Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Server Certificate Signature Algorithm

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: IAM-059

- Ensure that all the SSL/TLS certificates stored within AWS IAM are not using the MD5/SHA-1 signature algorithm in order to adhere to AWS security best practices and protect from Collision attacks (i.e. cryptographic hash collisions). Cloud Conformity strongly recommends to upgrade your insecure server certificates to use signature algorithms with hash functions that are stronger than SHA-1/MD5, such as SHA-256, SHA-384 or SHA-512. For example, with the Amazon Certificate Manager (ACM) service you can provision server certificates using SHA-256 hashing algorithms.

Security

Using server certificates (SSL/TLS certificates) with insecure and deprecated cryptographic hash functions such as MD5 or SHA-1, could make the connection between the client and the AWS resource that implements the certificates vulnerable to Collision attacks. A Collision attack utilizes the methodology that the hash generated by MD5 and SHA-1 functions is not unique and the same hash value can be generated for different contents of the certificate, therefore the encryption is not efficient.

Note: The SSL/TLS certificates cannot be managed from the AWS IAM Management Console, therefore you must upload, retrieve, manage or delete these certificates programmatically using the AWS API. Because of this, Amazon Certificate Manager (ACM) represents the best AWS tool to provision, manage and deploy your server certificates. With AWS ACM You can use a SSL/TLS certificate provided by the ACM service or one that you purchased from an external provider.

Audit

To determine if there are any server certificates that are using MD5/SHA-1 signature algorithm, currently available within AWS IAM, perform the following:

Note: Getting the certificates signature algorithm information via AWS Management Console is not currently supported. To request information about the SSL/TLS certificates managed by AWS IAM, use the Command Line Interface (CLI).

Using AWS CLI

01 Run list-server-certificates command (OSX/Linux/UNIX) to list the names of all IAM-managed server certificates: 

aws iam list-server-certificates
	--query 'ServerCertificateMetadataList[*].ServerCertificateName'

02 The command output should return an array that contains the names of all the SSL/TLS certificates currently stored within AWS IAM: 

[
    "MyWebServerSSLCertificate",
    "CloudConformitySSLCertificate"
]

03 Run get-server-certificate command (OSX/Linux/UNIX) using the name of the certificate returned at the previous step as identifier and custom query filters to retrieve the public key of the selected SSL/TLS certificate: 

aws iam get-server-certificate
	--server-certificate-name MyWebServerSSLCertificate
	--query 'ServerCertificate.CertificateBody'

04 The command output should return the contents (certificate body) of the requested public key: 

"-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----"

05 Now create a new file with the .crt extension, name it certificate.crt, and copy the certificate body (without the quotes) returned at the previous step to the newly created file: 

echo "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----" > certificate.crt

06 Run openssl command (Linux/UNIX) using the file created at the previous step as input parameter to expose the name of the signature algorithm used for the selected SSL/TLS certificate: 

openssl x509 -noout -text -in certificate.crt | grep 'Signature Algorithm'

07 The command output should return the requested cryptographic hash function name: 

Signature Algorithm: sha1WithRSAEncryption

If the command output returns md5WithRSAEncryption or sha1WithRSAEncryption (as shown in the example above) as value for the Signature Algorithm attribute, the selected AWS IAM server certificate is using insecure and deprecated signature algorithms.

08 Repeat steps no. 3 – 7 to check the signature algorithm for other SSL/TLS certificates managed by AWS IAM within your AWS account.

Remediation / Resolution

To replace any insecure/deprecated SSL/TLS certificates managed by AWS IAM service, perform the following:

Note: Managing SSL/TLS certificates stored within AWS IAM via AWS Management Console is not currently supported. To upload, deploy and delete server certificates, use the AWS API through the Command Line Interface (CLI).

Using AWS CLI

01 Run delete-server-certificate command (OSX/Linux/UNIX) using the name of the deprecated server certificate as identifier (see Audit section part I to identify the right resource), to remove it from AWS IAM (the command does not produce an output): 

aws iam delete-server-certificate
	--server-certificate-name MyWebServerSSLCertificate

02 Once your SSL/TLS certificate has been reissued by its provider, run upload-server-certificate command (OSX/Linux/UNIX) to upload the new server certificate entity to AWS IAM. The new server certificate entity includes a public key (certificate body, e.g. SSLCertificate.pem file), a private key (e.g. SSLPrivateKey.pem), and an optional certificate chain (e.g SSLCertificateChain.pem), which should all be PEM-encoded. Make sure you use the same name (e.g. MyWebServerSSLCertificate) for your new SSL/TLS certificate so you don’t have to update the reference to it: 

aws iam upload-server-certificate
	--server-certificate-name MyWebServerSSLCertificate
	--certificate-body file://SSLCertificate.pem
	--certificate-chain file://SSLCertificateChain.pem
	--private-key file://SSLPrivateKey.pem

03 The command output should return the new AWS IAM server certificate metadata 

{
    "ServerCertificateMetadata": {
        "ServerCertificateId": "ADYU4X2W6SUR5UB9DT",
        "ServerCertificateName": "MyWebServerSSLCertificate",
        "Expiration": "2018-02-17T23:59:59Z",
        "Path": "/",
        "Arn": "arn:aws:iam::123456789012:server-certificate/MyWebServerSSLCertificate",
        "UploadDate": "2017-06-09T08:55:23.995Z"
    }
}

Cloud Conformity recommends using the AWS Certificate Manager (ACM) service to provision, manage, and deploy your new server certificates. With AWS ACM you can request a certificate, deploy it to your AWS resources and let Amazon handle certificate renewals for you.

04 Repeat steps no. 1 – 3 to replace other insecure/deprecated SSL/TLS certificates managed by AWS IAM within your AWS account.

References

Publication date Jun 12, 2017

Related IAM rules