turbot/net_insights

Control: Issuing certificate authority (CA) should support both CRL and OCSP revocation methods

Description

Acquire your certificate from a trusted certificate authority (CA) that is reliable and serious about its certificate business and security. Such a CA should publish both a Certificate Revocation List (CRL) distribution point and an Online Certificate Status Protocol (OCSP) responder in the certificates it issues, so that clients have two independent ways to learn that a certificate has been revoked.

Usage

Run the control in your terminal:

powerpipe control run net_insights.control.ssl_certificate_check_for_reliable_ca

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run net_insights.control.ssl_certificate_check_for_reliable_ca --share

Steampipe Tables

net_certificate

Params

Args  Name          Default                          Description        Variable
$1    domain_names  ["github.com","microsoft.com"]   DNS domain names.

SQL

-- Count the revocation endpoints advertised in each certificate. Both
-- extensions are optional, so a missing one arrives as a SQL NULL; treat it
-- as 0 endpoints rather than letting NULL propagate into the status and reason.
with revocation_info as (
  select
    common_name,
    case
      when crl_distribution_points is null then 0
      else jsonb_array_length(crl_distribution_points)
    end as crl_count,
    case
      when ocsp_servers is null then 0
      else jsonb_array_length(ocsp_servers)
    end as ocsp_count
  from
    net_certificate
  where
    domain in (
      select
        jsonb_array_elements_text(to_jsonb($1 :: text[]))
    )
  order by
    common_name
)
select
  common_name as resource,
  -- a CA that publishes both a CRL distribution point and an OCSP responder passes
  case
    when (
      crl_count > 0
      and ocsp_count > 0
    ) then 'ok'
    else 'alarm'
  end as status,
  (
    common_name || ' has ' || ocsp_count || ' OCSP endpoint(s) and ' || crl_count || ' CRL endpoint(s).'
  ) as reason
from
  revocation_info;
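To see how the control classifies certificates without a Steampipe connection, the following added example (not part of the net_insights mod) runs the same logic in plain PostgreSQL over a constructed stand-in for the net_certificate table. The column names match the real table; the rows, domains and endpoint URLs are made up, and the missing-extension cases are represented as SQL NULL, which is what jsonb_array_length() returns NULL for and what coalesce() turns back into a count of 0.

```sql
-- Added example, not the mod's own query: the control's status rules applied
-- to constructed rows. Column names follow net_certificate; all values are made up.
with net_certificate(domain, common_name, crl_distribution_points, ocsp_servers) as (
  values
    -- CA publishes both a CRL distribution point and an OCSP responder
    ('both.example', 'both.example',
     '["http://crl.ca.example/root.crl"]'::jsonb,
     '["http://ocsp.ca.example"]'::jsonb),
    -- OCSP responder only; the CRL extension is absent
    ('ocsp-only.example', 'ocsp-only.example',
     null::jsonb,
     '["http://ocsp.ca.example"]'::jsonb),
    -- CRL distribution point only; the AIA/OCSP extension is absent
    ('crl-only.example', 'crl-only.example',
     '["http://crl.ca.example/root.crl"]'::jsonb,
     null::jsonb),
    -- neither revocation method is advertised
    ('none.example', 'none.example', null::jsonb, null::jsonb)
),
revocation_info as (
  select
    common_name,
    -- jsonb_array_length() is strict, so a NULL column yields NULL; map it to 0
    coalesce(jsonb_array_length(crl_distribution_points), 0) as crl_count,
    coalesce(jsonb_array_length(ocsp_servers), 0) as ocsp_count
  from
    net_certificate
  where
    -- same shape as the mod's $1 parameter, with the domain list inlined
    domain in (
      select
        jsonb_array_elements_text(
          to_jsonb(array['both.example', 'ocsp-only.example', 'crl-only.example', 'none.example'])
        )
    )
)
select
  common_name as resource,
  case
    when crl_count > 0 and ocsp_count > 0 then 'ok'
    else 'alarm'
  end as status,
  common_name || ' has ' || ocsp_count || ' OCSP endpoint(s) and ' || crl_count || ' CRL endpoint(s).' as reason
from
  revocation_info
order by
  common_name;
```

Only the first row is reported as ok; the other three are alarms, and each still carries a readable reason because the NULL extensions were coalesced to 0 before the string concatenation. Without that step a certificate whose OCSP extension is absent would produce a NULL reason, which is the failure mode the coalesce guards against.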