diff --git a/components/sssd.yml b/components/sssd.yml
index 81c6fe79ddb2..29189d9f03ee 100644
--- a/components/sssd.yml
+++ b/components/sssd.yml
@@ -15,6 +15,7 @@ rules:
 - package_sssd_installed
 - service_sssd_enabled
 - sssd_certificate_verification
+- sssd_certification_path_trust_anchor
 - sssd_enable_certmap
 - sssd_enable_pam_services
 - sssd_enable_smartcards
diff --git a/controls/stig_ubuntu2404.yml b/controls/stig_ubuntu2404.yml
index 8c92594732be..2e4d0f95f3ca 100644
--- a/controls/stig_ubuntu2404.yml
+++ b/controls/stig_ubuntu2404.yml
@@ -846,9 +846,11 @@ controls:
 an accepted trust anchor.
 levels:
 - medium
- related_rules:
- - smartcard_configure_ca
- status: planned
+ rules:
+ - sssd_enable_pam_services
+ - sssd_enable_smartcards
+ - sssd_certification_path_trust_anchor
+ status: automated
 - id: UBTU-24-400370
 title: Ubuntu 24.04 LTS must map the authenticated identity to the user or group
diff --git a/linux_os/guide/services/sssd/sssd_certification_path_trust_anchor/bash/shared.sh b/linux_os/guide/services/sssd/sssd_certification_path_trust_anchor/bash/shared.sh
new file mode 100644
index 000000000000..673dba937b0b
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_certification_path_trust_anchor/bash/shared.sh
@@ -0,0 +1,38 @@
+# platform = multi_platform_ubuntu
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = medium
+
+# sssd configuration files must be created with 600 permissions if they don't exist
+# otherwise the sssd module fails to start
+OLD_UMASK=$(umask)
+umask u=rw,go=
+
+# find key in section and change value
+found=false
+# find key in section but don't change current value
+if grep -qzosP "[[:space:]]*\[domain/.*\]([^\n\[]*\n+)+?[[:space:]]*ca_cert" "/etc/sssd/sssd.conf"; then
+ found=true
+
+# find section and add key = value to it
+elif grep -qs "[[:space:]]*\[domain/.*\]" "/etc/sssd/sssd.conf"; then
+ sed -i "/[[:space:]]*certificate_verification/a ca_cert = \/etc\/ssl\/certs\/ca-certificates.crt" "/etc/sssd/sssd.conf"
+ found=true
+fi
+
+# if section not in file, append section with key = value
+if ! $found ; then
+ mkdir -p "/etc/sssd"
+ echo -e "\n[domain/example.com]\nca_cert = /etc/ssl/certs/ca-certificates.crt" >> "/etc/sssd/sssd.conf"
+fi
+
+if grep -qzosP "[[:space:]]*\[domain/.*\]([^\n\[]*\n+)+?[[:space:]]*certificate_verification" "/etc/sssd/sssd.conf"; then
+ sed -i "s/certificate_verification[^(\n)]*/certificate_verification = ca_cert,ocsp/" "/etc/sssd/sssd.conf"
+
+# find section and add key = value to it
+else
+ sed -i "/[[:space:]]*\[domain\/.*\]/a certificate_verification = ca_cert,ocsp" "/etc/sssd/sssd.conf"
+fi
+
+umask $OLD_UMASK
diff --git a/linux_os/guide/services/sssd/sssd_certification_path_trust_anchor/oval/shared.xml b/linux_os/guide/services/sssd/sssd_certification_path_trust_anchor/oval/shared.xml
new file mode 100644
index 000000000000..1c172ea3f961
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_certification_path_trust_anchor/oval/shared.xml
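Review bot: In the `elif` branch the `sed` that should add `ca_cert` uses `/[[:space:]]*certificate_verification/` as its address, but that key is only created by the second `if`/`else` further down, so on a file that has a `[domain/...]` section without `certificate_verification` nothing is inserted, and `found=true` then also suppresses the append fallback — the remediation finishes with no `ca_cert` line at all. Anchoring on the section header, as the last `sed` already does, closes the gap: `sed -i "/[[:space:]]*\[domain\/.*\]/a ca_cert = \/etc\/ssl\/certs\/ca-certificates.crt" "/etc/sssd/sssd.conf"`. `mkdir -p "/etc/sssd"` runs under `umask u=rw,go=`, which clears the search bit, so a missing directory is created as 0600; `mkdir -p -m 0700 "/etc/sssd"` (or creating it before the umask change) avoids that, and the test scripts never exercise this path because they pre-create the directory. The `s/certificate_verification[^(\n)]*/…/` substitution is applied to every line of the file, not only inside `[domain/...]` sections, which is a wider scope than the `-z` grep that guards it. The fallback writes a placeholder `[domain/example.com]` section into the live configuration; a comment such as `# placeholder domain: rename to the real domain and list it under [sssd] domains=` would tell the next reader that this is not a working setup.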
@@ -0,0 +1,25 @@
+ + + {{{ oval_metadata("SSSD should be configured with trust path to an accepted trust anchor.") }}} + + + + + + + + + + + + ^/etc/sssd/sssd.conf$ + ^[\s]*\[domain\/.*](?:[^\n\[]*\n+)+?[\s]*certificate_verification\s*=\s*([\w,]+)$ + 1 + + + + ca_cert,ocsp + +
diff --git a/linux_os/guide/services/sssd/sssd_certification_path_trust_anchor/rule.yml b/linux_os/guide/services/sssd/sssd_certification_path_trust_anchor/rule.yml
new file mode 100644
index 000000000000..a428d14d52e5
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_certification_path_trust_anchor/rule.yml
@@ -0,0 +1,34 @@
+documentation_complete: true
+
+
+title: 'Certificate trust path in SSSD'
+
+description: |-
+ Enable certification trust path for SSSD to an accepted trust anchor.
+
+rationale: |-
+ Without path validation, an informed trust decision by the relying party cannot be made when
+ presented with any certificate not already explicitly trusted.
+
+severity: medium
+
+
+ocil_clause: 'certificate_verification in sssd is not configured'
+
+ocil: |-
+ Ensure "ca" is enabled in "certificate_verification" with the following command:
+
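Review bot: The state `ca_cert,ocsp` is compared literally with the `([\w,]+)` capture, so an equivalent `ocsp,ca_cert`, or a stricter configuration that also sets an option such as `ocsp_default_responder=` or `crl_file=` (whose `=`, `:` and `/` characters the capture cannot match at all), is reported as failing. Expressing the requirement as the presence of both tokens — e.g. `certificate_verification\s*=\s*(?=[^\n]*\bca_cert\b)(?=[^\n]*\bocsp\b)[^\n]*$` with the state checking that a match exists — would describe what the control asks for rather than one spelling of it. The visible object only examines `certificate_verification`; the rule's fixtext and the bash remediation also require `ca_cert`, and nothing in this hunk verifies that key (the XML element markup is stripped in this view, so a second object, if any, is not visible).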
$ sudo grep certificate_verification /etc/sssd/sssd.conf
. + If configured properly, output should look like +
+        certificate_verification = ca_cert,ocsp
+    
+ +fixtext: |- + Configure SSSD for PKI-based authentication. To validate certificates by constructing a certification path + to an accepted trust anchor by checking the following configuration of the
/etc/sssd/sssd.conf
file. +
+        [domain/example.com]
+        ldap_user_certificate = usercertificate;binary
+        certificate_verification = ca_cert,ocsp
+        ca_cert = /etc/ssl/certs/ca-certificates.crt
+    
+
diff --git a/linux_os/guide/services/sssd/sssd_certification_path_trust_anchor/tests/correct_value.pass.sh b/linux_os/guide/services/sssd/sssd_certification_path_trust_anchor/tests/correct_value.pass.sh
new file mode 100644
index 000000000000..a8074b6d96e4
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_certification_path_trust_anchor/tests/correct_value.pass.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# packages = sssd-common
+
+mkdir -p /etc/sssd/conf.d
+touch /etc/sssd/sssd.conf
+echo -e "$ sudo vi /etc/sssd/sssd.conf
+[sssd]
+services = nss,pam,ssh
+config_file_version = 2
+
+[pam]
+pam_cert_auth = True
+
+[domain/example.com]
+ldap_user_certificate = usercertificate;binary
+certificate_verification = ca_cert,ocsp
+ca_cert = /etc/ssl/certs/ca-certificates.crt
+" >> /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/sssd_certification_path_trust_anchor/tests/not_configured.fail.sh b/linux_os/guide/services/sssd/sssd_certification_path_trust_anchor/tests/not_configured.fail.sh
new file mode 100644
index 000000000000..ed011f9d4bcf
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_certification_path_trust_anchor/tests/not_configured.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# packages = sssd-common
+
+mkdir -p /etc/sssd/conf.d
+touch /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/sssd_certification_path_trust_anchor/tests/partial_config.fail.sh b/linux_os/guide/services/sssd/sssd_certification_path_trust_anchor/tests/partial_config.fail.sh
new file mode 100644
index 000000000000..96003507f30b
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_certification_path_trust_anchor/tests/partial_config.fail.sh
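Review bot: The `ocil` text asks the auditor to ensure `"ca"` is enabled in `certificate_verification`, while the fixtext in the same hunk and the committed OVAL state require the exact value `ca_cert,ocsp`; a host with just `certificate_verification = ca_cert` would be accepted by the manual check and rejected by the automated one. Aligning the wording keeps both checks equivalent: `Ensure "certificate_verification" is set to "ca_cert,ocsp" in the "[domain/...]" section with the following command:` and `ocil_clause: 'certificate_verification in sssd is not set to ca_cert,ocsp'`. The `<pre>` markup of this hunk appears stripped in this view, so the layout of the example blocks was not reviewed.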
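Review bot: The string passed to `echo -e` begins with the pasted prompt line `$ sudo vi /etc/sssd/sssd.conf`, which becomes the first line of `/etc/sssd/sssd.conf`, so the "correct" fixture is not a file sssd could parse; the check presumably still passes only because the regex looks for a `[domain/...]` section anywhere in the file. Remove that line so the content starts at `[sssd]`; `partial_config.fail.sh`, `partial_config2.fail.sh` and `partial_config3.fail.sh` carry the same pasted prompt. Because `echo -e` interprets backslash sequences in the content, a quoted heredoc (`cat >> /etc/sssd/sssd.conf <<'EOF'`) writes the fixture verbatim and is the safer form for future edits.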
@@ -0,0 +1,24 @@
+#!/bin/bash
+# packages = sssd-common
+
+mkdir -p /etc/sssd/conf.d
+touch /etc/sssd/sssd.conf
+echo -e "$ sudo vi /etc/sssd/sssd.conf
+[sssd]
+services = nss,pam,ssh
+config_file_version = 2
+
+[pam]
+pam_cert_auth = True
+
+[domain/test.com]
+ldap_user_certificate = usercertificate;binary
+certificate_verification = ca_cert
+ca_cert = /etc/ssl/certs/ca-certificates.crt
+
+[domain/test2.com]
+ldap_user_certificate = usercertificate;binary
+certificate_verification = ca_cert
+ca_cert = /etc/ssl/certs/ca-certificates.crt
+" >> /etc/sssd/sssd.conf
+
diff --git a/linux_os/guide/services/sssd/sssd_certification_path_trust_anchor/tests/partial_config2.fail.sh b/linux_os/guide/services/sssd/sssd_certification_path_trust_anchor/tests/partial_config2.fail.sh
new file mode 100644
index 000000000000..a7c7b16593f5
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_certification_path_trust_anchor/tests/partial_config2.fail.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+# packages = sssd-common
+
+mkdir -p /etc/sssd/conf.d
+touch /etc/sssd/sssd.conf
+echo -e "$ sudo vi /etc/sssd/sssd.conf
+[sssd]
+services = nss,pam,ssh
+config_file_version = 2
+
+[pam]
+pam_cert_auth = True
+
+[domain/test.com]
+ldap_user_certificate = usercertificate;binary
+certificate_verification = ca_cert
+ca_cert = /etc/ssl.crt
+" >> /etc/sssd/sssd.conf
+
diff --git a/linux_os/guide/services/sssd/sssd_certification_path_trust_anchor/tests/partial_config3.fail.sh b/linux_os/guide/services/sssd/sssd_certification_path_trust_anchor/tests/partial_config3.fail.sh
new file mode 100644
index 000000000000..06230b86c5b9
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_certification_path_trust_anchor/tests/partial_config3.fail.sh
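Review bot: `partial_config2.fail.sh` is presumably meant to fail because `ca_cert` points at `/etc/ssl.crt`, but its `certificate_verification = ca_cert` line already fails the `ca_cert,ocsp` comparison by itself, so the test never shows whether the path is examined; `partial_config3.fail.sh`, which omits `ca_cert` entirely, has the same weakness. Setting `certificate_verification = ca_cert,ocsp` in both fixtures makes the `ca_cert` condition the only difference from `correct_value.pass.sh`. From the OVAL text visible in this commit only `certificate_verification` is compared, so after that change these two scenarios would likely pass instead of fail — which is exactly the gap the tests should expose.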
@@ -0,0 +1,18 @@
+#!/bin/bash
+# packages = sssd-common
+
+mkdir -p /etc/sssd/conf.d
+touch /etc/sssd/sssd.conf
+echo -e "$ sudo vi /etc/sssd/sssd.conf
+[sssd]
+services = nss,pam,ssh
+config_file_version = 2
+
+[pam]
+pam_cert_auth = True
+
+[domain/test.com]
+ldap_user_certificate = usercertificate;binary
+certificate_verification = ca_cert
+" >> /etc/sssd/sssd.conf
+
diff --git a/linux_os/guide/services/sssd/sssd_certification_path_trust_anchor/tests/wrong_section.fail.sh b/linux_os/guide/services/sssd/sssd_certification_path_trust_anchor/tests/wrong_section.fail.sh
new file mode 100644
index 000000000000..e2c0b2012f2b
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_certification_path_trust_anchor/tests/wrong_section.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = sssd-common
+
+mkdir -p /etc/sssd/conf.d
+touch /etc/sssd/sssd.conf
+echo -e "[sssd]\ncertificate_verification = ca_cert,ocsp" >> /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/bash/shared.sh b/linux_os/guide/services/sssd/sssd_enable_pam_services/bash/shared.sh
index 69c4c85f00d0..51e6b835d6ac 100644
--- a/linux_os/guide/services/sssd/sssd_enable_pam_services/bash/shared.sh
+++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol,multi_platform_almalinux
+# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol,multi_platform_almalinux,multi_platform_ubuntu
diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_false.fail.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_false.fail.sh
index a82d13a109cf..0b3d08ccae84 100644
--- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_false.fail.sh
+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_false.fail.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # packages = sssd
-# platform = multi_platform_fedora,Oracle Linux 7,Red Hat Virtualization 4
+# platform = multi_platform_fedora,Oracle Linux 7,Red Hat Virtualization 4,multi_platform_ubuntu
 SSSD_FILE="/etc/sssd/sssd.conf"
 echo "[pam]" > $SSSD_FILE
diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_missing.fail.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_missing.fail.sh
index cacd05850f35..440a5ce07a74 100644
--- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_missing.fail.sh
+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_missing.fail.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # packages = sssd
-# platform = multi_platform_fedora,Oracle Linux 7,Red Hat Virtualization 4
+# platform = multi_platform_fedora,Oracle Linux 7,Red Hat Virtualization 4,multi_platform_ubuntu
 SSSD_FILE="/etc/sssd/sssd.conf"
 echo "[pam]" > $SSSD_FILE
diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_missing_file.fail.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_missing_file.fail.sh
index 55f51c86d7b7..7b93f6c17f03 100644
--- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_missing_file.fail.sh
+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_missing_file.fail.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # packages = sssd
-# platform = multi_platform_fedora,Oracle Linux 7,Red Hat Virtualization 4
+# platform = multi_platform_fedora,Oracle Linux 7,Red Hat Virtualization 4,multi_platform_ubuntu
 SSSD_FILE="/etc/sssd/sssd.conf"
 rm -f $SSSD_FILE
diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_true.pass.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_true.pass.sh
index efd43cde538a..825939c31846 100644
--- a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_true.pass.sh
+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_true.pass.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # packages = sssd
-# platform = multi_platform_fedora,Oracle Linux 7,Red Hat Virtualization 4
+# platform = multi_platform_fedora,Oracle Linux 7,Red Hat Virtualization 4,multi_platform_ubuntu
 SSSD_FILE="/etc/sssd/sssd.conf"
 echo "[pam]" > $SSSD_FILE