
Enable Certificate Transparency

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: KeyVault-012

Ensure that the Certificate Transparency feature is enabled for all Azure Key Vault SSL/TLS certificates in order to adhere to web security best practices. Certificate Transparency (CT) is a new Internet standard that addresses the concern of mis-issued certificates by making the Transport Layer Security (TLS) ecosystem publicly auditable. Without CT, as a domain owner you have no way of knowing which certificates have been issued for your domain, other than the ones you requested yourself. With Certificate Transparency, you can easily audit the quality of the certificates that a Certificate Authority (CA) issued and determine whether a certificate complies with the standards enforced by the Certification Authority Browser Forum, also known as the CA/Browser Forum.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Certificate Transparency aims to remediate SSL/TLS certificate-based threats by making the issuance process and the existence of the certificates open to scrutiny by domain owners, CAs, and domain users. Specifically, Certificate Transparency (CT) has three main goals:

Make it extremely difficult for a Certificate Authority (CA) to issue an SSL certificate for a domain without the certificate being visible to the owner of that domain.

Provide an open auditing and a monitoring system that allows any domain owner or CA to determine whether the SSL certificate has been mistakenly or maliciously issued.

Protect users from being duped by SSL certificates that were mistakenly or maliciously issued.


Audit

To determine if your Microsoft Azure Key Vault SSL/TLS certificates are configured to use certificate transparency, perform the following operations:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Key vault to list all Key Vault instances available in the selected subscription.

05 Click on the name of the Azure Key Vault that you want to examine.

06 In the navigation panel, under Settings, select Certificates to access the SSL certificates deployed in the selected vault.

07 On the Certificates page, under Completed, click on the active SSL certificate that you want to examine. The status for an active certificate is set to Enabled.

08 On the selected certificate page, click on the Issuance Policy button from the dashboard top menu to access the certificate's issuance policy.

09 On the Issuance Policy page, click on the Advanced Policy Configuration tab and check the Enable Certificate Transparency? setting status. If the configuration setting status is set to No, the Certificate Transparency feature is not enabled for the selected Azure Key Vault certificate.

10 Repeat steps no. 7 – 9 for each certificate issued within the selected vault.

11 Repeat steps no. 5 – 10 for each Azure Key Vault available in the selected subscription.

12 Repeat steps no. 3 – 11 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the keyvault list command (Windows/macOS/Linux) with a custom query filter to list the names of all Key Vaults created in the current Azure subscription:

az keyvault list \
	--query '[*].name'

02 The command output should return the requested Azure Key Vault names:

[
  "cc-production-key-vault",
  "cc-app-manager-key-vault"
]

03 Run the keyvault certificate list command (Windows/macOS/Linux) using the name of the Key Vault that you want to examine as the identifier parameter to list the IDs of all the active (enabled) SSL/TLS certificates available within the selected vault:

az keyvault certificate list \
	--vault-name "cc-production-key-vault" \
	--query '[?(attributes.enabled==`true`)].id'

04 The command output should return an array with the requested certificate identifiers:

[
  "https://cc-production-key-vault.vault.azure.net/certificates/cloudconformity",
  "https://cc-production-key-vault.vault.azure.net/certificates/cloudrealisation"
]

05 Run the keyvault certificate show command (Windows/macOS/Linux) using the ID of the Key Vault certificate that you want to examine as the identifier parameter, together with a custom query filter, to get the configuration status of the Certificate Transparency feature for the selected certificate:

az keyvault certificate show \
	--id https://cc-production-key-vault.vault.azure.net/certificates/cloudconformity \
	--query 'policy.issuerParameters.certificateTransparency'

06 The command output should return the requested information for the selected certificate:

false

If the keyvault certificate show command output returns false, as shown in the example above, the Certificate Transparency feature is not enabled for the selected Azure Key Vault SSL/TLS certificate.

07 Repeat steps no. 5 and 6 for each SSL/TLS certificate issued in the selected vault.

08 Repeat steps no. 3 – 7 for each Key Vault available within the current subscription.

09 Repeat steps no. 1 – 8 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To enable certificate transparency for your Microsoft Azure Key Vault SSL/TLS certificates, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Key vault to list all Key Vault instances available in the selected subscription.

05 Click on the name of the Azure Key Vault that you want to access.

06 In the navigation panel, under Settings, select Certificates to access the SSL certificates created in the selected vault.

07 On the Certificates page, under Completed, click on the active SSL certificate that you want to reconfigure (see Audit section part I to identify the right certificate).

08 On the selected certificate page, click on the Issuance Policy button from the dashboard top menu to access the policy.

09 On the Issuance Policy page, click on the Advanced Policy Configuration tab, select Yes next to Enable Certificate Transparency?, then choose OK to close the panel. Click Save to apply the changes.

10 Repeat steps no. 7 – 9 for each SSL/TLS certificate deployed in the selected Key Vault.

11 Repeat steps no. 5 – 10 for each Azure Key Vault available in the selected subscription.

12 Repeat steps no. 3 – 11 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Set the boolean value of the "certificateTransparency" property to true, as shown in the example below, and save the "issuerParameters" object to a JSON file named enable-certificate-transparency.json:

{
    "issuerParameters": {
        "certificateTransparency": true,
        "certificateType": null,
        "name": "Self"
    }
}

02 Run the keyvault certificate set-attributes command (Windows/macOS/Linux) using the ID of the active SSL/TLS certificate that you want to reconfigure as the identifier parameter (see Audit section part II to identify the right certificate). Pass the object defined at the previous step (i.e. enable-certificate-transparency.json) as the policy in order to update the issuance policy associated with the selected certificate and enable the Certificate Transparency feature for it:

az keyvault certificate set-attributes \
	--id https://cc-production-key-vault.vault.azure.net/certificates/cloudconformity \
	--policy @enable-certificate-transparency.json

03 The command output should return the metadata available for the reconfigured certificate:

{
  "attributes": {
    "created": "2020-03-21T08:23:11+00:00",
    "enabled": true,
    "expires": "2021-03-21T08:23:11+00:00",
    "notBefore": "2020-03-21T08:13:11+00:00",
    "recoveryLevel": "Recoverable+Purgeable",
    "updated": "2020-03-21T13:57:14+00:00"
  },

    ...

    "issuerParameters": {
      "certificateTransparency": true,
      "certificateType": null,
      "name": "Self"
    },

    ...

    "x509CertificateProperties": {
      "subject": "CN=cloudconformity.com",
      "subjectAlternativeNames": {
        "dnsNames": [],
        "emails": null,
        "upns": null
      },
      "validityInMonths": 12
    }
  }
}

04 Repeat steps no. 2 and 3 for each SSL/TLS certificate deployed within the current vault.

05 Repeat steps no. 2 – 4 for each Azure Key Vault available in the current subscription.

06 Repeat steps no. 2 – 5 for each subscription created in your Microsoft Azure cloud account.
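The script below is an added example, not part of this Conformity page and not Trend Micro's or Microsoft's code. It automates the Azure CLI Audit (steps 1 to 9) and Remediation (steps 1 to 6) procedures above: it walks every subscription, vault and enabled certificate, reads policy.issuerParameters.certificateTransparency, reports each certificate where the flag is not true, and with --fix writes the issuerParameters object from remediation step 1 to a file and passes it to az keyvault certificate set-attributes --policy. The az invocations assume the Azure CLI is installed and logged in; the pure functions (is_ct_enabled, audit_certificates, remediation_policy) operate on the JSON that az keyvault certificate show returns, so they can be exercised offline with the constructed SAMPLE_CERTS at the bottom, which also cover a certificate whose policy never set the flag (the CLI then prints null rather than false).

```python
"""Audit and remediate Certificate Transparency on Azure Key Vault certificates.

Added example automating the Azure CLI procedure on this page. Assumes the
Azure CLI (az) is on PATH and already logged in; everything else is offline.
"""
import json
import subprocess
import sys
import tempfile


def az_json(*args):
    """Run an az command with JSON output and return the parsed result (calls az)."""
    proc = subprocess.run(["az", *args, "-o", "json"], check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout)


def is_ct_enabled(cert):
    """True only when policy.issuerParameters.certificateTransparency is literally true.

    A missing key or null counts as NOT enabled: the rule requires an explicit
    true, and certificates whose policy never set the flag return null.
    """
    policy = cert.get("policy") or {}
    issuer = policy.get("issuerParameters") or {}
    return issuer.get("certificateTransparency") is True


def audit_certificates(certs):
    """Return a finding for every enabled certificate whose CT flag is not true.

    `certs` is a list of `az keyvault certificate show` result objects. Disabled
    certificates are skipped, mirroring the [?attributes.enabled==`true`]
    filter of audit step 3.
    """
    findings = []
    for cert in certs:
        if not (cert.get("attributes") or {}).get("enabled"):
            continue
        if not is_ct_enabled(cert):
            issuer = (cert.get("policy") or {}).get("issuerParameters") or {}
            findings.append({"id": cert["id"],
                             "certificateTransparency": issuer.get("certificateTransparency")})
    return findings


def remediation_policy(cert):
    """Build the issuerParameters object from remediation step 1 for one certificate.

    The issuer name and certificate type are copied from the certificate's
    current policy so that only the CT flag changes.
    """
    issuer = dict((cert.get("policy") or {}).get("issuerParameters") or {})
    issuer["certificateTransparency"] = True
    return {"issuerParameters": issuer}


def remediate(cert):
    """Write the policy file and run set-attributes for one certificate (calls az)."""
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as fh:
        json.dump(remediation_policy(cert), fh)
        path = fh.name
    return az_json("keyvault", "certificate", "set-attributes",
                   "--id", cert["id"], "--policy", "@" + path)


def main(fix=False):
    """Audit every subscription/vault/certificate; remediate findings when fix=True."""
    total = []
    for sub_id in az_json("account", "list", "--query", "[].id"):
        subprocess.run(["az", "account", "set", "--subscription", sub_id], check=True)
        for vault in az_json("keyvault", "list", "--query", "[].name"):
            ids = az_json("keyvault", "certificate", "list", "--vault-name", vault,
                          "--query", "[?attributes.enabled==`true`].id")
            certs = [az_json("keyvault", "certificate", "show", "--id", cid) for cid in ids]
            findings = audit_certificates(certs)
            total.extend(findings)
            for finding in findings:
                print(f"CT not enabled: {finding['id']} (value: {finding['certificateTransparency']})")
                if fix:
                    remediate(next(c for c in certs if c["id"] == finding["id"]))
    return total


# Constructed sample objects shaped like `az keyvault certificate show` output
# (only the fields the checks read); the last two certificate names are made up.
_BASE = "https://cc-production-key-vault.vault.azure.net/certificates/"
SAMPLE_CERTS = [
    {"id": _BASE + "cloudconformity", "attributes": {"enabled": True},
     "policy": {"issuerParameters": {"certificateTransparency": False,
                                     "certificateType": None, "name": "Self"}}},
    {"id": _BASE + "cloudrealisation", "attributes": {"enabled": True},
     "policy": {"issuerParameters": {"certificateTransparency": True,
                                     "certificateType": None, "name": "Self"}}},
    {"id": _BASE + "retired-cert", "attributes": {"enabled": False},
     "policy": {"issuerParameters": {"certificateTransparency": None,
                                     "certificateType": None, "name": "Self"}}},
    {"id": _BASE + "never-set-flag", "attributes": {"enabled": True},
     "policy": {"issuerParameters": {"certificateType": None, "name": "Self"}}},
]

if __name__ == "__main__":
    main(fix="--fix" in sys.argv)
```

Run it with no arguments to get the audit report only, and with --fix to apply the remediation step for each finding. Keeping the evaluation in is_ct_enabled and the policy construction in remediation_policy separate from the az calls lets you unit-test the compliance logic against saved CLI output before running it against live vaults.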

Publication date Apr 7, 2020