End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One

Check for Certificate Validity Period

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the SSL certificates stored in Azure Key Vault have a validity period of no more than 12 months to minimize the opportunity for attackers to exploit a compromised certificate, align with industry best practices (the current maximum is about 13 months), and encourage automated certificate rotation.

Security
Operational excellence

A longer duration for SSL certificates prolongs the period between security validation checks, which increases the risk of security vulnerabilities. Utilizing shorter validity periods is an effective solution because algorithm changes and up-to-date security standards can be automatically incorporated during the more frequent renewal process, thus minimizing the waiting time for adoption.


Audit

To determine the validity period configured for your Azure Key Vault certificates, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Type for Filter, select Equals for Operator, choose Key vault for Value, and select Apply to list all the Azure Key Vaults available in the selected subscription.

05 Click on the name (link) of the Azure Key Vault that you want to examine.

06 In the left navigation panel, under Objects, select Certificates to access the SSL certificates stored in the selected Key Vault.

07 Click on the name of the active SSL certificate that you want to examine, listed in the Completed section. An active SSL certificate has the Status set to Enabled.

08 On the selected certificate page, choose Issuance Policy from the console top menu to access the certificate's issuance policy.

09 On the Issuance Policy page, check the configuration value available in the Validity Period (in months) box to determine the certificate validity period. If Validity Period (in months) is greater than 12, the certificate configuration is non-compliant with industry standards, increasing the risk of using long-lived, potentially compromised, or misissued certificates.

10 Repeat steps no. 7 – 9 for each certificate deployed within the selected vault.

11 Repeat steps no. 5 – 10 for each Azure Key Vault available in the selected subscription.

12 Repeat steps no. 3 – 11 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run keyvault list command (Windows/macOS/Linux) with custom query filters to list the names of all Key Vaults created within the current Azure subscription:

az keyvault list
	--query '[*].name'

05 The command output should return the requested Azure Key Vault names:

[
	"cc-internal-app-vault",
	"cc-development-vault"
]

06 Run keyvault certificate list command (Windows/macOS/Linux) with the name of the Azure Key Vault that you want to examine as the identifier parameter to list the IDs of all the active SSL certificates stored within the selected Key Vault:

az keyvault certificate list
	--vault-name "cc-internal-app-vault"
	--query '[?(attributes.enabled==`true`)].id'

07 The command output should return an array with the requested certificate identifiers:

[
	"https://cc-internal-app-vault.vault.azure.net/certificates/trendmicro",
	"https://cc-internal-app-vault.vault.azure.net/certificates/cloudconformity"
]

08 Run keyvault certificate show command (Windows/macOS/Linux) with the ID of the SSL certificate that you want to examine as the identifier parameter and custom query filters to describe the validity period configured for the selected certificate:

az keyvault certificate show
	--id https://cc-internal-app-vault.vault.azure.net/certificates/trendmicro
	--query 'policy.x509CertificateProperties.validityInMonths'

09 The command output should return the certificate validity period in number of months:

24

If the value (integer) returned by the keyvault certificate show command output is greater than 12, the certificate configuration is non-compliant with industry standards, increasing the risk of using long-lived, potentially compromised, or misissued certificates.

10 Repeat steps no. 8 and 9 for each SSL certificate deployed in the selected vault.

11 Repeat steps no. 6 – 10 for each Key Vault available within the current subscription.

12 Repeat steps no. 3 – 11 for each subscription created in your Microsoft Azure cloud account.
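As an added example (not part of this Conformity article and not an Azure CLI feature), the following Python script automates the CLI audit above: it walks subscriptions, vaults and enabled certificates with the same az commands and reports every certificate whose issuance policy allows more than 12 months. It assumes a signed-in Azure CLI on PATH when run as a script; the SAMPLE_CERTIFICATES data is constructed to mirror the az keyvault certificate show output, and it deliberately covers validityInMonths printed as a quoted string as well as an integer, since both forms occur in practice.

```python
"""Audit Azure Key Vault certificate validity periods via the Azure CLI (added example)."""
import json
import subprocess
from typing import Any, Dict, List, Optional, Tuple

MAX_VALIDITY_MONTHS = 12  # threshold used by the check above


def run_az(args: List[str]) -> Any:
    """Run an `az` command and return its parsed JSON output (requires a signed-in Azure CLI)."""
    completed = subprocess.run(["az", *args, "--output", "json"],
                               check=True, capture_output=True, text=True)
    return json.loads(completed.stdout)


def parse_validity_months(value: Any) -> Optional[int]:
    """Normalise validityInMonths: the CLI may print 24 or "24"; anything unparseable -> None."""
    if value is None or isinstance(value, bool):
        return None
    if isinstance(value, int):
        return value
    text = str(value).strip()
    return int(text) if text.isdigit() else None


def noncompliant_certificates(cert_descriptions: List[Dict[str, Any]],
                              max_months: int = MAX_VALIDITY_MONTHS
                              ) -> List[Tuple[str, Optional[int]]]:
    """Return (certificate id, validity months) for enabled certificates whose issuance
    policy allows more than max_months. A missing validity period is reported too, because
    such a certificate cannot be shown to be compliant."""
    findings: List[Tuple[str, Optional[int]]] = []
    for cert in cert_descriptions:
        if not cert.get("attributes", {}).get("enabled", False):
            continue  # disabled certificates are out of scope, as in steps 6-7 above
        months = parse_validity_months(
            cert.get("policy", {}).get("x509CertificateProperties", {}).get("validityInMonths"))
        if months is None or months > max_months:
            findings.append((cert["id"], months))
    return findings


def audit_subscription(subscription_id: str) -> List[Tuple[str, Optional[int]]]:
    """Steps 3-11 of the CLI audit: select the subscription, then walk every vault and
    every enabled certificate, describing each one to read its issuance policy."""
    run_az(["account", "set", "--subscription", subscription_id])
    findings: List[Tuple[str, Optional[int]]] = []
    for vault_name in run_az(["keyvault", "list", "--query", "[*].name"]):
        cert_ids = run_az(["keyvault", "certificate", "list", "--vault-name", vault_name,
                           "--query", "[?attributes.enabled==`true`].id"])
        descriptions = [run_az(["keyvault", "certificate", "show", "--id", cert_id])
                        for cert_id in cert_ids]
        findings.extend(noncompliant_certificates(descriptions))
    return findings


# Constructed sample, shaped like `az keyvault certificate show` output (not real vault data).
VAULT = "https://cc-internal-app-vault.vault.azure.net/certificates/"
SAMPLE_CERTIFICATES = [
    {"id": VAULT + "trendmicro", "attributes": {"enabled": True},
     "policy": {"x509CertificateProperties": {"validityInMonths": "24"}}},   # string form
    {"id": VAULT + "cloudconformity", "attributes": {"enabled": True},
     "policy": {"x509CertificateProperties": {"validityInMonths": 12}}},     # compliant
    {"id": VAULT + "legacy", "attributes": {"enabled": False},
     "policy": {"x509CertificateProperties": {"validityInMonths": 36}}},     # disabled: skipped
    {"id": VAULT + "nopolicy", "attributes": {"enabled": True}, "policy": {}},  # unknown period
]


if __name__ == "__main__":
    # Step 1: list subscriptions, then audit each one (steps 2-12).
    for sub in run_az(["account", "list", "--query", "[*].id"]):
        for cert_id, months in audit_subscription(sub):
            print(f"NON-COMPLIANT {cert_id}: validityInMonths={months}")
```

Running the script prints one line per non-compliant certificate across all subscriptions; the pure function noncompliant_certificates can be exercised offline on SAMPLE_CERTIFICATES, where it flags the 24-month and the policy-less certificate but not the disabled one.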

Remediation / Resolution

To update the issuance policy attached to your Azure Key Vault certificates in order to reduce their validity period to 12 months or less, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Type for Filter, select Equals for Operator, choose Key vault for Value, and select Apply to list all the Azure Key Vaults available in the selected subscription.

05 Click on the name (link) of the Azure Key Vault that you want to access.

06 In the left navigation panel, under Objects, select Certificates to access the SSL certificates stored in the selected Key Vault.

07 Click on the name of the active SSL certificate that you want to configure, listed in the Completed section. An active SSL certificate has the Status set to Enabled.

08 On the selected certificate page, choose Issuance Policy from the console top menu to access the certificate's issuance policy.

09 On the Issuance Policy page, set the Validity Period (in months) value to an integer between 1 and 12, inclusive. Choose Save to apply the changes.

10 Repeat steps no. 7 – 9 for each SSL certificate issued in the selected Key Vault.

11 Repeat steps no. 5 – 10 for each Azure Key Vault available in the selected subscription.

12 Repeat steps no. 3 – 11 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Replace the existing validity period, available as value of the "validityInMonths" property, with a value between 1 and 12, inclusive, and save the "x509CertificateProperties" object to a JSON file named compliant-validity-period.json:

{
	"x509CertificateProperties": {
		"validityInMonths": 12
	}
}

05 Run keyvault certificate set-attributes command (Windows/macOS/Linux) with the ID of the active SSL certificate that you want to configure as the identifier parameter, to update the issuance policy assigned to the selected certificate with the new validity period defined in the previous step (i.e., compliant-validity-period.json) in order to follow security best practices and comply with the industry standards:

az keyvault certificate set-attributes
	--id https://cc-internal-app-vault.vault.azure.net/certificates/trendmicro
	--policy @compliant-validity-period.json

06 The command output should return the information available for the configured certificate:

{
	"attributes": {
		"created": "2025-11-10T09:49:11+00:00",
		"enabled": true,
		"expires": "2027-11-10T09:49:11+00:00",
		"notBefore": "2025-11-10T09:39:11+00:00",
		"recoveryLevel": "Recoverable+Purgeable",
		"updated": "2025-11-10T09:49:11+00:00"
	},
	"contentType": null,
	"id": "https://cc-internal-app-vault.vault.azure.net/certificates/trendmicro/abcdabcdabcdabcdabcdabcdabcdabcd",
	"kid": "https://cc-internal-app-vault.vault.azure.net/keys/trendmicro/abcdabcdabcdabcdabcdabcdabcdabcd",
	"name": "trendmicro",
	"policy": {
		"attributes": {
			"created": "2025-11-10T09:49:10+00:00",
			"enabled": true,
			"expires": null,
			"notBefore": null,
			"recoveryLevel": null,
			"updated": "2025-11-10T10:32:36+00:00"
		},
		"id": "https://cc-internal-app-vault.vault.azure.net/certificates/trendmicro/policy",
		"issuerParameters": {
			"certificateTransparency": null,
			"certificateType": null,
			"name": "Self"
		},
		"keyProperties": {
			"curve": null,
			"exportable": true,
			"keySize": 2048,
			"keyType": "RSA",
			"reuseKey": false
		},
		"lifetimeActions": [
		{
			"action": {
				"actionType": "AutoRenew"
			},
			"trigger": {
				"daysBeforeExpiry": null,
				"lifetimePercentage": 90
			}
		}
		],
		"secretProperties": {
			"contentType": "application/x-pem-file"
		},
		"x509CertificateProperties": {
			"keyUsage": [
				"digitalSignature",
				"keyEncipherment"
			],
			"subject": "CN=trendmicro.com",
			"subjectAlternativeNames": {
				"dnsNames": null,
				"emails": null,
				"upns": null
			},
			"validityInMonths": 12
		}
	},
	"sid": "https://cc-internal-app-vault.vault.azure.net/secrets/trendmicro/abcdabcdabcdabcdabcdabcdabcdabcd",
	"tags": {}
}

07 Repeat steps no. 4 – 6 for each SSL certificate issued within the current vault.

08 Repeat steps no. 4 – 7 for each Azure Key Vault available in the current subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.
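As an added example (not part of this Conformity article and not an Azure CLI feature), the following Python code performs steps 4 and 5 above and then interprets the set-attributes output from step 6. The point it makes is visible in that output: the policy now says validityInMonths 12, but the certificate version that is already issued still expires two years after its notBefore date, because an issuance policy governs the next issuance or renewal rather than the current version. The helper therefore reports whether a renewal is still needed. It assumes a signed-in Azure CLI on PATH when run as a script; SAMPLE_OUTPUT is a constructed, abbreviated copy of the step 6 shape.

```python
"""Apply a compliant validity period to a Key Vault certificate and verify it (added example)."""
import json
import subprocess
import sys
import tempfile
from datetime import datetime
from typing import Any, Dict, List

MAX_VALIDITY_MONTHS = 12  # threshold used by the check above


def run_az(args: List[str]) -> Any:
    """Run an `az` command and return its parsed JSON output (requires a signed-in Azure CLI)."""
    completed = subprocess.run(["az", *args, "--output", "json"],
                               check=True, capture_output=True, text=True)
    return json.loads(completed.stdout)


def compliant_policy(months: int) -> Dict[str, Any]:
    """Step 4: build the policy fragment. The value is an integer, matching the
    validityInMonths shown in the set-attributes output; anything outside 1..12 is rejected."""
    if not isinstance(months, int) or not 1 <= months <= MAX_VALIDITY_MONTHS:
        raise ValueError(f"validityInMonths must be an integer between 1 and "
                         f"{MAX_VALIDITY_MONTHS}, got {months!r}")
    return {"x509CertificateProperties": {"validityInMonths": months}}


def issued_lifetime_months(cert_description: Dict[str, Any]) -> int:
    """Whole months between notBefore and expires of the currently issued certificate version."""
    attrs = cert_description["attributes"]
    start = datetime.fromisoformat(attrs["notBefore"])
    end = datetime.fromisoformat(attrs["expires"])
    return (end.year - start.year) * 12 + (end.month - start.month)


def remediation_status(cert_description: Dict[str, Any],
                       max_months: int = MAX_VALIDITY_MONTHS) -> Dict[str, Any]:
    """Interpret the set-attributes output (step 6). The policy change applies to the next
    issuance, so the already-issued version keeps its original expiry until it is renewed;
    renewal_needed is True while that issued lifetime still exceeds the threshold."""
    policy_months = int(cert_description["policy"]["x509CertificateProperties"]["validityInMonths"])
    issued_months = issued_lifetime_months(cert_description)
    return {
        "policy_compliant": policy_months <= max_months,
        "issued_lifetime_months": issued_months,
        "renewal_needed": issued_months > max_months,
    }


def set_validity_period(certificate_id: str, months: int) -> Dict[str, Any]:
    """Step 5: write the policy to a JSON file and apply it with set-attributes --policy @file."""
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as fh:
        json.dump(compliant_policy(months), fh)
        policy_path = fh.name
    return run_az(["keyvault", "certificate", "set-attributes",
                   "--id", certificate_id, "--policy", f"@{policy_path}"])


# Constructed sample, abbreviated from the shape of the step 6 output (not real vault data).
SAMPLE_OUTPUT = {
    "attributes": {"enabled": True,
                   "notBefore": "2025-11-10T09:39:11+00:00",
                   "expires": "2027-11-10T09:49:11+00:00"},
    "id": "https://cc-internal-app-vault.vault.azure.net/certificates/trendmicro/PLACEHOLDER-VERSION",
    "policy": {"x509CertificateProperties": {"validityInMonths": 12}},
}


if __name__ == "__main__":
    # Usage: python fix_validity.py https://<vault>.vault.azure.net/certificates/<name>
    output = set_validity_period(sys.argv[1], MAX_VALIDITY_MONTHS)
    print(json.dumps(remediation_status(output), indent=2))
```

On the sample output the status is policy_compliant True, issued_lifetime_months 24 and renewal_needed True: the policy fix is in place, but the 24-month certificate version stays in use until the next renewal (here driven by the AutoRenew lifetime action at 90%), so a follow-up audit of expires, not only of the policy, shows when the long-lived version is actually gone.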

Publication date Nov 7, 2025