How to determine if my certificate is valid or expired?
Mondoo’s GraphQL-based query language, MQL, allows you to quickly gather information about an SSL/TLS endpoint.
If you have not yet installed cnquery, follow our installation instructions. Once it is installed, you can gather information about the complete certificate chain: the subject of each certificate, when it expires, and whether it is revoked, verified, or a CA certificate:
tls.certificates { subject expiresIn isRevoked isVerified isCA }
We also added an SSL/TLS certificate incident response query pack that gathers all of this data about an SSL/TLS endpoint in one run, so you can validate both the certificate and the encryption configuration of a domain.
To inspect the SSL/TLS certificate and configuration of a domain, run:
$ cnquery scan host example.com --querypack mondoo-ssl-tls-certificate-incident-response
How can I ensure that no unverified or expired SSL/TLS certificates are in use?
Once you've renewed all SSL/TLS certificates, you want to make sure that no new systems start using an expired or unverified certificate, and that you are warned 90 days before a certificate expires.
We added a new TLS Security policy to cnspec that validates SSL/TLS certificates and configurations.
If you have not yet installed cnspec, follow our instructions.
cnspec enforces the correct settings through controls backed by MQL queries. The following query verifies that the certificate is not expired. Rather than a plain pass/fail, its score degrades as the expiration date approaches: a certificate with 90 days or less remaining already scores 20 or lower, and one with 30 days or less scores 0:
switch {
case tls.certificates.first.expiresIn.days > 150: score(100);
case tls.certificates.first.expiresIn.days > 120: score(70);
case tls.certificates.first.expiresIn.days > 90: score(50);
case tls.certificates.first.expiresIn.days > 60: score(20);
case tls.certificates.first.expiresIn.days > 30: score(9);
default: score(0);
}
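The same check can be reproduced outside cnspec, which is useful for a quick one-off look at a host or for a monitoring job that cannot ship the Mondoo tooling. The block below is an added example, not code from Mondoo, cnquery or cnspec: it uses only the Python standard library, applies the exact score tiers of the switch block above, and reports the equivalents of the MQL fields subject, expiresIn and isVerified. The function names and the SAMPLE_CERT dictionary are this example's own (SAMPLE_CERT is a constructed record in the shape ssl.getpeercert() returns, not a real certificate). It deliberately does not claim to cover isRevoked: the standard library performs no OCSP or CRL lookups, so revocation still needs cnquery or another tool.

```python
"""Score a TLS endpoint's leaf certificate by remaining lifetime.

Added example (not Mondoo's code). Thresholds mirror the policy's switch:
>150 days -> 100, >120 -> 70, >90 -> 50, >60 -> 20, >30 -> 9, else 0.
"""
import socket
import ssl
import time
from typing import Optional

# (minimum days remaining, score), in the same order as the MQL switch cases.
SCORE_TIERS = ((150, 100), (120, 70), (90, 50), (60, 20), (30, 9))

# Constructed sample in ssl.getpeercert() shape; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("countryName", "US"),), (("commonName", "Example CA"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jun  1 00:00:00 2024 GMT",
    "serialNumber": "01",
    "subjectAltName": (("DNS", "example.com"),),
}


def days_until_expiry(cert: dict, now: Optional[float] = None) -> float:
    """Days from `now` (epoch seconds; default: current time) to notAfter.

    A negative result means the certificate has already expired, which the
    caller must treat as a failure rather than as "fewer than 30 days left".
    """
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])  # parses "... GMT"
    return (not_after - now) / 86400


def expiry_score(days: float) -> int:
    """Map remaining days onto the policy's score tiers (expired -> 0)."""
    for min_days, score in SCORE_TIERS:
        if days > min_days:
            return score
    return 0


def assess(cert: dict, now: Optional[float] = None) -> dict:
    """Summarise a leaf certificate: subject CN, days left, expired flag, score.

    Revocation is intentionally not covered: the stdlib does no OCSP/CRL
    checks, so a revoked but unexpired certificate would still score here.
    """
    days = days_until_expiry(cert, now)
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    return {
        "subject": subject.get("commonName"),
        "expiresInDays": round(days, 1),
        "expired": days <= 0,
        "score": expiry_score(days),
    }


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the leaf certificate with chain and hostname verification enabled.

    This is the isVerified equivalent: ssl.create_default_context() verifies
    against the system trust store, and an unverifiable chain raises
    ssl.SSLCertVerificationError before any scoring happens. (With
    verification disabled getpeercert() returns {}, so never score that.)
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import json
    import sys

    # Usage: python tls_expiry.py example.com [port]
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(json.dumps(assess(fetch_peer_cert(host, port)), indent=2))
```

Run it against a host to get a JSON summary whose "score" matches what the cnspec control would give for the same certificate on the same day. Because verification failures raise before scoring, an endpoint presenting a self-signed or mis-issued certificate shows up as an exception, not as a healthy-looking number.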
The full policy is available on GitHub. To scan a host against it, run:
cnspec scan host mondoo.com -f cnspec-policies/core/mondoo-tls-security.mql.yaml
That's it! Run this scan regularly against your own hosts to make sure no expired or unverified SSL/TLS certificates slip back into use.