Check for Allowed Certificate Key Types

Risk Level: Medium (should be achieved)
Rule ID: KeyVault-014

Ensure that your Microsoft Azure Key Vault SSL certificates are using the allowed key type(s) for security and compliance purposes. Prior to running this rule by the Cloud Conformity engine, the allowed certificate key type(s) must be configured within the rule settings, on the Cloud Conformity account dashboard.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Having the right key type set for your Azure Key Vault SSL certificates will enforce the best practices as specified in the security and compliance regulations implemented within your organization.


Audit

To determine if your Azure Key Vault SSL certificates are using the key type(s) allowed by your organization, perform the following operations:

Using Azure Portal

01 Sign in to your Cloud Conformity account, access the Check for Allowed Certificate Key Types conformity rule settings and identify the certificate key type(s) allowed within your organization.

02 Sign in to Azure Management Console.

03 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

04 Choose the Azure subscription that you want to access from the Subscription filter box.

05 From the Type filter box, select Key vaults to list all Key Vault instances available in the selected subscription.

06 Click on the name of the Azure Key Vault that you want to examine.

07 In the navigation panel, under Settings, select Certificates to access the SSL certificates deployed in the selected vault.

08 On the Certificates page, under Completed, click on the active SSL certificate that you want to examine. The status for an active certificate is set to Enabled.

09 On the selected certificate page, click on the Issuance Policy button from the dashboard top menu to access the certificate's issuance policy.

10 On the Issuance Policy page, click on the Advanced Policy Configuration tab and check the certificate key type shown in the Key Type section. If the key type found is different from the one(s) identified at step no. 1, the selected Microsoft Azure Key Vault SSL certificate does not have the appropriate key type.

11 Repeat steps no. 8 – 10 for each certificate deployed within the selected vault.

12 Repeat steps no. 6 – 11 for each Azure Key Vault available in the selected subscription.

13 Repeat steps no. 4 – 12 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Sign in to your Cloud Conformity account, access the Check for Allowed Certificate Key Types conformity rule settings and identify the certificate key type(s) allowed within your organization.

02 Run keyvault list command (Windows/macOS/Linux) using custom query filters to list the names of all Key Vaults created in the current Azure subscription:

az keyvault list \
	--query '[*].name'

03 The command output should return the requested Azure Key Vault names:

[
  "cc-internal-app-vault",
  "cc-development-vault"
]

04 Run keyvault certificate list command (Windows/macOS/Linux) using the name of the Key Vault that you want to examine as identifier parameter to list the IDs of all the active SSL certificates available within the selected vault:

az keyvault certificate list \
	--vault-name "cc-internal-app-vault" \
	--query '[?(attributes.enabled==`true`)].id'

05 The command output should return an array with the requested certificate identifiers:

[
  "https://cc-internal-app-vault.vault.azure.net/certificates/cloudconformity",
  "https://cc-internal-app-vault.vault.azure.net/certificates/cloudrealisation"
]

06 Run keyvault certificate show command (Windows/macOS/Linux) using the ID of the SSL certificate that you want to examine as identifier parameter and custom query filters to describe the key type used by the selected Key Vault certificate:

az keyvault certificate show \
	--id https://cc-internal-app-vault.vault.azure.net/certificates/cloudconformity \
	--query 'policy.keyProperties.keyType'

07 The command output should return the requested information for the selected certificate:

"EC"

If the key type returned by the keyvault certificate show command is different from the one(s) identified at step no. 1, the selected Microsoft Azure Key Vault SSL certificate does not use the compliant key type.

08 Repeat step no. 6 and 7 for each SSL certificate deployed in the selected vault.

09 Repeat steps no. 4 – 8 for each Key Vault available within the current subscription.

10 Repeat steps no. 2 – 9 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To reconfigure the issuance policy associated with your Azure Key Vault certificates in order to change their key type, perform the following operations:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Key vaults to list all Key Vault instances available in the selected subscription.

05 Click on the name of the Azure Key Vault that you want to access.

06 In the navigation panel, under Settings, select Certificates to access the SSL certificates created in the selected vault.

07 On the Certificates page, under Completed, click on the active SSL certificate that you want to reconfigure (see Audit section part I to identify the right certificate).

08 On the selected certificate page, click on the Issuance Policy button from the dashboard top menu to access the policy.

09 On the Issuance Policy page, click on the Advanced Policy Configuration tab, select the key type allowed by your organization for the Key Type configuration setting, then choose OK to close the panel. Click Save to apply the changes.

10 Repeat steps no. 7 – 9 for each SSL certificate issued in the selected Key Vault.

11 Repeat steps no. 5 – 10 for each Azure Key Vault available in the selected subscription.

12 Repeat steps no. 3 – 11 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Replace the existing key type, available as value of the "keyType" property, with the compliant key type allowed by your organization, and save the "keyProperties" object to a JSON file named allowed-key-type.json. In this case the certificate key type allowed is RSA:

{
    "keyProperties": {
          "curve": "",
          "keySize": 4096,
          "keyType": "RSA"
    }
}

02 Run keyvault certificate set-attributes command (Windows/macOS/Linux) using the ID of the active SSL certificate that you want to reconfigure as identifier parameter (see Audit section part II to identify the right certificate) to update the issuance policy assigned to the selected certificate with the key type defined at the previous step (i.e. allowed-key-type.json), in order to follow security best practices and comply with the organization standards:

az keyvault certificate set-attributes \
	--id https://cc-internal-app-vault.vault.azure.net/certificates/cloudconformity \
	--policy @allowed-key-type.json

03 The command output should return the metadata available for the reconfigured certificate:

{
  "attributes": {
    "created": "2020-03-20T18:36:54+00:00",
    "enabled": true,
    "expires": "2021-03-20T18:36:54+00:00",
    "notBefore": "2020-03-20T18:26:54+00:00",
    "recoveryLevel": "Recoverable+Purgeable",
    "updated": "2020-03-20T18:48:39+00:00"
  },

    ...

    "keyProperties": {
      "exportable": true,
      "keySize": 4096,
      "keyType": "RSA",
      "reuseKey": false
    },

    ...

    "x509CertificateProperties": {
      "subject": "CN=cloudconformity.com",
      "subjectAlternativeNames": {
        "dnsNames": [],
        "emails": null,
        "upns": null
      },
      "validityInMonths": 12
    }
  }
}

04 Repeat step no. 2 and 3 for each SSL certificate issued within the current vault.

05 Repeat steps no. 2 – 4 for each Azure Key Vault available in the current subscription.

06 Repeat steps no. 2 – 5 for each subscription created in your Microsoft Azure cloud account.
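The Azure CLI audit (steps 2 – 10 above) and remediation (steps 1 – 6) can be run as one script over every subscription in the account. The script below is an added example, not Conformity's own tooling: it assumes a signed-in Azure CLI, and the ALLOWED_KEY_TYPES, FIX_KEY_TYPE and FIX_KEY_SIZE values are placeholders to be replaced with the settings of rule KeyVault-014 in your account.

```shell
#!/bin/sh
# Added example (not part of the Conformity rule page): audit every enabled
# Key Vault certificate against the allowed key types and, with --fix,
# rewrite the issuance policy of each non-compliant certificate.
set -eu

ALLOWED_KEY_TYPES="${ALLOWED_KEY_TYPES:-RSA RSA-HSM}"   # placeholder: from rule settings
FIX_KEY_TYPE="${FIX_KEY_TYPE:-RSA}"                     # placeholder: key type written on --fix
FIX_KEY_SIZE="${FIX_KEY_SIZE:-4096}"                    # placeholder: key size written on --fix

# Returns 0 when key type $1 is in ALLOWED_KEY_TYPES, 1 otherwise.
key_type_allowed() {
  for a in $ALLOWED_KEY_TYPES; do [ "$a" = "$1" ] && return 0; done
  return 1
}

# Builds the policy fragment used in the Remediation section for key type $1
# and key size $2 ("curve" is left empty because it only applies to EC keys).
policy_json() {
  printf '{"keyProperties": {"curve": "", "keySize": %s, "keyType": "%s"}}\n' "$2" "$1"
}

# Audits the current subscription: prints "NON-COMPLIANT <cert id> <keyType>"
# per finding and, when $1 is --fix, updates that certificate's issuance policy.
# The new key type applies to the certificate's next issuance/renewal, not to
# the version currently deployed.
audit_subscription() {
  for vault in $(az keyvault list --query '[*].name' -o tsv); do
    for id in $(az keyvault certificate list --vault-name "$vault" \
                 --query '[?attributes.enabled==`true`].id' -o tsv); do
      kt=$(az keyvault certificate show --id "$id" \
             --query 'policy.keyProperties.keyType' -o tsv)
      key_type_allowed "$kt" && continue
      echo "NON-COMPLIANT $id $kt"
      if [ "${1:-}" = "--fix" ]; then
        policy_json "$FIX_KEY_TYPE" "$FIX_KEY_SIZE" > allowed-key-type.json
        az keyvault certificate set-attributes --id "$id" \
          --policy @allowed-key-type.json --query 'policy.keyProperties.keyType' -o tsv
      fi
    done
  done
}

# Walk every subscription in the account (audit step 10 / remediation step 6).
if [ "${1:-}" = "--audit" ] || [ "${1:-}" = "--fix" ]; then
  for sub in $(az account list --query '[].id' -o tsv); do
    az account set --subscription "$sub"
    audit_subscription "$1"
  done
fi
```

Run it with --audit first and review the findings before using --fix, since set-attributes changes the issuance policy of every certificate reported.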

Publication date Apr 7, 2020