turbot/net_insights

Control: Certificates should have a complete chain of trusted certificates

Description

An invalid certificate chain effectively renders the server certificate invalid and results in browser warnings. End-entity SSL/TLS certificates are generally signed by intermediate certificates rather than a CA’s root key. It is recommended to use two or more certificates to build a complete chain of trust.
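
Why the intermediate has to be served, as an added example that is not part of the net_insights mod: a throwaway root, intermediate and leaf are constructed (all names are made up; assumes a recent `openssl` CLI), then the leaf is verified by a client that trusts only the root, once with the intermediate supplied and once without it.

```bash
# Added example: constructed lab PKI, not code from the net_insights mod.
# Hierarchy: root CA -> intermediate CA -> server (leaf) certificate.
make_lab_pki() {   # $1 = existing, writable working directory
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\n' > "$d/leaf.ext"
  # One key pair and signing request per certificate.
  for n in root int leaf; do
    openssl req -newkey rsa:2048 -nodes -keyout "$d/$n.key" -out "$d/$n.csr" \
      -subj "/CN=lab-$n.example.test" >/dev/null 2>&1
  done
  # The root signs itself, the root signs the intermediate,
  # and the intermediate signs the leaf.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -days 2 -out "$d/root.pem" >/dev/null 2>&1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/int.pem" >/dev/null 2>&1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -extfile "$d/leaf.ext" -days 2 -out "$d/leaf.pem" >/dev/null 2>&1
}

# Prints "ok" when a client that trusts only the root can build a path to the
# leaf from what the server sends, otherwise "alarm".
chain_status() {   # $1 = lab directory, $2 = with-intermediate | leaf-only
  if [ "$2" = with-intermediate ]; then
    # -untrusted holds the extra certificates the server sent with the leaf.
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem"
  else
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem"
  fi >/dev/null 2>&1 && echo ok || echo alarm
}

lab=$(mktemp -d)
make_lab_pki "$lab"
echo "server sends leaf + intermediate: $(chain_status "$lab" with-intermediate)"
echo "server sends leaf only:           $(chain_status "$lab" leaf-only)"
rm -rf "$lab"
```

The leaf-only case fails because the client has no certificate linking the leaf's issuer to the trusted root.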

Usage

Run the control in your terminal:

powerpipe control run net_insights.control.ssl_certificate_use_complete_certificate_chain

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run net_insights.control.ssl_certificate_use_complete_certificate_chain --share

Steampipe Tables

Params

| Args | Name | Default | Description | Variable |
| --- | --- | --- | --- | --- |
| $1 | domain_names | ["github.com","microsoft.com"] | DNS domain names. | |

SQL

select
  common_name as resource,
  case
    when chain @> '[{"is_certificate_authority": true}]' then 'ok'
    when jsonb_array_length(chain) >= 2 then 'ok'
    else 'alarm'
  end as status,
  common_name || ' has ' || jsonb_array_length(chain) || ' certificate(s) along with the server certificates.' as reason
from
  net_certificate
where
  domain in (
    select
      jsonb_array_elements_text(to_jsonb($1::text[]))
  )
order by
  common_name;