Exceeded SSL Certificate Validity Period
ID: gcloud-certificate-validity-exceeded
Severity: medium
Author: princechaddha
Tags: cloud,devops,gcp,gcloud,certificate-manager,gcp-cloud-config
Description
Section titled “Description”Ensure that SSL certificates managed with Google Cloud Certificate Manager don’t have a validity period greater than 398 days (13 months). This is to enhance security by reducing the risk of certificate compromise and misuse, while aligning with industry standards and support from modern web browsers.
YAML Source
Section titled “YAML Source”id: gcloud-certificate-validity-exceeded
info: name: Exceeded SSL Certificate Validity Period author: princechaddha severity: medium description: | Ensure that SSL certificates managed with Google Cloud Certificate Manager don't have a validity period greater than 398 days (13 months). This is to enhance security by reducing the risk of certificate compromise and misuse, while aligning with industry standards and support from modern web browsers. impact: | An SSL certificate with a validity period exceeding 398 days poses a higher risk of compromise and misuse. It also fails to comply with industry standards, potentially leading to incompatibilities or security warnings in web browsers. remediation: | Review and adjust the renewal configurations for SSL certificates to ensure their validity periods do not exceed 398 days. reference: - https://cloud.google.com/certificate-manager/docs tags: cloud,devops,gcp,gcloud,certificate-manager,gcp-cloud-config
flow: | code(1) for(let projectId of iterate(template.projectIds)){ set("projectId", projectId) code(2) for(let certificate of iterate(template.certificates)){ set("certificateName", certificate) code(3) } }
self-contained: true
code: - engine: - sh - bash source: | gcloud projects list --format="json(projectId)"
extractors: - type: json name: projectIds internal: true json: - '.[].projectId'
- engine: - sh - bash source: | gcloud certificate-manager certificates list --project $projectId --format="json(name)"
extractors: - type: json name: certificates internal: true json: - '.[].name'
- engine: - sh - bash source: | gcloud certificate-manager certificates describe $certificateName --project $projectId --format="json(createTime,expireTime)" | jq '[(.expireTime | fromdateiso8601) - (.createTime | fromdateiso8601) < 34444800] | any'
matchers: - type: word words: - 'false'
extractors: - type: dsl dsl: - '"Non-compliant SSL Certificate: " + certificateName + " in Project: " + projectId + " with Expiry beyond 398 days"'# digest: 490a004630440220249ea895515d2fc98d8c0890a791e1ab9758411dd16248ba4da5dc9379dba072022034c8195a381830f12737dbc03be0daf4756d73906fb9e9a50a117c8349cee3bf:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "cloud/gcp/certificatemanager/gcloud-certificate-validity-exceeded.yaml"