CCI-000185
CCI
CCI|CCI-000185
Title: For public key-based authentication, validate certificates by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information.
Reference Item Details
Reference: CCI - DISA Control Correlation Identifier
Category: 2024
Audit Items
| Name | Plugin | Audit Name |
| --- | --- | --- |
| AIX7-00-001006 - If the AIX system is using LDAP for authentication or account information, the LDAP SSL, or TLS connection must require the server provide a certificate and this certificate must have a valid path to a trusted CA. | Unix | DISA STIG AIX 7.x v3r1 |
| AOSX-13-000750 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple Mac OSX 10.13 v2r5 |
| AOSX-14-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple Mac OSX 10.14 v2r6 |
| AOSX-15-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple Mac OSX 10.15 v1r10 |
| APPL-11-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple macOS 11 v1r5 |
| APPL-11-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple macOS 11 v1r8 |
| APPL-12-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple macOS 12 v1r9 |
| APPL-13-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple macOS 13 v1r4 |
| APPL-14-001060 - The macOS system must set smart card certificate trust to moderate. | Unix | DISA Apple macOS 14 (Sonoma) STIG v2r2 |
| APPL-15-001060 - The macOS system must set smart card certificate trust to moderate. | Unix | DISA Apple macOS 15 (Sequoia) STIG v1r1 |
| APPNET0031 - Digital signatures assigned to strongly named assemblies must be verified. | Windows | DISA STIG for Microsoft Dot Net Framework 4.0 v2r4 |
| APPNET0046 - The Trust Providers Software Publishing State must be set to 0x23C00. | Windows | DISA STIG for Microsoft Dot Net Framework 4.0 v2r4 |
| APPNET0048 - Developer certificates used with the .NET Publisher Membership Condition must be approved by the ISSO. | Windows | DISA STIG for Microsoft Dot Net Framework 4.0 v2r4 |
| APPNET0063 - .NET must be configured to validate strong names on full-trust assemblies. | Windows | DISA STIG for Microsoft Dot Net Framework 4.0 v2r4 |
| AS24-U2-000380 - The Apache web server must perform RFC 5280-compliant certification path validation. | Unix | DISA STIG Apache Server 2.4 Unix Site v2r4 |
| AS24-U2-000380 - The Apache web server must perform RFC 5280-compliant certification path validation. | Unix | DISA STIG Apache Server 2.4 Unix Site v2r4 Middleware |
| AS24-W1-000380 - The Apache web server must perform RFC 5280-compliant certification path validation. | Windows | DISA STIG Apache Server 2.4 Windows Server v2r3 |
| AS24-W1-000380 - The Apache web server must perform RFC 5280-compliant certification path validation. | Windows | DISA STIG Apache Server 2.4 Windows Server v3r1 |
| AS24-W2-000380 - The Apache web server must perform RFC 5280-compliant certification path validation - SSLVerifyClient | Windows | DISA STIG Apache Server 2.4 Windows Site v2r1 |
| AS24-W2-000380 - The Apache web server must perform RFC 5280-compliant certification path validation - SSLVerifyDepth | Windows | DISA STIG Apache Server 2.4 Windows Site v2r1 |
| Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 High |
| Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 High |
| Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - CNSSI 1253 |
| Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 Moderate |
| Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Moderate |
| Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - All Profiles |
| CASA-VN-000120 - The Cisco ASA must be configured to validate certificates via a trustpoint that identifies a DoD or DoD-approved certificate authority. | Cisco | DISA STIG Cisco ASA VPN v2r2 |
| CASA-VN-000730 - The Cisco ASA VPN remote access server must be configured to validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation. | Cisco | DISA STIG Cisco ASA VPN v2r2 |
| Catalina - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 High |
| Catalina - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 Moderate |
| Catalina - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Catalina v1.5.0 - CNSSI 1253 |
| Catalina - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Catalina v1.5.0 - 800-53r4 Moderate |
| Catalina - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Catalina v1.5.0 - All Profiles |
| Catalina - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Catalina v1.5.0 - 800-53r4 High |
| CD12-00-007000 - PostgreSQL, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation. | Unix | DISA STIG Crunchy Data PostgreSQL OS v3r1 |
| CNTR-R2-000010 Rancher RKE2 must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 security requirements for cryptographic modules. | Unix | DISA Rancher Government Solutions RKE2 STIG v2r2 |
| DKER-EE-006190 - Docker Enterprise Universal Control Plane (UCP) must be integrated with a trusted certificate authority (CA). | Unix | DISA STIG Docker Enterprise 2.x Linux/Unix UCP v2r2 |
| DTBC-0037 - Online revocation checks must be performed. | Windows | DISA STIG Google Chrome v2r9 |
| DTBI018-IE11 - Check for publishers certificate revocation must be enforced. | Windows | DISA STIG IE 11 v2r5 |
| DTBI365-IE11 - Checking for server certificate revocation must be enforced. | Windows | DISA STIG IE 11 v2r5 |
| DTOO265 - Outlook - Warning about invalid signatures must be enforced. | Windows | DISA STIG Office 2010 Outlook v1r13 |
| DTOO265 - Warning about invalid signatures must be enforced. | Windows | DISA STIG Microsoft Outlook 2013 v1r13 |
| DTOO267 - Outlook - Retrieving of CRL data must be set for online action. | Windows | DISA STIG Office 2010 Outlook v1r13 |
| DTOO267 - Retrieving of CRL data must be set for online action. | Windows | DISA STIG Microsoft Outlook 2016 v2r3 |
| DTOO267 - Retrieving of CRL data must be set for online action. | Windows | DISA STIG Microsoft Outlook 2013 v1r13 |
| DTOO268 - Missing Root Certificates warning must be enforced. | Windows | DISA STIG Microsoft Outlook 2013 v1r13 |
| DTOO268 - Outlook - Missing Root Certificates warning must be enforced. | Windows | DISA STIG Office 2010 Outlook v1r13 |
| EDGE-00-000030 - Online revocation checks must be performed. | Windows | DISA STIG Edge v2r2 |
| EP11-00-004500 - The EDB Postgres Advanced Server, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation. | Windows | EDB PostgreSQL Advanced Server v11 Windows OS Audit v2r4 |
| EPAS-00-004500 - The EDB Postgres Advanced Server, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation. | Unix | EnterpriseDB PostgreSQL Advanced Server OS Linux v2r1 |