
SSL certificates validity period

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CertificateManager-001

Ensure that SSL certificates managed with Google Cloud Certificate Manager don't have a validity period greater than 398 days (13 months). Capping the validity period at 398 days enhances security by reducing the risk of certificate compromise and misuse, aligns with industry standards, and matches what modern web browsers accept.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Categories: Security, Reliability, Operational excellence

A longer validity period for SSL certificates means that a certificate, and any weakness in it such as a compromised private key or an outdated algorithm, stays trusted for longer, which increases the window of exposure. Short validity periods address this effectively, because algorithm and policy changes are picked up automatically at each renewal, minimizing the time until they are adopted.


Audit

To determine if your SSL/TLS certificates are renewed within the validity period of 398 days, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to the Certificate Manager console available at https://console.cloud.google.com/security/ccm.

04 Select the CERTIFICATES tab, and ensure the Filter box is cleared to list the active SSL certificates managed by Certificate Manager for the selected GCP project.

05 Choose the SSL certificate that you want to examine and check the values (dates) listed in the Create time and Expire time columns to determine if the certificate is renewed within the validity period of 398 days. If the selected SSL certificate is not renewed within the specified validity period, the renewal configuration of the SSL certificate is not compliant.

06 Repeat step no. 5 for each certificate managed by Certificate Manager within the selected GCP project.

07 Repeat steps no. 2 – 6 for each project deployed in your Google Cloud Platform (GCP) account.

Using GCP CLI

01 Run the projects list command (Windows/macOS/Linux) with custom query filters to list the ID of each GCP project available within your Google Cloud account:

gcloud projects list \
  --format="table(projectId)"

02 The command output should return the requested GCP project identifier(s):

PROJECT_ID
  cc-web-app-project-112233
  cc-bigdata-project-123123

03 Run the certificate-manager certificates list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom filtering to list the name of each SSL certificate managed by Certificate Manager in the selected project. Set the --location parameter to the GCP location that holds your SSL certificates, either a specific region such as us-central1 or global. If the --location parameter is not specified, the default location is global:

gcloud certificate-manager certificates list \
  --location=us-central1 \
  --project cc-web-app-project-112233 \
  --format="value(name)"

04 The command output should return the name of each requested SSL certificate:

trendmicro
cloudconformity

05 Run the certificate-manager certificates describe command (Windows/macOS/Linux) using the name of the SSL certificate that you want to examine as the identifier parameter and custom filters to describe the creation and expiration time of the selected certificate:

gcloud certificate-manager certificates describe trendmicro \
  --location=us-central1 \
  --format="text(createTime,expireTime)"

06 The command output should return the requested timestamps:

create_time: 2023-04-18T15:39:15Z
expire_time: 2024-07-07T23:59:59Z

Check the certificate-manager certificates describe command output to determine if the selected certificate is renewed within the validity period of 398 days, i.e. whether the interval between create_time and expire_time is at most 398 days. If the selected SSL certificate is not renewed within the specified validity period, the renewal configuration of the SSL certificate is not compliant.

07 Repeat steps no. 5 and 6 for each certificate managed by Certificate Manager in the selected GCP project.

08 Repeat steps no. 3 – 7 for each project available within your Google Cloud Platform (GCP) account.
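The check from steps 5 and 6 can be scripted rather than read off by hand. The following is an added example and not part of the Conformity page or of gcloud: the pure functions compute the validity period from the createTime/expireTime fields, and the list_certificates wrapper (an assumption, requiring an authenticated gcloud on PATH) feeds them the JSON output of the page's list command.

```python
import json
import subprocess
from datetime import datetime, timezone

MAX_VALIDITY_DAYS = 398  # threshold from rule CertificateManager-001 (13 months)


def parse_rfc3339(ts):
    """Parse a gcloud timestamp such as 2023-04-18T15:39:15Z into aware UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def validity_days(create_time, expire_time):
    """Whole days between the certificate's create and expire timestamps."""
    return (parse_rfc3339(expire_time) - parse_rfc3339(create_time)).days


def is_compliant(create_time, expire_time):
    """True when the validity period does not exceed 398 days."""
    return validity_days(create_time, expire_time) <= MAX_VALIDITY_DAYS


def audit(certificates):
    """Return (name, days) for every non-compliant certificate.
    `certificates` is a list of dicts carrying name/createTime/expireTime,
    the shape that `gcloud ... certificates list --format=json` prints."""
    findings = []
    for cert in certificates:
        days = validity_days(cert["createTime"], cert["expireTime"])
        if days > MAX_VALIDITY_DAYS:
            findings.append((cert["name"], days))
    return findings


def list_certificates(project, location="global"):
    """Hypothetical wrapper: run the page's list command with JSON output."""
    cmd = ["gcloud", "certificate-manager", "certificates", "list",
           f"--project={project}", f"--location={location}", "--format=json"]
    return json.loads(subprocess.run(cmd, check=True, capture_output=True,
                                     text=True).stdout)


if __name__ == "__main__":
    # Constructed sample mirroring the page's describe output; swap in
    # list_certificates("cc-web-app-project-112233", "us-central1") for a live run.
    sample = [{"name": "trendmicro", "createTime": "2023-04-18T15:39:15Z",
               "expireTime": "2024-07-07T23:59:59Z"},
              {"name": "cloudconformity", "createTime": "2023-04-18T15:39:15Z",
               "expireTime": "2024-04-18T15:39:15Z"}]
    for name, days in audit(sample):
        print(f"NOT COMPLIANT: {name} valid for {days} days (> {MAX_VALIDITY_DAYS})")
```

With the page's sample timestamps the trendmicro certificate is valid for 446 days and is reported as non-compliant.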

Remediation / Resolution

Since September 2020, new SSL certificates can't be issued for longer than 397 days. Therefore, to ensure that your SSL certificate validity period is compliant with industry best practices and the certificate is renewed within 398 days, you must re-create (reissue) your SSL certificate managed with Google Cloud Certificate Manager by performing the following operations:

Provisioning SSL certificates via Certificate Manager console is not currently supported.

Using GCP CLI

01 To create a Google-managed SSL certificate with Google Cloud Certificate Manager, run the certificate-manager certificates create command (Windows/macOS/Linux) using the ID of the GCP project that you want to use as the identifier parameter:

gcloud certificate-manager certificates create trendmicro \
  --domains="trendmicro.com" \
  --dns-authorizations=<dns-authorization-name> \
  --location=us-central1 \
  --project cc-web-app-project-112233

02 The command output should return the full ID and status of the performed operation:

Create request issued for: [trendmicro]
  Waiting for operation [projects/cc-web-app-project-112233/locations/us-central1/operations/operation-1234abcd1234-1234abcd1234-abcd1234-abcd1234] to complete...done.
  Created certificate [trendmicro].

03 To create (upload) a self-managed SSL certificate with Google Cloud Certificate Manager, run the certificate-manager certificates create command (Windows/macOS/Linux) using the ID of the GCP project that you want to access as the identifier parameter. Use the SSL certificate files (PEM format) provided by the certificate provider for the --private-key-file and --certificate-file command parameters; the domain names are taken from the uploaded certificate, so the managed-certificate parameters (--domains and --dns-authorizations) are not used:

# --certificate-file/--private-key-file (self-managed) cannot be combined with
# --domains/--dns-authorizations (Google-managed) in a single create command
gcloud certificate-manager certificates create trendmicro \
  --private-key-file=private-key.pem \
  --certificate-file=certificate.pem \
  --location=us-central1 \
  --project cc-web-app-project-112233

04 The command output should return the ID and status of the performed operation:

Create request issued for: [trendmicro]
  Waiting for operation [projects/cc-web-app-project-112233/locations/us-central1/operations/operation-abcd1234abcd-1234abcd1234-abcd1234-abcd1234] to complete...done.
  Created certificate [trendmicro].

05 Repeat steps no. 1 – 4 for each project created in your Google Cloud Platform (GCP) account.

Publication date: May 25, 2023