
Check for Certificate Minimum Key Size

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: KeyVault-011

Ensure that your Microsoft Azure Key Vault RSA certificates are generated with the minimum key size allowed within your organization, for security and compliance purposes.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

For most cryptographic functions, the key size (key length) is an important security parameter. Setting the right key size for your Azure Key Vault RSA certificates enforces the security best practices and compliance requirements adopted within your organization. For example, if your RSA certificates are used by applications that process and transfer highly sensitive and confidential data, you can enforce a key size of 4096 bits.


Audit

To determine if your Azure Key Vault RSA certificates are using the minimum key size allowed by your organization, perform the following operations:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Key vault to list all Key Vault instances available in the selected subscription.

05 Click on the name of the Azure Key Vault that you want to examine.

06 In the navigation panel, under Settings, select Certificates to access the SSL certificates deployed in the selected vault.

07 On the Certificates page, under Completed, click on the active SSL certificate that you want to examine. The status for an active certificate is set to Enabled.

08 On the selected certificate page, click on the Issuance Policy button from the dashboard top menu to access the certificate's issuance policy.

09 On the Issuance Policy page, click on the Advanced Policy Configuration tab and check the certificate key type available in the Key Type section. If the type of the key is RSA, check the key size set for the Key Size configuration setting. If the verified key size value is lower than the minimum key size allowed within your organization, the selected Microsoft Azure Key Vault RSA certificate does not have the appropriate key size.

10 Repeat steps no. 7 – 9 for each certificate available in the selected vault.

11 Repeat steps no. 5 – 10 for each Azure Key Vault created within the selected subscription.

12 Repeat steps no. 3 – 11 for each subscription available in your Microsoft Azure cloud account.

Using Azure CLI

01 Run keyvault list command (Windows/macOS/Linux) with a custom query filter to list the names of all Key Vaults created in the current Azure subscription:

az keyvault list \
    --query '[*].name'

02 The command output should return the requested Azure Key Vault names:

[
  "cc-project5-app-vault",
  "cc-internal-app-vault"
]

03 Run keyvault certificate list command (Windows/macOS/Linux) using the name of the Key Vault that you want to examine as the identifier parameter to list the IDs of all the active (enabled) SSL certificates available within the selected vault:

az keyvault certificate list \
    --vault-name "cc-project5-app-vault" \
    --query '[?(attributes.enabled==`true`)].id'

04 The command output should return an array with the requested certificate identifiers:

[
	"https://cc-project5-app-vault.vault.azure.net/certificates/cloudconformity",
	"https://cc-project5-app-vault.vault.azure.net/certificates/cloudrealisation"
]

05 Run keyvault certificate show command (Windows/macOS/Linux) using the ID of the SSL certificate that you want to examine as the identifier parameter and a custom query filter to describe the key type used by the selected Key Vault certificate:

az keyvault certificate show \
    --id https://cc-project5-app-vault.vault.azure.net/certificates/cloudconformity \
    --query 'policy.keyProperties.keyType'

06 The command output should return the requested information for the selected certificate:

"RSA"

07 If the key type verified at the previous step is RSA, run keyvault certificate show command (Windows/macOS/Linux) again to describe the key size used by the selected Key Vault certificate:

az keyvault certificate show \
    --id https://cc-project5-app-vault.vault.azure.net/certificates/cloudconformity \
    --query 'policy.keyProperties.keySize'

08 The command output should return the key size configured for the selected certificate:

2048

If the value returned by the keyvault certificate show command output is lower than the minimum key size allowed within your organization, the selected Microsoft Azure Key Vault RSA certificate does not have the compliant (allowed) key size.

09 Repeat steps no. 5 – 8 for each SSL certificate available in the selected vault.

10 Repeat steps no. 3 – 9 for each Key Vault created within the current subscription.

11 Repeat steps no. 1 – 10 for each subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

To update the issuance policy attached to your Azure Key Vault certificates in order to increase their key size, perform the following operations:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Key vault to list all Key Vault instances available in the selected subscription.

05 Click on the name of the Azure Key Vault that you want to access.

06 In the navigation panel, under Settings, select Certificates to access the SSL certificates created in the selected vault.

07 On the Certificates page, under Completed, click on the active SSL certificate that you want to reconfigure (see Audit section part I to identify the right certificate).

08 On the selected certificate page, click on the Issuance Policy button from the dashboard top menu to access the issuance policy.

09 On the Issuance Policy page, click on the Advanced Policy Configuration tab, select the minimum key size allowed by your organization for the Key Size configuration setting, then choose OK to close the panel. Click Save to apply the changes.

10 Repeat steps no. 7 – 9 for each SSL certificate issued within the selected Key Vault.

11 Repeat steps no. 5 – 10 for each Azure Key Vault available in the selected subscription.

12 Repeat steps no. 3 – 11 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Replace the existing key size, available as value of the "keySize" property, with the minimum key size allowed by your organization, and save the "keyProperties" object to a JSON file named minimum-key-size.json:

{
    "keyProperties": {
          "keySize": 4096
    }
}

02 Run keyvault certificate set-attributes command (Windows/macOS/Linux) using the ID of the active SSL certificate that you want to reconfigure as the identifier parameter (see Audit section part II to identify the right certificate) to update the issuance policy assigned to the selected certificate with the key size configured at the previous step (i.e. minimum-key-size.json), in order to enhance the certificate key strength and comply with your organization's standards:

az keyvault certificate set-attributes \
    --id https://cc-project5-app-vault.vault.azure.net/certificates/cloudconformity \
    --policy @minimum-key-size.json

03 The command output should return the metadata available for the reconfigured certificate:

{
  "attributes": {
    "created": "2020-03-21T08:23:11+00:00",
    "enabled": true,
    "expires": "2021-03-21T08:23:11+00:00",
    "notBefore": "2020-03-21T08:13:11+00:00",
    "recoveryLevel": "Recoverable+Purgeable",
    "updated": "2020-03-21T12:35:39+00:00"
  },

    ...

    "keyProperties": {
      "curve": null,
      "exportable": true,
      "keySize": 4096,
      "keyType": "RSA",
      "reuseKey": false
    },

    ...

    "x509CertificateProperties": {
      "subject": "CN=cloudconformity.com",
      "subjectAlternativeNames": {
        "dnsNames": [],
        "emails": null,
        "upns": null
      },
      "validityInMonths": 12
    }
  }
}

04 Repeat steps no. 2 and 3 for each SSL certificate available in the selected vault.

05 Repeat steps no. 2 – 4 for each Azure Key Vault created within the current subscription.

06 Repeat steps no. 2 – 5 for each subscription available in your Microsoft Azure cloud account.
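The audit loop above (steps 5 to 8 of the Azure CLI audit) and the policy file from step 1 of the remediation can be scripted once the output of `az keyvault certificate show` is in hand. The example below is added here and is not Conformity's own tooling: it takes the certificate JSON (fed in as a constructed sample in the same shape the CLI returns), reports RSA and RSA-HSM certificates whose keySize is below the organization's minimum, skips EC keys (whose strength is set by the curve, not a bit length), and builds the keyProperties fragment for set-attributes. The vault and certificate names in the sample are constructed.

```python
"""Check Key Vault certificate policies against an organization-wide minimum RSA key size."""
import json

# Constructed sample in the shape returned by `az keyvault certificate show`
# (only the fields the check needs are included).
SAMPLE_CERTIFICATES = [
    {"id": "https://cc-project5-app-vault.vault.azure.net/certificates/cloudconformity",
     "policy": {"keyProperties": {"keyType": "RSA", "keySize": 2048}}},
    {"id": "https://cc-project5-app-vault.vault.azure.net/certificates/cloudrealisation",
     "policy": {"keyProperties": {"keyType": "RSA-HSM", "keySize": 4096}}},
    {"id": "https://cc-project5-app-vault.vault.azure.net/certificates/sample-ec-cert",
     "policy": {"keyProperties": {"keyType": "EC", "curve": "P-256", "keySize": None}}},
]

ALLOWED_RSA_SIZES = (2048, 3072, 4096)  # sizes Key Vault accepts for RSA keys


def rsa_key_size_finding(cert, minimum_bits):
    """Return a finding dict for a non-compliant RSA certificate, or None."""
    props = cert.get("policy", {}).get("keyProperties") or {}
    key_type = (props.get("keyType") or "").upper()
    if not key_type.startswith("RSA"):
        return None  # EC / EC-HSM keys are not measured in RSA bits
    size = props.get("keySize")
    # A missing keySize is treated as non-compliant rather than silently passed.
    if size is None or size < minimum_bits:
        return {"id": cert["id"], "keySize": size, "required": minimum_bits}
    return None


def audit(certs, minimum_bits):
    """Return findings for every certificate below the minimum RSA key size."""
    if minimum_bits not in ALLOWED_RSA_SIZES:
        raise ValueError(f"minimum must be one of {ALLOWED_RSA_SIZES}")
    return [f for f in (rsa_key_size_finding(c, minimum_bits) for c in certs) if f]


def remediation_policy(minimum_bits):
    """Build the policy fragment passed via `--policy @minimum-key-size.json`."""
    return {"keyProperties": {"keySize": minimum_bits}}


if __name__ == "__main__":
    for finding in audit(SAMPLE_CERTIFICATES, 4096):
        print(f"NON-COMPLIANT {finding['id']}: keySize={finding['keySize']}")
    with open("minimum-key-size.json", "w") as fh:
        json.dump(remediation_policy(4096), fh, indent=4)
```

Updating the policy changes the key generated for the next certificate version; the currently issued version keeps the key it was created with, so create a new version after applying the policy.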


Publication date Apr 7, 2020