Loading controls...

Control: Issuing certificate authority (CA) should support for both CRL and OCSP revocation methods

Description

Acquire your certificate from a trusted certificate authority (CA) that is reliable and serious about its certificate business and security, which should provide support for both Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) revocation methods.

Usage

Run the control in your terminal:

steampipe check net_insights.control.ssl_certificate_check_for_reliable_ca

Snapshot and share results via Steampipe Cloud:

steampipe login
steampipe check --share net_insights.control.ssl_certificate_check_for_reliable_ca

Plugins & Tables

net_certificate

Params

Args	Name	Default	Description	Variable
$1	domain_names	`["github.com","microsoft.com"]`	DNS domain names.	domain_names

SQL

with revocation_info as (
  select
    common_name,
    case
      when crl_distribution_points is null then 0
      else jsonb_array_length(crl_distribution_points)
    end as crl_count,
    jsonb_array_length(ocsp_servers) as ocsp_count
  from
    net_certificate
  where
    domain in (
      select
        jsonb_array_elements_text(to_jsonb($1 :: text [ ]))
    )
  order by
    common_name
)
select
  common_name as resource,
  case
    when (
      crl_count > 0
      and ocsp_count > 0
    ) then 'ok'
    else 'alarm'
  end as status,
  (
    common_name || ' has ' || ocsp_count || ' OCSP endpoint(s) and ' || crl_count || ' CRL endpoint(s).'
  ) as reason
from
  revocation_info;

turbot/net_insights

Control: Issuing certificate authority (CA) should support for both CRL and OCSP revocation methods

Description

Usage

Plugins & Tables

Params

SQL

Steampipe

Resources

Community