by Josef Weiss
September 24, 2015
The Certificate Expiry Report provides details on SSL certificates within the environment that have expired, or are expiring in 60 days or less. Certificates that have not yet reached their validity period are also reported. Both passive and active scan results provide vulnerability data to populate this report.
SSL certificates can be purchased from a Certificate Authority (CA), who, as a trusted third party, validates the site owner’s identity. Certificates can also be issued by the organization itself, which self-signs its certificates. In the most basic of terms, when you connect to a site using encryption, the server will send its certificate. Either the client must then trust the certificate directly, or a third party that the client trusts must do so.
Every certificate has an expiration date. Once a certificate has expired, its revocation status is no longer published. When the revocation status cannot be checked, you should not trust the certificate, as you cannot know whether it was revoked long ago. Consequently, you cannot validate that you are communicating with a trusted site. Tracking certificate expiry is essential to providing trust to end users. If certificate issues exist, the resulting uncertainty may cause clients to distrust the site. Devices or hosts with expired certificates may also suggest that poor security practices are in place.
To aid the organization in managing its certificate environment, the Certificate Expiry Report determines whether any expired certificates exist. This is accomplished using data from both passive and active scanning: active and passive plugins detect expired certificates within the environment. To help avoid future expirations, a chapter highlights any SSL certificates found to be within 60 days of expiration. Certificates are sometimes installed before they have reached their validity period, that is, the date range during which the certificate is valid. A further chapter reports on whether such not-yet-valid certificates exist in the environment.
Certificate expiration warnings are purely client-side. By providing details on expired, about-to-expire, or not-yet-valid certificates, organizations can avoid costly certificate problems. Expired certificates often cause a loss of confidence in the trustworthiness of an organization or website. In addition, clients will face warning messages, and some services, such as image, video or other media, may stop functioning.
The report is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The report can be easily located in the Tenable.sc Feed under the category Discovery & Detection.
The report requirements are:
- Tenable.sc 5.0.2
- Nessus 8.6.0
- NNM 5.9.0
Tenable's Tenable.sc Continuous View (Tenable.sc CV) is the market-defining continuous network monitoring platform. Tenable.sc CV includes active vulnerability detection with Nessus and passive vulnerability detection with Nessus Network Monitor (NNM). Using Tenable.sc CV, an organization will obtain the most comprehensive and integrated view of its network.
The report contains the following Chapters:
- Executive Summary - The Executive Summary chapter provides an overview that summarizes the longer, more detailed chapters that follow. It provides a series of components that let readers rapidly become acquainted with the remaining chapters without having to read all of the detailed information. The subsequent chapters provide in-depth details on the hosts and SSL certificates found to be expired, soon to expire, or outside their validity period, through a series of table and matrix components.
- Expired Certificates - The Expired Certificates chapter reports on SSL certificates found in the environment that have expired. Tracking certificate expiry is essential to providing trust to end users. If certificate issues exist, the resulting uncertainty may cause clients to distrust the site. Devices or hosts with expired certificates may also suggest that poor security practices are in place. This chapter provides results for both active and passive detection of expired certificates.
- Certificates with Future Validity - When certificates are issued, they are defined to be valid from a specific date until a specific date (expiration date). This timeframe is the validity period. This table displays information on SSL certificates that have been found to exist within the environment, but are not yet within their validity period.
- Certificates Expiring Soon - The Certificates Expiring Soon chapter provides a detailed report on hosts that have a certificate that will expire in the next 60 days or less. This timeframe is configurable: edit ssl_cert_expiry.nasl and change the look-ahead to a value other than the default of 60. NASL is a scripting language designed for the Nessus security scanner. Prior to modifying any NASL script, the analyst should understand how to correctly edit NASL scripts and should back up all files before making any edits.
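As an added example (not code from the report or from Tenable's plugins), the following Python script applies the same three-way classification the chapters above describe, with the 60-day look-ahead as a parameter, to constructed `openssl x509 -noout -dates` output for hypothetical hosts; the hostnames, dates and reference time are all assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input (hypothetical hosts): the text each host's certificate
# produces with `openssl x509 -noout -dates`, keyed by hostname.
SAMPLE_RECORDS = {
    "web1.example.test": "notBefore=Sep  1 00:00:00 2014 GMT\nnotAfter=Sep  1 00:00:00 2015 GMT\n",
    "web2.example.test": "notBefore=Jan  1 00:00:00 2015 GMT\nnotAfter=Nov  1 00:00:00 2015 GMT\n",
    "web3.example.test": "notBefore=Oct  1 00:00:00 2015 GMT\nnotAfter=Oct  1 00:00:00 2016 GMT\n",
    "web4.example.test": "notBefore=Jan  1 00:00:00 2015 GMT\nnotAfter=Jan  1 00:00:00 2017 GMT\n",
}
# Reference time for the sample run (constructed; a live check would use datetime.now(timezone.utc)).
NOW = datetime(2015, 9, 24, tzinfo=timezone.utc)

DATE_RE = re.compile(r"^(notBefore|notAfter)=(.+)$", re.MULTILINE)
OPENSSL_FMT = "%b %d %H:%M:%S %Y %Z"  # openssl's default rendering, e.g. "Sep  1 00:00:00 2014 GMT"

def parse_dates(text):
    """Return (not_before, not_after) as UTC datetimes parsed from `openssl -dates` output."""
    found = dict(DATE_RE.findall(text))

    def to_dt(s):
        return datetime.strptime(s.strip(), OPENSSL_FMT).replace(tzinfo=timezone.utc)

    return to_dt(found["notBefore"]), to_dt(found["notAfter"])

def classify(not_before, not_after, now, look_ahead_days=60):
    """Map one validity window to the report's chapters. Order matters: a not-yet-valid
    certificate is reported as such even if its notAfter also falls inside the look-ahead."""
    if now < not_before:
        return "future_validity"
    if now > not_after:
        return "expired"
    if not_after - now <= timedelta(days=look_ahead_days):
        return "expiring_soon"
    return "valid"

def build_report(records, now, look_ahead_days=60):
    """Group hosts by chapter; each entry carries days remaining (negative once expired)."""
    report = {"expired": [], "expiring_soon": [], "future_validity": [], "valid": []}
    for host, text in records.items():
        nb, na = parse_dates(text)
        report[classify(nb, na, now, look_ahead_days)].append((host, (na - now).days))
    return report

if __name__ == "__main__":
    for chapter, hosts in build_report(SAMPLE_RECORDS, NOW).items():
        print(chapter, hosts)
```

Lowering `look_ahead_days` (the analogue of editing the look-ahead in the NASL script) moves hosts between the "expiring_soon" and "valid" groups without touching the expired or future-validity results.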