Benchmark: SSL/TLS Certificate Best Practices
Overview
An SSL certificate (also known as a TLS or SSL/TLS certificate) is a digital document that binds the identity of a website to a cryptographic key pair consisting of a public key and a private key. The certificate includes the public key, which allows a web browser to initiate an encrypted communication session with a web server via the TLS and HTTPS protocols. The private key is kept secure on the server and is used to sign web pages and other documents digitally.
This benchmark performs various standard checks on your domain certificates, for example:
- Is my certificate valid?
- Is my certificate expired (or expiring soon)?
- Is my certificate revoked by the certificate authority (CA)?
- Is my certificate using any insecure key?
Usage
Browse dashboards and select SSL/TLS Certificate Best Practices:
steampipe dashboard
Or run the benchmarks in your terminal:
steampipe check net_insights.benchmark.ssl_certificate_best_practices
Snapshot and share results via Steampipe Cloud:
steampipe login
steampipe check --share net_insights.benchmark.ssl_certificate_best_practices
Controls
- Certificate common names should be listed in subject alternative name (SAN)
- Certificates should be valid
- Certificates should not be expired
- Self-signed certificates should not be used
- Certificates should not be revoked
- Use a strong and secure private key (at least a 2048-bit RSA or 256-bit ECDSA key)
- Ensure certificates have sufficient hostname coverage
- Issuing certificate authority (CA) should support both CRL and OCSP revocation methods
- Certificates should not use an insecure signature algorithm (e.g., MD2, MD5, SHA1)
- Certificates should be visible in Certificate Transparency (CT) logs
- Ensure domains have a CAA record configured to whitelist a CA for issuing certificates
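As an added illustration that is not part of this mod or page, the following Python sketch implements the logic behind several of the controls above (CN listed in SAN, expiry window, key strength, signature algorithm, hostname coverage with RFC 6125 wildcard matching) over a constructed certificate record; the record's field names, the 30-day expiry window and the key-size thresholds are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample record (not real data): the leaf-certificate fields a scanner
# would extract, named here by assumption.
SAMPLE_CERT = {
    "common_name": "www.example.test",
    "dns_names": ["www.example.test", "*.api.example.test"],
    "not_after": datetime(2025, 1, 15, tzinfo=timezone.utc),
    "public_key_algorithm": "RSA",
    "public_key_length": 2048,
    "signature_algorithm": "SHA256-RSA",
}
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock for the example

# Thresholds assumed from the control titles above.
MIN_KEY_BITS = {"RSA": 2048, "ECDSA": 256}
INSECURE_SIG_ALGS = ("MD2", "MD5", "SHA1")

def cn_listed_in_san(cert):
    """Modern clients ignore the CN, so it must also appear as a SAN dNSName."""
    return cert["common_name"] in cert["dns_names"]

def expires_within(cert, days, now):
    return cert["not_after"] <= now + timedelta(days=days)

def key_is_strong(cert):
    minimum = MIN_KEY_BITS.get(cert["public_key_algorithm"])
    return minimum is not None and cert["public_key_length"] >= minimum

def signature_algorithm_is_secure(cert):
    # Algorithm names such as "SHA1-RSA" or "MD5WithRSA" start with the digest name.
    alg = cert["signature_algorithm"].upper()
    return not any(alg.startswith(weak) for weak in INSECURE_SIG_ALGS)

def san_matches_host(pattern, host):
    """RFC 6125: '*' is allowed only as the entire leftmost label and matches one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:] and h_labels[0] != ""

def uncovered_hostnames(cert, hostnames):
    """Hostnames the certificate does not cover; empty list means sufficient coverage."""
    return [h for h in hostnames if not any(san_matches_host(s, h) for s in cert["dns_names"])]

def run_controls(cert, hostnames, now, expiry_window_days=30):
    return {
        "cn_in_san": cn_listed_in_san(cert),
        "not_expiring_soon": not expires_within(cert, expiry_window_days, now),
        "strong_key": key_is_strong(cert),
        "secure_signature_alg": signature_algorithm_is_secure(cert),
        "hostname_coverage": uncovered_hostnames(cert, hostnames) == [],
    }
```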