
Enable SSL Certificate Auto-Renewal

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: KeyVault-006

Microsoft Azure Key Vault service can renew your SSL certificates automatically in order to prevent any application or service outage, credential leak, or process violation that can disrupt your business. As long as your information with the public Certificate Authority (CA) is up-to-date, the Auto-Renewal feature does not require any action from you. The Key Vault service retrieves the new certificate before your old one expires, and the Azure App Service picks up the renewed certificate automatically and performs the SSL re-binding.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

When SSL certificates are not renewed prior to their expiration date, they become invalid and the communication between the client and the Azure service or application that implements the certificates is no longer secure and may become interrupted. Configuring the Key Vault service to send an email notification just before your SSL certificates expire does not guarantee success, therefore to reduce the chances of an outage or to prevent insecure communication between the application and its clients, Cloud Conformity strongly recommends enabling the Auto-Renewal feature. Once Auto-Renewal is enabled, when your certificate is about to expire, Azure Key Vault attempts to renew the certificate using the public CA that you provided.

Note: Having an up-to-date public Certificate Authority (CA) is vital for the Auto-Renewal feature. This conformity rule assumes that your public CA is valid and active within your Azure Key Vault service settings.

Audit

To determine if Auto-Renewal is enabled for your Azure Key Vault SSL certificates, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Portal.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Key vault to list all Key Vault instances available in the selected subscription.

05 Click on the name of the Azure Key Vault that you want to examine.

06 In the navigation panel, under Settings, select Certificates to access the certificates deployed in the selected vault.

07 On the Certificates page, under Completed, click on the active SSL certificate that you want to examine. The status for an active certificate is set to Enabled.

08 On the selected certificate page, click on the Issuance Policy button from the dashboard top menu and check the Lifetime Action Type dropdown list configuration. If Lifetime Action Type is not set to Automatically renew at a given percentage lifetime or Automatically renew at a given number of days before expiry, the Auto-Renewal feature is not enabled for the selected Azure Key Vault SSL certificate.

09 Repeat steps no. 7 and 8 for each certificate deployed within the selected vault.

10 Repeat steps no. 5 – 9 for each Azure Key Vault available in the selected subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the keyvault list command (Windows/macOS/Linux) using custom query filters to list the names of all Key Vault instances created in the current Azure subscription:

az keyvault list \
	--query '[*].name'

02 The command output should return the requested Azure Key Vault names:

[
  "cc-webapp-key-vault",
  "cc-internal-app-vault"
]

03 Run the keyvault certificate list command (Windows/macOS/Linux) using the name of the Key Vault instance that you want to examine as the identifier parameter to list the IDs of all the active SSL certificates issued in the selected vault:

az keyvault certificate list \
	--vault-name "cc-webapp-key-vault" \
	--query '[?(attributes.enabled==`true`)].id'

04 The command output should return an array with the requested certificate identifiers:

[
"https://cc-webapp-key-vault.vault.azure.net/certificates/cloudconformity",
"https://cc-webapp-key-vault.vault.azure.net/certificates/cloudrealisation"
]

05 Run the keyvault certificate show command (Windows/macOS/Linux) using the ID of the SSL certificate that you want to examine as the identifier parameter and custom query filters to get the lifetime action type configured for the issuance policy associated with the selected certificate:

az keyvault certificate show \
	--id "https://cc-webapp-key-vault.vault.azure.net/certificates/cloudconformity" \
	--query 'policy.lifetimeActions[*].action.actionType'

06 The command output should return the name of the lifetime action type configured for the specified certificate:

[
  "EmailContacts"
]

If the keyvault certificate show command output returns "EmailContacts", as shown in the example above, the certificate owner/administrator receives only an email notification before the certificate expires, therefore the Auto-Renewal feature is not enabled for the selected Azure Key Vault SSL certificate.

07 Repeat steps no. 5 and 6 for each SSL certificate available in the current vault.

08 Repeat steps no. 3 – 6 for each Key Vault instance available within the current subscription.

09 Repeat steps no. 1 – 8 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To enable and configure the Auto-Renewal feature for all your Azure Key Vault SSL certificates, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Portal.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Key vault to list all Key Vault instances available in the selected subscription.

05 Click on the name of the Azure Key Vault that you want to access.

06 In the navigation panel, under Settings, select Certificates to access the certificates created in the selected vault.

07 On the Certificates page, under Completed, click on the active SSL certificate that you want to reconfigure (see Audit section part I to identify the right certificate).

08 On the selected certificate page, click on the Issuance Policy button from the dashboard top menu to access the policy.

09 On the Issuance Policy page, perform the following operations:

  1. Select the Automatically renew at a given number of days before expiry option from the Lifetime Action Type dropdown list to enable the Auto-Renewal feature.
  2. In the Number of Days Before Expiry box, type the number of days before certificate expiration when to automatically trigger the renewal process.
  3. Click Save to apply the changes.

10 Repeat steps no. 7 – 9 for each SSL certificate issued within the selected Key Vault.

11 Repeat steps no. 5 – 10 for each Azure Key Vault available in the selected subscription.

12 Repeat steps no. 3 – 11 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the keyvault certificate show command (Windows/macOS/Linux) using the ID of the SSL certificate that you want to reconfigure as the identifier parameter and custom query filters to describe the lifetime actions configuration for the issuance policy associated with the selected certificate:

az keyvault certificate show \
	--id "https://cc-webapp-key-vault.vault.azure.net/certificates/cloudconformity" \
	--query '{"lifetimeActions":policy.lifetimeActions}'

02 The command output should return the requested configuration in JSON encoded format:

{
  "lifetimeActions": [
    {
      "action": {
        "actionType": "EmailContacts"
      },
      "trigger": {
        "daysBeforeExpiry": 3,
        "lifetimePercentage": null
      }
    }
  ]
}

03 Change the "actionType" property value from "EmailContacts" to "AutoRenew", set the appropriate value for "daysBeforeExpiry", and save the content to a JSON file named lifetime-actions-config.json. The following lifetime actions configuration will enable the Auto-Renewal feature and automatically trigger the renewal process 7 days before certificate expiration:

{
  "lifetimeActions": [
    {
      "action": {
        "actionType": "AutoRenew"
      },
      "trigger": {
        "daysBeforeExpiry": 7,
        "lifetimePercentage": null
      }
    }
  ]
}

04 Run the keyvault certificate set-attributes command (Windows/macOS/Linux) using the ID of the active SSL certificate that you want to reconfigure as the identifier parameter (see Audit section part II to identify the right certificate), to update the issuance policy assigned to the selected certificate with the lifetime actions object defined at the previous step (i.e. lifetime-actions-config.json) in order to enable the Auto-Renewal feature:

az keyvault certificate set-attributes \
	--id "https://cc-webapp-key-vault.vault.azure.net/certificates/cloudconformity" \
	--policy @lifetime-actions-config.json

05 The command output should return the metadata available for the reconfigured certificate:

{
  "attributes": {
    "created": "2019-12-19T08:55:00+00:00",
    "enabled": true,
    "expires": "2020-01-19T08:55:00+00:00",
    "notBefore": "2019-12-20T08:45:00+00:00",
    "recoveryLevel": "Purgeable",
    "updated": "2019-12-20T11:01:56+00:00"
  },

  ...

  "policy": {
    "attributes": {
      "created": "2019-12-19T08:54:41+00:00",
      "enabled": true,
      "expires": null,
      "notBefore": null,
      "recoveryLevel": null,
      "updated": "2019-12-19T11:01:56+00:00"
    },

    ...

    "lifetimeActions": [
      {
        "action": {
          "actionType": "AutoRenew"
        },
        "trigger": {
          "daysBeforeExpiry": 7,
          "lifetimePercentage": null
        }
      }
    ],

    ...

    "x509CertificateProperties": {
      "subject": "CN=cloudconformity.com",
      "subjectAlternativeNames": {
        "dnsNames": [],
        "emails": null,
        "upns": null
      },
      "validityInMonths": 12
    }
  },

  ...

  "sid": "https://cc-webapp-key-vault.vault.azure.net/secrets/cloudconformity/abcdabcdabcdabcdabcdabcdabcdabcd",
  "tags": null
}

06 Repeat steps no. 1 – 5 for each SSL certificate issued within the current vault.

07 Repeat steps no. 1 – 6 for each Azure Key Vault available in the current subscription.

08 Repeat steps no. 1 – 7 for each subscription created in your Microsoft Azure cloud account.
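The following Python helper, added here as an example and not part of the Conformity rule or the Azure CLI, automates the decision made in the Audit section (Azure CLI, steps 5 and 6) and produces the lifetime-actions-config.json content used in the Remediation section (Azure CLI, step 3). SAMPLE_CERT is a constructed stand-in for the JSON that az keyvault certificate show prints, and apply_policy is an assumed local model of the change that set-attributes --policy makes on the vault.

```python
import copy

# Constructed sample (not the page's real output), in the shape that
# `az keyvault certificate show --id ...` prints for an email-only policy.
SAMPLE_CERT = {
    "id": "https://cc-webapp-key-vault.vault.azure.net/certificates/cloudconformity",
    "attributes": {"enabled": True},
    "policy": {"lifetimeActions": [
        {"action": {"actionType": "EmailContacts"},
         "trigger": {"daysBeforeExpiry": 3, "lifetimePercentage": None}},
    ]},
}


def auto_renew_enabled(cert):
    """True if the issuance policy carries an AutoRenew lifetime action.
    Every entry is inspected: a policy may list more than one action."""
    actions = (cert.get("policy") or {}).get("lifetimeActions") or []
    return any(a.get("action", {}).get("actionType") == "AutoRenew"
               for a in actions)


def audit(cert):
    """The Audit section's decision for one certificate, as a report line."""
    cert_id = cert.get("id", "<unknown>")
    if not cert.get("attributes", {}).get("enabled", False):
        return f"SKIPPED {cert_id}: certificate is disabled"
    if auto_renew_enabled(cert):
        return f"COMPLIANT {cert_id}: AutoRenew is configured"
    return f"NON-COMPLIANT {cert_id}: no AutoRenew lifetime action"


def auto_renew_policy(days_before_expiry=7):
    """Build the lifetimeActions document that the Remediation section saves
    as lifetime-actions-config.json (renew N days before expiry)."""
    if not isinstance(days_before_expiry, int) or days_before_expiry < 1:
        raise ValueError("daysBeforeExpiry must be a positive integer")
    return {"lifetimeActions": [{
        "action": {"actionType": "AutoRenew"},
        "trigger": {"daysBeforeExpiry": days_before_expiry,
                    "lifetimePercentage": None}}]}


def apply_policy(cert, policy):
    """Local stand-in (an assumption of this example) for the lifetimeActions
    change that `set-attributes --policy` makes on the stored policy."""
    updated = copy.deepcopy(cert)
    updated.setdefault("policy", {})["lifetimeActions"] = policy["lifetimeActions"]
    return updated
```

Feed each certificate's `az keyvault certificate show` output to audit() to classify it, and write json.dumps(auto_renew_policy(7)) to lifetime-actions-config.json for the set-attributes step.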

Publication date Aug 31, 2020