Control: Avoid implementing too much security for certificates
Description
Using RSA keys stronger than 2048 bits or ECDSA keys stronger than 256 bits is a waste of CPU power and might impair user experience.
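The CPU cost behind this control can be measured directly. The following is an added example, not part of the control or the net_insights mod: it times the modular exponentiation at the core of an RSA private-key operation for 2048-, 3072- and 4096-bit operands. The operands are constructed random numbers rather than real keys, the function names are illustrative, and only the RSA case is covered.

```python
# Added example (not from the control's source): compares the cost of the
# modular exponentiation behind an RSA private-key operation at several sizes.
import random
import time

CONTROL_RSA_LIMIT = 2048  # threshold used by the control's query


def constructed_operands(bits, seed=1):
    """Build constructed (non-key) operands of exactly `bits` bits.

    Assumption: a random odd modulus and a full-length exponent stand in for
    a real RSA modulus and private exponent; only their size matters here.
    """
    rng = random.Random(seed)
    top = 1 << (bits - 1)
    modulus = rng.getrandbits(bits) | top | 1
    exponent = rng.getrandbits(bits) | top
    base = rng.getrandbits(bits - 1)  # always smaller than the modulus
    return base, exponent, modulus


def private_op_seconds(bits, repeats=5):
    """Best-of-`repeats` wall time for one base**exponent mod modulus."""
    base, exponent, modulus = constructed_operands(bits)
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        pow(base, exponent, modulus)
        best = min(best, time.perf_counter() - start)
    return best


def cost_relative_to_limit(sizes=(2048, 3072, 4096)):
    """Map each key size to its cost as a multiple of the 2048-bit cost."""
    baseline = private_op_seconds(CONTROL_RSA_LIMIT)
    return {bits: private_op_seconds(bits) / baseline for bits in sizes}


if __name__ == "__main__":
    for bits, factor in cost_relative_to_limit().items():
        flag = "alarm" if bits > CONTROL_RSA_LIMIT else "ok"
        print(f"RSA {bits}: {factor:4.1f}x the 2048-bit cost ({flag})")
```

Production TLS libraries use CRT and optimized big-number code, so absolute times differ from this sketch, but the cost still grows steeply with key length.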
Usage
Run the control in your terminal:
powerpipe control run net_insights.control.ssl_certificate_avoid_too_much_security
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run net_insights.control.ssl_certificate_avoid_too_much_security --share
Steampipe Tables
Params
Args | Name | Default | Description | Variable |
---|---|---|---|---|
$1 | domain_names | | DNS domain names. | |
SQL
select
  common_name as resource,
  case
    when (public_key_algorithm = 'RSA' and public_key_length > 2048) then 'alarm'
    when (public_key_algorithm = 'ECDSA' and public_key_length > 256) then 'alarm'
    else 'ok'
  end as status,
  case
    when (
      (public_key_algorithm = 'RSA' and public_key_length > 2048)
      or (public_key_algorithm = 'ECDSA' and public_key_length > 256)
    ) then common_name || ' is using larger keys.'
    else common_name || ' is not using larger keys.'
  end as reason
from
  net_certificate
where
  domain in (select jsonb_array_elements_text(to_jsonb($1::text[])))
order by
  common_name;