|   Trend Micro™ Cloud One
Open menu

Rotate Expiring SSL Client Certificates

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Start a Free Trial Product features
Security
Risk level: Medium (should be achieved)

Ensure that the client-side SSL certificates used by your Amazon API Gateway APIs for secure authentication at the API integration endpoint level are rotated before their expiration date.

The SSL client certificates used by Amazon API Gateway service are valid for 365 days. To avoid any downtime for your Amazon API Gateway APIs, rotate the associated certificates before they expire.

Note: This conformity rule assumes that your Amazon API Gateway APIs have already attached.

Audit

To determine if there are any SSL certificates that are about to expire, attached to your API Gateway APIs, perform the following:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to API Gateway dashboard at https://console.aws.amazon.com/apigateway/.

03 In the left navigation panel, select APIs to access the APIs listing page.

04 Choose the API that you want to examine, then click on its name (link) to access the API details.

05 In the selected API submenu, click Stages to list the stages created for your API.

06 Under Stages, choose the API stage that you want to examine, then select the Settings tab from the dashboard top panel.

07 On the Settings panel, in the Client Certificate section, identify and note the ID of the SSL certificate associated with the selected API stage, available in the Certificate dropdown.

08 Go back to the navigation panel and select Client Certificates.

09 On the Client Certificates listing page, search for the SSL certificate entry identified at step no. 7 and check its expiration date, e.g. expiration date. If the selected client-side SSL certificate is about to expire soon, follow the instructions outlined in the Remediation/Resolution section to rotate the certificate as quickly as possible.

10 Repeat steps no. 6 – 9 for each API stage created for the selected API.

11 Repeat steps no. 4 – 10 to verify other Amazon API Gateway APIs available in the current region.

12 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run get-rest-apis command (OSX/Linux/UNIX) using custom query filters to list the IDs of the APIs available in the selected AWS region:

aws apigateway get-rest-apis
	--region us-east-1
	--output table
	--query 'items[*].id'

02 The command output should return a table with the requested information (i.e. API IDs):

----------------
|  GetRestApis |
+--------------+
|  aabbccaabb  |
|  abcdabcdab  |
|  abcdabcdab  |
+--------------+

03 Run get-stages command (OSX/Linux/UNIX) using the ID of the API that you want to examine as identifier and custom query filters to get the name(s) of the API stage(s) created for the selected API:

aws apigateway get-stages
	--region us-east-1
	--rest-api-id abcdabcdab
	--output table
	--query 'item[*].stageName'

04 The command output should return the requested API stage name(s):

----------------
|  GetStages   |
+--------------+
|  Production  |
|  Testing     |
|  Development |
+--------------+

05 Run get-stages command (OSX/Linux/UNIX) using the name of the API stage that you want to examine as identifier and custom query filters to return the ID of the SSL client certificate associated with the selected API stage:

aws apigateway get-stages
	--region us-east-1
	--rest-api-id aabbccaabb
	--query 'item[?(stageName==`Production`)].clientCertificateId'

06 The command output should return an array with the requested certificate ID:

[
    "aabbcc"
]

07 Run get-client-certificate command (OSX/Linux/UNIX) using the ID of the client certificate returned at the previous step as identifier and custom query filters to return the timestamp when the selected certificate will expire:

aws apigateway get-client-certificate
	--region us-east-1
	--client-certificate-id aabbcc
	--query 'expirationDate'

08 The command output should return the requested timestamp:

1579948577

09 The value returned by get-client-certificate command at the previous step is using the Unix/epoch time format, which represents the number of seconds that have passed since midnight UTC of 1 January 1970. To convert the returned value into a human-readable format, run the following command (replace the Unix timestamp with your own timestamp returned at step no. 8):

date -d @1579948577

10 The command output should return the RI purchasing date in a human-readable format:

Sat Jan 25 10:36:17 UTC 2020

Based on the expiration date returned by the command output, if the selected client-side SSL certificate is about to expire soon, follow the steps outlined in the Remediation/Resolution section to rotate the SSL certificate before this expires.

11 Repeat step no. 5 – 10 for each API stage created for the selected API.

12 Repeat steps no. 3 – 11 to verify other Amazon API Gateway APIs available in the current region.

13 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 12 to perform the entire process for other regions.

Remediation / Resolution

To rotate an SSL client certificate that is about to expire, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to API Gateway dashboard at .

03 In the left navigation panel, select Client Certificates.

04 Click Generate Client Certificate button from the dashboard top menu to create a new SSL client certificate.

05 Once the certificate is created, click Edit and provide a descriptive title in the Description box, then click Save to apply the changes.

06 Update the backend server or service to include the new SSL certificate. Do not remove the existing client certificate yet from the server/service configuration.

07 In the navigation panel, select APIs to open the APIs listing page.

08 Choose the API that you want to reconfigure, then click on its name (link) to access the API configuration.

09 Within the API submenu, click Stages to list the stages available for the selected API.

10 Under Stages, choose the API stage that you want to update and select the Settings tab to access the stage configuration panel.

11 In the Client Certificate section, select the ID of the client-side SSL certificate created at step no. 4 from the Certificate dropdown list, then click Save Changes to apply the changes.

12 Update the backend server/service to remove the old SSL certificate (i.e. the one that is about to expire).

13 Now that the new client-side SSL certificate is active at the API stage level and backend server/service level, delete the old certificate from the Amazon API Gateway service:

  1. Go back to the console navigation panel and select Client Certificates.
  2. Choose the SSL certificate that is about to expire and click Delete Client Certificate (i.e. x button) to initiate the removal process.
  3. Within Delete Client Certificate dialog box, click Delete <certificate-id> to remove the selected client certificate from the API Gateway service.

14 Repeat steps no. 9 – 13 to rotate SSL certificates for other API stages created in the selected API.

15 Repeat steps no. 3 – 14 to reconfigure other Amazon API Gateway APIs available in the selected region.

16 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run generate-client-certificate command (OSX/Linux/UNIX) to generate a new a client-side SSL certificate for Amazon API Gateway service:

aws apigateway generate-client-certificate
	--region us-east-1
	--description "New Client SSL Certificate Amazon API Gateway API"

02 The command output should return the SSL certificate metadata:

{
    "clientCertificateId": "abc123",
    "expirationDate": 1579948577,
    "createdDate": 1611497555,
    "pemEncodedCertificate": "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----",
    "description": "New Client SSL Certificate Amazon API Gateway API"
}

03 Update the backend service or server to include the new SSL certificate. Do not remove the existing client certificate yet from the service/server configuration.

04 Run update-stage command (OSX/Linux/UNIX) using the name of the API stage that you want to reconfigure as identifier (see Audit section part II to identify the right stage) to attach the new SSL certificate, created at the previous steps, to the selected API stage:

aws apigateway update-stage
	--region us-east-1
	--rest-api-id aabbccaabb
	--stage-name 'Production'
	--patch-operations op=replace,path=/clientCertificateId,value=abc123

05 The command output should return the command request metadata:

{
    "clientCertificateId": "abc123",
    "tracingEnabled": false,
    "stageName": "Production",
    "cacheClusterEnabled": false,
    "cacheClusterStatus": "NOT_AVAILABLE",
    "deploymentId": "cbacba",
    "lastUpdatedDate": 1548413501,
    "createdDate": 1548406766,
    "methodSettings": {}
}

06 Now you can update the backend service/service to remove the old SSL certificate (i.e. the one that is about to expire).

07 Once the new client-side SSL certificate is active at the API stage level and backend service/server level, remove the old certificate from the API Gateway service by executing the delete-client-certificate command (OSX/Linux/UNIX) with the ID of the SSL certificate that you want to delete as identifier (the command does not produce an output):

aws apigateway delete-client-certificate
	--region us-east-1
	--client-certificate-id aabbcc

08 Repeat steps no. 4 – 7 to rotate SSL certificates for other API stages created in the selected API.

09 Repeat steps no. 1 – 8 to reconfigure other Amazon API Gateway APIs available in the selected region.

10 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.

References

Publication date Jan 27, 2019

Thanks!

A verification email has been sent to

Thanks!

A verification email has been sent to

Thanks!

A verification email has been sent to