7.9 Ensure that CA certificates are rotated as appropriate

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

You should rotate root CA certificates as appropriate.

Rationale:

Docker Swarm uses TLS for clustering operations between its nodes. Certificate rotation ensures that in an event such as a compromised node or key, it is difficult to impersonate a node. Node certificates depend upon root CA certificates. For operational security, it is important to rotate these frequently. Currently, root CA certificates are not rotated automatically and you should therefore establish a process for rotating them in line with your organizational security policy.

Impact:

None

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

You should run the command below to rotate the root CA certificate.

docker swarm ca --rotate

Default Value:

By default, root CA certificates are not rotated.
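
Because rotation is not automatic, the process needs a recurring check. The script below is an added example, not part of the benchmark or of Docker: it uses the certificate file's modification time as a proxy for the last rotation and reports when the age exceeds a policy limit. The certificate path and the 90-day figure in the usage comment are assumptions; substitute your own values.

```shell
#!/bin/sh
# Added example: flag a swarm root CA certificate older than policy allows.
# Assumptions (not from the page): the default certificate path below, and
# that the file's mtime reflects the last rotation (a restore from backup
# or a manual copy would change it too).
# Usage: ./check_swarm_ca_age.sh 90 [cert_path]

DEFAULT_CA_CERT=/var/lib/docker/swarm/certificates/swarm-root-ca.crt

# Print the file's modification time as epoch seconds (GNU stat, then BSD).
file_mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1" 2>/dev/null
}

# Print whole days since the certificate file was last written.
# $2 optionally overrides "now" (epoch seconds).
ca_age_days() {
    cert=$1
    now=${2:-$(date +%s)}
    [ -r "$cert" ] || return 2
    mtime=$(file_mtime "$cert") || return 2
    echo $(( (now - mtime) / 86400 ))
}

# Return 0 if rotation is due, 1 if within policy, 2 on bad input.
ca_rotation_due() {
    cert=$1
    max_days=$2
    case $max_days in
        ''|*[!0-9]*) echo "max age must be a whole number of days" >&2; return 2 ;;
    esac
    age=$(ca_age_days "$cert" "${3:-}") || {
        echo "cannot read $cert" >&2
        return 2
    }
    if [ "$age" -ge "$max_days" ]; then
        echo "DUE: root CA is $age days old (policy: $max_days); run: docker swarm ca --rotate"
        return 0
    fi
    echo "OK: root CA is $age days old (policy: $max_days)"
    return 1
}

# Run the check only when a policy limit is given on the command line.
if [ "$#" -ge 1 ]; then
    ca_rotation_due "${2:-$DEFAULT_CA_CERT}" "$1"
fi
```

Scheduled from cron or a monitoring agent, the DUE line and the exit status give the rotation process a trigger that does not rely on someone remembering the date.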

See Also

https://workbench.cisecurity.org/files/4244