STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

CCI-004909

Definition

Include only approved trust anchors in trust stores or certificate stores managed by the organization.

Parent Control

SC-17 Public Key Infrastructure Certificates (System and Communications Protection family)

Linked STIG Checks (52)

Vuln ID | Severity | Rule Title | STIG / SRG
V-263539 | CAT II | AAA Services must be configured to include only approved trust anchors in trust stores or certificate stores managed by the organization. | AAA Services Security Requirements Guide
V-279112 | CAT II | ColdFusion must include only approved trust anchors in trust stores or certificate stores managed by the organization. | Adobe ColdFusion Security Technical Implementation Guide
V-274063 | CAT II | Amazon Linux 2023, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Amazon Linux 2023 Security Technical Implementation Guide
V-268124 | CAT II | NixOS, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Anduril NixOS Security Technical Implementation Guide
V-222966 | CAT II | DOD root CA certificates must be installed in Tomcat trust store. | Apache Tomcat Application Server 9 Security Technical Implementation Guide
V-268534 | CAT II | The macOS system must issue or obtain public key certificates from an approved service provider. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
V-277143 | CAT II | The macOS system must issue or obtain public key certificates from an approved service provider. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
V-263544 | CAT II | The ALG must include only approved trust anchors in trust stores or certificate stores managed by the organization. | Application Layer Gateway Security Requirements Guide
V-263554 | CAT II | The application server must include only approved trust anchors in trust stores or certificate stores managed by the organization. | Application Server Security Requirements Guide
V-276013 | CAT I | Ax-OS must protect the authenticity of communications sessions. | Axonius Federal Systems Ax-OS Security Technical Implementation Guide
V-274855 | CAT II | Ubuntu 20.04 LTS must ensure SSSD performs certificate path validation, including revocation checking, against a trusted anchor for PKI-based authentication. | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
V-260577 | CAT II | Ubuntu 22.04 LTS, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
V-274867 | CAT II | Ubuntu 22.04 LTS must ensure SSSD performs certificate path validation, including revocation checking, against a trusted anchor for PKI-based authentication. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
V-270735 | CAT II | Ubuntu 24.04 LTS, for PKI-based authentication, SSSD must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
V-270737 | CAT II | Ubuntu 24.04 LTS, for PKI-based authentication, Privileged Access Management (PAM) must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
V-263582 | CAT II | The Central Log Server must include only approved trust anchors in trust stores or certificate stores managed by the organization. | Central Log Server Security Requirements Guide
V-271927 | CAT I | The Cisco ACI must be configured to assign appropriate user roles or access levels to authenticated users. | Cisco ACI NDM Security Technical Implementation Guide
V-239942 | CAT II | The Cisco ASA must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider. | Cisco ASA NDM Security Technical Implementation Guide
V-215711 | CAT II | The Cisco router must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider. | Cisco IOS Router NDM Security Technical Implementation Guide
V-220619 | CAT II | The Cisco switch must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider. | Cisco IOS Switch NDM Security Technical Implementation Guide
V-215856 | CAT II | The Cisco router must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider. | Cisco IOS XE Router NDM Security Technical Implementation Guide
V-220567 | CAT II | The Cisco switch must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider. | Cisco IOS XE Switch NDM Security Technical Implementation Guide
V-220515 | CAT II | The Cisco switch must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider. | Cisco NX OS Switch NDM Security Technical Implementation Guide
V-269412 | CAT II | AlmaLinux OS 9, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-263599 | CAT II | The container platform must include only approved trust anchors in trust stores or certificate stores managed by the organization. | Container Platform Security Requirements Guide
V-263619 | CAT II | The DBMS must include only approved trust anchors in trust stores or certificate stores managed by the organization. | Database Security Requirements Guide
V-269802 | CAT II | The Dell OS10 Switch must obtain its public key certificates from an appropriate certificate policy through an approved service provider. | Dell OS10 Switch NDM Security Technical Implementation Guide
V-263643 | CAT II | The DNS server implementation must include only approved trust anchors in trust stores or certificate stores managed by the organization. | Domain Name System (DNS) Security Requirements Guide
V-278403 | CAT II | NGINX must only allow using DOD approved certificate authorities for PKI. | F5 NGINX Security Technical Implementation Guide
V-263659 | CAT II | The operating system must include only approved trust anchors in trust stores or certificate stores managed by the organization. | General Purpose Operating System Security Requirements Guide
V-283090 | CAT II | The HPE Alletra Storage ArcusOS device must utilize trusted and authorized certificates. | HPE Alletra Storage ArcusOS Web Server Security Technical Implementation Guide
V-268258 | CAT II | The HYCU virtual appliance must obtain its public key certificates from an appropriate certificate policy through an approved service provider. | HYCU Protege Security Technical Implementation Guide
V-223421 | CAT II | All IBM z/OS digital certificates in use must have a valid path to a trusted Certification authority. | IBM z/OS ACF2 Security Technical Implementation Guide
V-223648 | CAT II | All digital certificates in use must have a valid path to a trusted certification authority (CA). | IBM z/OS RACF Security Technical Implementation Guide
V-223871 | CAT II | All IBM z/OS digital certificates in use must have a valid path to a trusted Certification Authority (CA). | IBM z/OS TSS Security Technical Implementation Guide
V-217352 | CAT II | The Juniper router must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider. | Juniper Router NDM Security Technical Implementation Guide
V-263684 | CAT II | The Mainframe Product must include only approved trust anchors in trust stores or certificate stores managed by the organization. | Mainframe Product Security Requirements Guide
V-278192 | CAT II | Windows Server 2025 must have the DOD Root Certificate Authority (CA) certificates installed in the Trusted Root Store. | Microsoft Windows Server 2025 Security Technical Implementation Guide
V-279411 | CAT II | MongoDB must include only approved trust anchors in trust stores or certificate stores managed by the organization. | MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide
V-264305 | CAT II | The network device must be configured to include only approved trust anchors in trust stores or certificate stores managed by the organization. | Network Device Management Security Requirements Guide
V-273207 | CAT II | Okta must be configured to use only DOD-approved certificate authorities. | Okta Identity as a Service (IDaaS) Security Technical Implementation Guide
V-270589 | CAT II | Oracle Database must include only approved trust anchors in trust stores or certificate stores managed by the organization. | Oracle Database 19c Security Technical Implementation Guide
V-271604 | CAT II | OL 9, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Oracle Linux 9 Security Technical Implementation Guide
V-273848 | CAT II | The RUCKUS ICX device must be configured to include only approved trust anchors in trust stores or certificate stores managed by the organization. | RUCKUS ICX NDM Security Technical Implementation Guide
V-281329 | CAT II | RHEL 10 must, for PKI-based authentication, validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-221932 | CAT II | Splunk Enterprise must only allow the use of DOD-approved certificate authorities for cryptographic functions. | Splunk Enterprise 7.x for Windows Security Technical Implementation Guide
V-251690 | CAT II | Splunk Enterprise must only allow the use of DOD-approved certificate authorities for cryptographic functions. | Splunk Enterprise 8.x for Linux Security Technical Implementation Guide
V-279273 | CAT II | The Edge SWG must obtain its public key certificates from an appropriate certificate policy through an approved service provider. | Symantec Edge SWG NDM Security Technical Implementation Guide
V-282770 | CAT II | TOSS 5 must include only approved trust anchors in trust stores or certificate stores managed by the organization. | Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide
V-264324 | CAT II | The VMM must include only approved trust anchors in trust stores or certificate stores managed by the organization. | Virtual Machine Manager Security Requirements Guide
V-264356 | CAT II | The web server must include only approved trust anchors in trust stores or certificate stores managed by the organization. | Web Server Security Requirements Guide
V-269574 | CAT I | Xylok Security Suite must use a centralized user management solution. | Xylok Security Suite 20.x Security Technical Implementation Guide
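The CCI definition and most of the linked checks (the SRG "include only approved trust anchors" rules, the Tomcat and Windows Server "DOD root CA certificates installed" rules) come down to one audit: every certificate in a trust store the organization manages must be on its approved-anchor list, and every required anchor must be present. The Python below is an added example written for this page, not STIGhub's or DISA's code. It parses a PEM bundle, fingerprints each certificate with SHA-256 over its DER bytes (the same value `openssl x509 -noout -sha256 -fingerprint` prints, so an approved list can be built from the real DOD root certificates), and reports unapproved and missing anchors. The approved list and the sample bundle are constructed placeholders: the PEM bodies are base64 of a label rather than real DER certificates, which is enough to exercise the membership check.

```python
"""Audit a PEM trust store against an allowlist of approved trust anchors.

Added example for CCI-004909, not STIGhub's or DISA's code.  Fingerprints
are SHA-256 over the DER bytes of each certificate, the value
`openssl x509 -noout -sha256 -fingerprint` reports, so the same function
can be pointed at a real bundle (for example a Java cacerts export or a
distribution's generated CA bundle) with an allowlist built from the
organization's approved root certificates.
"""
from __future__ import annotations

import base64
import hashlib
import re

# One PEM certificate block; DOTALL so the base64 body may span many lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_certs_to_der(bundle: str) -> list[bytes]:
    """Return the DER bytes of every certificate in a PEM bundle, in order."""
    ders = []
    for body in PEM_BLOCK.findall(bundle):
        # Strip the 64-column line wrapping before decoding; validate=True
        # rejects stray characters instead of silently ignoring them.
        ders.append(base64.b64decode("".join(body.split()), validate=True))
    return ders


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA-256 fingerprint of a DER certificate."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def audit_trust_store(bundle: str, approved: dict[str, str]) -> dict:
    """Compare a trust store against the approved anchors.

    `approved` maps fingerprint -> human-readable name.  Any certificate in
    the store that is not in `approved` is the finding that fails
    CCI-004909; approved anchors that are absent are reported separately
    so the "DOD root CA certificates must be installed" checks can reuse
    the same call.
    """
    present = {sha256_fingerprint(d) for d in pem_certs_to_der(bundle)}
    approved_set = set(approved)
    return {
        "approved_present": sorted(approved[f] for f in present & approved_set),
        "approved_missing": sorted(approved[f] for f in approved_set - present),
        "unapproved": sorted(present - approved_set),
        "compliant": present <= approved_set,
    }


# --- constructed sample data (placeholders, not real certificates) -------

def _placeholder_pem(label: str) -> str:
    """Stand-in for a certificate: base64 of a label instead of real DER."""
    body = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


APPROVED_ANCHORS = {
    sha256_fingerprint(b"placeholder: Approved Root CA A"): "Approved Root CA A",
    sha256_fingerprint(b"placeholder: Approved Root CA B"): "Approved Root CA B",
}

# Store contains one approved anchor and one vendor-shipped CA that is not
# on the approved list; Approved Root CA B is required but missing.
SAMPLE_TRUST_STORE = (
    _placeholder_pem("placeholder: Approved Root CA A")
    + _placeholder_pem("placeholder: Vendor Test CA")
)


def sample_report() -> dict:
    """Run the audit over the constructed store."""
    return audit_trust_store(SAMPLE_TRUST_STORE, APPROVED_ANCHORS)


if __name__ == "__main__":
    report = sample_report()
    print("compliant:", report["compliant"])
    print("approved present:", report["approved_present"])
    print("approved missing:", report["approved_missing"])
    print("unapproved fingerprints:", report["unapproved"])
```

Two caveats when running this against a real system. Membership is only half of what the Linux checks in the list require: path validation to the anchor, including revocation checking, is done by the consumer (SSSD, PAM, the TLS library) and is not exercised here. And on systems that generate the effective CA bundle from several sources, audit the generated bundle the clients actually read rather than only the directory where the organization dropped its own anchors, since a vendor-shipped store merged into it will appear in the "unapproved" list exactly as above.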