Certificates
Use certificate pinning
Summary: Mobile applications should use certificate pinning to validate the endpoints. If a pinset is used, up to 2 certificates should be allowed.
Description: Certificate pinning establishes that the mobile application only connects to servers with ...
Provide extended validation (EV) certificates
Summary: Public applications with critical content should provide extended validation (EV) certificates.
Description: The use of Extended Validation (EV) certificates enhances the user experience by providing a clear and recognizable indication of a ...
Use consistent certificates
Summary: The system must use digital certificates with a consistent identification of the associated organization (service, server, etc.).
Description: This requirement indicates the importance of maintaining consistency in the identification ...
Use externally signed certificates
Summary: The organization must use certificates signed by valid external certification authorities when these are for external applications.
Description: Using externally signed certificates refers to obtaining digital certificates for your web ...
Use internally signed certificates
Summary: The organization must use certificates signed by valid internal certification authorities when these are for internal applications.
Description: Internally signed certificates refer to the practice of an organization issuing its own digital ...
Use valid certificates
Summary: The system must not use expired digital certificates.
Description: Certificates are fundamental components used to authenticate the identity of entities in online communication. Valid certificates issued by trusted Certificate Authorities ...
Limit validity of certificates
Summary: The organization must not use digital certificates with a validity of more than two years.
Description: Certificate validity is tied to the lifecycle of cryptographic keys. Limiting the validity period encourages regular key rotation, which is ...
Request client certificates
Summary: Systems that manage business-critical information must require digital certificates from the client. This must be done especially during the authentication process.
Description: This control suggests the implementation of a security measure ...