r14 |
| GEN008000 - Certificates used to authenticate to the LDAP server must be provided from DoD-approved external PKI - 'useSSL = yes' | Unix | DISA STIG AIX 5.3 v1r2 |
| GEN008000 - If the system is using LDAP for authentication or account information, certificates used to authenticate to the LDAP server must be provided from DoD PKI or a DoD-approved external PKI - 'manual cert check' | Unix | DISA STIG for Oracle Linux 5 v2r1 |
| GEN008000 - If the system is using LDAP for authentication or account information, certificates used to authenticate to the LDAP server must be provided from DoD PKI or a DoD-approved external PKI - 'tls_cert' | Unix | DISA STIG for Oracle Linux 5 v2r1 |
| GEN008000 - If using LDAP for auth or account info, certs used must be provided from DoD or an approved external PKI - 'manual cert check' | Unix | DISA STIG for Red Hat Enterprise Linux 5 v1r18 Audit |
| GEN008000 - If using LDAP for auth or account info, certs used must be provided from DoD or an approved external PKI - 'tls_cert' | Unix | DISA STIG for Red Hat Enterprise Linux 5 v1r18 Audit |
| GEN008020 - If the system is using LDAP for authentication or account information, the LDAP TLS connection must require the server provide a certificate with a valid trust path to a trusted CA. | Unix | DISA STIG for Oracle Linux 5 v2r1 |
| GEN008020 - If using LDAP for auth or acct info, the LDAP TLS connection must require a cert that has a valid trust path to a trusted CA. | Unix | DISA STIG for Red Hat Enterprise Linux 5 v1r18 Audit |
| GEN008020 - The LDAP TLS connection must require a certificate and this certificate has a valid path to a trusted CA - 'client Key Label' | Unix | DISA STIG AIX 5.3 v1r2 |
| GEN008020 - The LDAP TLS connection must require a certificate and this certificate has a valid path to a trusted CA - 'client Key Label' | Unix | DISA STIG AIX 6.1 v1r14 |
| GEN008020 - The LDAP TLS connection must require a certificate and this certificate has a valid path to a trusted CA - 'Not Applicable' | Unix | DISA STIG AIX 5.3 v1r2 |