Benchmark: SSL/TLS Certificate Best Practices
Overview
An SSL certificate (also known as a TLS or SSL/TLS certificate) is a digital document that binds the identity of a website to a cryptographic key pair consisting of a public key and a private key. The certificate includes the public key, which allows a web browser to initiate an encrypted communication session with a web server via the TLS and HTTPS protocols. The private key is kept secure on the server and is used to digitally sign the TLS handshake, proving to the client that the server controls the certificate.
This benchmark performs various standard checks on your domain certificates, for example:
- Is my certificate valid?
- Is my certificate expired (or expiring soon)?
- Is my certificate revoked by the certificate authority (CA)?
- Is my certificate using any insecure key?
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-net-insights
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select SSL/TLS Certificate Best Practices.
Run this benchmark in your terminal:
powerpipe benchmark run net_insights.benchmark.ssl_certificate_best_practices
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run net_insights.benchmark.ssl_certificate_best_practices --share
Controls
- Certificate common names should be listed in subject alternative name (SAN)
- Certificates should be valid
- Certificates should not be expired
- Self-signed certificates should not be used
- Certificates should not be revoked
- Use a strong and secure private key (at least a 2048-bit RSA or 256-bit ECDSA key)
- Ensure certificates have sufficient hostname coverage
- Issuing certificate authority (CA) should support both CRL and OCSP revocation methods
- Certificates should not use insecure signature algorithms (e.g., MD2, MD5, SHA1)
- Certificates should be visible in Certificate Transparency (CT) logs
- Ensure domains have a CAA record configured to whitelist a CA for issuing certificates
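As an added example (not part of the net_insights mod), several of the controls above can be reproduced offline with only Python's standard library, written against the dict layout that ssl.SSLSocket.getpeercert() returns. The sample certificate dict is constructed; the key-size and signature-algorithm controls are not covered because getpeercert() does not expose those fields.

```python
"""Offline versions of several benchmark controls over a getpeercert()-style dict."""
import ssl
import time

# Constructed sample in getpeercert() layout; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "example.test"),)),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example CA R1"),)),
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Feb 15 12:00:00 2025 GMT",
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "api.example.test")),
    "OCSP": ("http://ocsp.example-ca.test/",),
    # No "crlDistributionPoints" key: this issuer advertises OCSP only.
}

def _rdn(name, key):
    """First value for `key` (e.g. commonName) in a getpeercert() subject/issuer tuple."""
    return next((v for rdn in name for k, v in rdn if k == key), None)

def san_matches(pattern, host):
    """RFC 6125-style SAN match: a wildcard may replace only the leftmost label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] if p[0] == "*" else p == h

def check_cert(cert, now=None, expiring_days=30):
    """Evaluate the controls; True means the control passes."""
    now = time.time() if now is None else now
    cn = _rdn(cert.get("subject", ()), "commonName")
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])  # UTC epoch seconds
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "cn_listed_in_san": cn in sans,
        "valid_now": not_before <= now <= not_after,
        "not_expiring_soon": now + expiring_days * 86400 <= not_after,
        "not_self_signed": cert.get("subject") != cert.get("issuer"),
        "crl_and_ocsp": bool(cert.get("OCSP")) and bool(cert.get("crlDistributionPoints")),
    }

def covers_hostnames(cert, hostnames):
    """Hostname coverage: every required name must match some DNS SAN entry."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    return all(any(san_matches(s, h) for s in sans) for h in hostnames)
```

Pass a fixed `now` (epoch seconds) to check_cert to evaluate a certificate as of a chosen date rather than the current clock.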