Control: Issuing certificate authority (CA) should support both CRL and OCSP revocation methods
Description
Acquire your certificates from a trusted certificate authority (CA) that is reliable and takes its certificate business and security seriously. Such a CA publishes revocation information through both a Certificate Revocation List (CRL) and an Online Certificate Status Protocol (OCSP) responder, so that a client can still learn about a revoked certificate when one of the two mechanisms is unavailable. This control reads the CRL Distribution Points and OCSP (Authority Information Access) endpoints from the certificate served by each domain and alarms when either list is empty.
Usage
Run the control in your terminal:
steampipe check net_insights.control.ssl_certificate_check_for_reliable_ca
Snapshot and share results via Steampipe Cloud:
steampipe login
steampipe check --share net_insights.control.ssl_certificate_check_for_reliable_ca
Plugins & Tables
Params
Args | Name | Default | Description | Variable
---|---|---|---|---
$1 | domain_names | | DNS domain names. |
SQL
with revocation_info as (
  select
    common_name,
    -- jsonb_array_length(null) yields null, so both columns are guarded: a
    -- certificate with no endpoints must count as 0, not null, otherwise the
    -- reason text below would itself become null.
    case when crl_distribution_points is null then 0 else jsonb_array_length(crl_distribution_points) end as crl_count,
    case when ocsp_servers is null then 0 else jsonb_array_length(ocsp_servers) end as ocsp_count
  from
    net_certificate
  where
    domain in (select jsonb_array_elements_text(to_jsonb($1 :: text[])))
  order by
    common_name
)
select
  common_name as resource,
  -- 'ok' only when the certificate advertises at least one endpoint of each kind.
  case when (crl_count > 0 and ocsp_count > 0) then 'ok' else 'alarm' end as status,
  (common_name || ' has ' || ocsp_count || ' OCSP endpoint(s) and ' || crl_count || ' CRL endpoint(s).') as reason
from
  revocation_info;
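The same decision rule, applied outside Steampipe to a certificate file with only the openssl command line. This is an added example and is not part of the control, the net plugin or the Steampipe project; the function names and the self-signed test certificates (with invented example.test hostnames) are constructed here to exercise the three cases the SQL distinguishes: both endpoint kinds present, CRL only, and neither. It assumes OpenSSL 1.1.1 or later for `req -addext` and `x509 -ext`.

```shell
#!/bin/sh
# Added example (not the Steampipe control's own code): reproduce the control's
# ok/alarm rule for any PEM certificate, e.g. one saved from `openssl s_client`.
# "ok" needs at least one CRL distribution point AND at least one OCSP responder.
# Requires OpenSSL >= 1.1.1. Test certificates below are constructed, self-signed
# data; the hostnames are invented.
set -eu

# Number of OCSP responder URIs in the Authority Information Access extension.
ocsp_endpoint_count() {
  openssl x509 -in "$1" -noout -ocsp_uri | grep -c . || true
}

# Number of URIs in the CRL Distribution Points extension (0 when absent).
crl_endpoint_count() {
  openssl x509 -in "$1" -noout -ext crlDistributionPoints 2>/dev/null | grep -c 'URI:' || true
}

# Emit the status and reason the control would report for this certificate.
revocation_status() {
  ocsp=$(ocsp_endpoint_count "$1")
  crl=$(crl_endpoint_count "$1")
  if [ "$ocsp" -gt 0 ] && [ "$crl" -gt 0 ]; then status=ok; else status=alarm; fi
  printf '%s %s OCSP endpoint(s) and %s CRL endpoint(s)\n' "$status" "$ocsp" "$crl"
}

# Build a self-signed test certificate; extra arguments are X.509 extensions to add.
make_test_cert() {
  out=$1; shift
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "${out%.pem}.key" -out "$out" -days 1 -subj "/CN=example.test" "$@" 2>/dev/null
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed inputs: a CA that publishes both mechanisms, one that only
# publishes a CRL, and a certificate with no revocation pointers at all.
make_test_cert "$WORK/both.pem" \
  -addext "crlDistributionPoints=URI:http://crl.example.test/ca.crl" \
  -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example.test"
make_test_cert "$WORK/crl-only.pem" \
  -addext "crlDistributionPoints=URI:http://crl.example.test/ca.crl"
make_test_cert "$WORK/none.pem"

for c in both crl-only none; do
  printf '%-9s ' "$c"
  revocation_status "$WORK/$c.pem"
done
```

To check a live endpoint, save its leaf certificate first (for example with `openssl s_client -connect host:443 -servername host </dev/null | openssl x509 -out leaf.pem`) and pass the file to `revocation_status`. Note that the counts come from the certificate's own extensions, as in the control; whether the advertised CRL or OCSP responder actually answers is a separate check.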