Mondoo Blog

SSL/TLS Certificate Verification: How to Identify Expired Certificates

Written by Patrick Münch | January 12, 2023

Verifying SSL/TLS certificates and establishing effective certificate management across your environment can be challenging. With cnquery's cloud-native asset inventory, you can retrieve information about every deployed certificate and its certificate chain across your entire infrastructure. With cnspec's cloud-native security and compliance assessment, you can continuously enforce that your certificates and their chains are verified and not expired.

How do I determine whether my certificate is valid or expired?

Mondoo's GraphQL-based query language, MQL, lets you quickly gather information about an SSL/TLS endpoint.

If you have not yet installed cnquery, follow our installation instructions. Once it is installed, you can gather information about the complete certificate chain: for each certificate, its subject, when it expires, whether it has been revoked, whether it is verified, and whether it is a CA certificate:

tls.certificates { subject expiresIn isRevoked isVerified isCA }

We added a dedicated SSL/TLS certificate incident response query pack that quickly gathers all data about an SSL/TLS endpoint, so you can validate both the certificate and the encryption configuration of a domain.

To inspect the SSL/TLS certificate and configuration of a domain, run:

$ cnquery scan host example.com --querypack mondoo-ssl-tls-certificate-incident-response

How can I ensure that no unverified or expired SSL/TLS certificates are in use?

Once you've replaced all expired SSL/TLS certificates, you want to make sure that no new system is deployed with an expired certificate, and that you are warned 90 days before any SSL/TLS certificate expires.

We added a new TLS Security Policy to cnspec that validates the SSL/TLS certificates and configurations.

If you have not yet installed cnspec, follow our instructions.

cnspec enforces the correct settings through controls that use MQL queries. The following query checks the first certificate presented by the server and verifies that it is not expired; its score worsens as the expiration date approaches and drops to 0 once 30 days or fewer remain:

switch {
  case tls.certificates.first.expiresIn.days > 150: score(100);
  case tls.certificates.first.expiresIn.days > 120: score(70);
  case tls.certificates.first.expiresIn.days > 90: score(50);
  case tls.certificates.first.expiresIn.days > 60: score(20);
  case tls.certificates.first.expiresIn.days > 30: score(9);
  default: score(0);
}
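The two pieces above, the per-certificate facts that the tls.certificates query returns and the expiry banding of the policy, come down to a standard X.509 chain validation plus a lookup on the days left. The following Go program is an added example written for this post, not code from cnquery, cnspec or the Mondoo policy repository: it constructs a throwaway root CA and a leaf certificate for the made-up name example.test, validates the chain at a fixed reference date the way a TLS client would, reports subject, CA flag, time to expiry and verification status for every certificate in the chain, and scores the leaf with the same bands as the switch statement. Revocation checking (isRevoked) is out of scope here, and every certificate, name and date is constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const host = "example.test" // name on the constructed leaf certificate (example value, not a real host)

// CertInfo holds what the MQL query reports per certificate; revocation (isRevoked) is not modelled.
type CertInfo struct {
	Subject          string
	IsCA, IsVerified bool
	ExpiresIn        time.Duration
}

// expiryScore reproduces the policy's switch: 100 above 150 days, 70 above 120, 50 above 90,
// 20 above 60, 9 above 30, and 0 at 30 days or fewer (which includes already-expired certificates).
func expiryScore(days int) int {
	bands := []struct{ minDays, score int }{{150, 100}, {120, 70}, {90, 50}, {60, 20}, {30, 9}}
	for _, b := range bands {
		if days > b.minDays {
			return b.score
		}
	}
	return 0
}

// inspectChain validates leaf against roots as a TLS client would (validity period, signatures, name
// match; no revocation). On failure it still returns the leaf, flagged unverified, so it can be scored.
func inspectChain(leaf *x509.Certificate, roots *x509.CertPool, now time.Time) ([]CertInfo, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	if err != nil {
		return []CertInfo{{Subject: leaf.Subject.CommonName, IsCA: leaf.IsCA, ExpiresIn: leaf.NotAfter.Sub(now)}}, err
	}
	var out []CertInfo
	for _, c := range chains[0] { // leaf first, then the issuing chain up to the root
		out = append(out, CertInfo{Subject: c.Subject.CommonName, IsCA: c.IsCA, IsVerified: true, ExpiresIn: c.NotAfter.Sub(now)})
	}
	return out, nil
}

// newCert issues a constructed test certificate: self-signed when parent is nil (root CA), else signed by parentKey.
func newCert(cn string, isCA bool, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(notAfter.Unix()), Subject: pkix.Name{CommonName: cn}, NotBefore: notBefore, NotAfter: notAfter,
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // only the leaf carries the server name and serverAuth usage that Verify checks
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{host}
	}
	signer, signKey := tmpl, key
	if parent != nil {
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// assess builds a root CA plus a leaf for host that expires at leafNotAfter, then returns the chain
// description, the expiry score as seen at now, and the verification error (nil when the chain is good).
func assess(now, leafNotAfter time.Time) ([]CertInfo, int, error) {
	ca, caKey, err := newCert("Example Test Root", true, now.AddDate(-1, 0, 0), now.AddDate(5, 0, 0), nil, nil)
	if err != nil {
		return nil, 0, err
	}
	leaf, _, err := newCert(host, false, now.AddDate(-1, 0, 0), leafNotAfter, ca, caKey)
	if err != nil {
		return nil, 0, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	infos, verr := inspectChain(leaf, roots, now)
	return infos, expiryScore(int(leaf.NotAfter.Sub(now).Hours() / 24)), verr
}

func main() {
	now := time.Date(2023, 1, 12, 12, 0, 0, 0, time.UTC) // fixed reference date so the output is reproducible
	for _, days := range []int{200, 45, -3} {
		infos, score, err := assess(now, now.AddDate(0, 0, days))
		fmt.Printf("leaf expiring in %d days: score=%d chain=%+v err=%v\n", days, score, infos, err)
	}
}
```

An expired leaf fails Verify with an x509.CertificateInvalidError (reason Expired) and is reported as a single unverified entry with score 0 rather than dropped, which is the behaviour you want from a scanner: an expired certificate must still show up in the inventory. Note that the bands are exclusive at the boundary, so a certificate with exactly 30 days left already scores 0, and one with exactly 90 days left scores 20, not 50.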

The full policy is available on GitHub. To scan a host against it, run:

$ cnspec scan host mondoo.com -f cnspec-policies/core/mondoo-tls-security.mql.yaml

Success, you should be all set to go now! Feel free to start running this process on your own infrastructure and ensure you're as secure as possible.