Skip to content
Untitled design-Aug-24-2022-05-35-46-93-PM
Patrick Münch January 12, 2023 2 min read

SSL/TLS Certificate Verification: How to Identify Expired Certificates


Verifying SSL/TLS certificates and establishing effective certificate management in your environment can be challenging. With cnquery's cloud-native asset inventory capabilities, you can retrieve all information about your deployed certificates and their certificate chain across your entire infrastructure. With cnspec’s cloud-native solution to assess the security and compliance, you can enforce that your certificates and their certificate chain are verified as well as not expired all the time.

Use cnquery to identify expired certificates.

How to determine if my certificate is valid or expired?

Mondoo’s GraphQL-based query language, MQL, allows you to quickly gather information about a SSL/TLS endpoint.

If you have not yet installed cnquery, follow our instructions. Once you've installed, you can gather information about the complete certificate chain, if the certificate is valid, revoked, is it a CA certificate and about the certificate expiration date:

tls.certificates { subject expiresIn isRevoked isVerified isCA }

cnquery shell host

We added a specific SSL/TLS certificate incident response query pack to gather quickly all data about the SSL/TLS endpoint. You can validate the SSL/TLS certificate and the encryption configuration of a domain.

To inspect a SSL/TLS certificate and configuration of a domain, run:

$ cnquery scan host --querypack mondoo-ssl-tls-certificate-incident-response

ssltls configuration domain check

How can I ensure that no unverified or expired SSL/TLS certificates are in use?

Once you've updated all SSL/TLS certificates, you want to make sure that no new systems use the expired SSL/TLS certificate and that you get 90 days before a SSL/TLS certificate expires a message about it.

We added a new TLS Security Policy to cnspec that validates the SSL/TLS certificates and configurations.

If you have not yet installed cnspec, follow our instructions.

cnspec enforces the correct settings through controls that use MQL queries.  This query allows you to verify that the certificate is not expired. Likewise, the score worsens as the expiration date approaches:

switch {
       case tls.certificates.first.expiresIn.days > 150: score(100);
       case tls.certificates.first.expiresIn.days > 120: score(70);
       case tls.certificates.first.expiresIn.days > 90: score(50);
       case tls.certificates.first.expiresIn.days > 60: score(20);
       case tls.certificates.first.expiresIn.days > 30: score(9);
       default: score(0);

The full policy is available on Github.

cnspec scan host -f cnspec-policies/core/mondoo-tls-security.mql.yaml

ssltls scan results

Success, you should be all set to go now! Feel free to begin running this process on your own and ensuring you're as secure as possible.

Use cnspec to identify expired certificates.


Patrick Münch

Chief Information Security Officer (CISO) at Mondoo, Patrick is highly skilled at protecting and hacking every system he gets his hands on. He built a successful penetration testing and incident response team at SVA GmbH, their goal to increase the security level of companies and limit the impact of ransomware attacks. Now, as part of the Mondoo team, Patrick can help protect far more organizations from cybersecurity threats.
view raw