Enable Certificate Transparency

Risk Level: Medium (should be achieved)

Rule ID: KeyVault-012

Ensure that Certificate Transparency feature is enabled for all Azure Key Vault SSL/TLS certificates in order to adhere to web security best practices. Certificate Transparency (CT) is a new Internet standard that addresses the concerns about mis-issued certificates by making the Transport Layer Security (TLS) ecosystem publicly auditable. Without CT, as domain owner there is no way to be aware of certificates that are issued to your domain, unless you request it yourself. With Certificate Transparency, you can easily audit the quality of the certificates that the Certificate Authority (CA) issued and determine whether the certificate is compliant with the standards enforced by the Certification Authority Browser Forum, also known as CA/Browser Forum.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Certificate Transparency aims to remediate SSL/TLS certificate-based threats by making the issuance process and the existence of the certificates open to scrutiny by domain owners, CAs, and domain users. Specifically, Certificate Transparency (CT) has three main goals:

Make it extremely difficult for a Certificate Authority (CA) to issue an SSL certificate for a domain without the certificate being visible to the owner of that domain.

Provide an open auditing and a monitoring system that allows any domain owner or CA to determine whether the SSL certificate has been mistakenly or maliciously issued.

Protect users from being duped by SSL certificates that were mistakenly or maliciously issued.

Audit

To determine if your Microsoft Azure Key Vault SSL/TLS certificates are configured to use certificate transparency, perform the following operations:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Key vault to list all Key Vault instances available in the selected subscription.

05 Click on the name of the Azure Key Vault that you want to examine.

06 In the navigation panel, under Settings, select Certificates to access the SSL certificates deployed in the selected vault.

07 On the Certificates page, under Completed, click on the active SSL certificate that you want to examine. The status for an active certificate is set to Enabled.

08 On the selected certificate page, click on the Issuance Policy button from the dashboard top menu to access the certificate's issuance policy.

09 On the Issuance Policy page, click on the Advanced Policy Configuration tab and check the Enable Certificate Transparency? setting status. If the configuration setting status is set to No, the Certificate Transparency feature is not enabled for the selected Azure Key Vault certificate.

10 Repeat steps no. 7 – 9 for each certificate issued within the selected vault.

11 Repeat steps no. 5 – 10 for each Azure Key Vault available in the selected subscription.

12 Repeat steps no. 3 – 11 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run keyvault list command (Windows/macOS/Linux) using custom query filters to list the names of all Key Vaults created in the current Azure subscription:

az keyvault list
	--query '[*].name'

02 The command output should return the requested Azure Key Vault names:

[
  "cc-production-key-vault",
  "cc-app-manager-key-vault"
]

03 Run keyvault certificate list command (Windows/macOS/Linux) using the name of the Key Vault that you want to examine as identifier parameter to list the IDs of all the active SSL/TLS certificates available within the selected vault:

az keyvault certificate list
	--vault-name "cc-production-key-vault"
	--query '[?(attributes.enabled==`true`)].id'

04 The command output should return an array with the requested certificate identifiers:

[
"https://cc-production-key-vault.vault.azure.net/certificates/cloudconformity",
"https://cc-production-key-vault.vault.azure.net/certificates/cloudrealisation"
]

05 Run keyvault certificate show command (Windows/macOS/Linux) using the ID of the Key Vault certificate that you want to examine as identifier parameter and custom query filters to get the configuration status of the Certificate Transparency feature, available for the selected certificate:

az keyvault certificate show
	--id https://cc-production-key-vault.vault.azure.net/certificates/cloudconformity
	--query 'policy.issuerParameters.certificateTransparency'

06 The command output should return the requested information for the selected certificate:

false

If the keyvault certificate show command output returns false, as shown in the example above, the Certificate Transparency feature is not enabled for the selected Azure Key Vault SSL/TLS certificate.

07 Repeat step no. 5 and 6 for each SSL/TLS certificate issued in the selected vault.

08 Repeat steps no. 3 – 7 for each Key Vault available within the current subscription.

09 Repeat steps no. 1 – 8 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To enable certificate transparency for your Microsoft Azure Key Vault SSL/TLS certificates, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Key vault to list all Key Vault instances available in the selected subscription.

05 Click on the name of the Azure Key Vault that you want to access.

06 In the navigation panel, under Settings, select Certificates to access the SSL certificates created in the selected vault.

07 On the Certificates page, under Completed, click on the active SSL certificate that you want to reconfigure (see Audit section part I to identify the right certificate).

08 On the selected certificate page, click on the Issuance Policy button from the dashboard top menu to access the policy.

09 On the Issuance Policy page, click on the Advanced Policy Configuration tab, select Yes next to Enable Certificate Transparency?, then choose OK to close the panel. Click Save to apply the changes.

10 Repeat steps no. 7 – 9 for each SSL/TLS certificate deployed in the selected Key Vault.

11 Repeat steps no. 5 – 10 for each Azure Key Vault available in the selected subscription.

12 Repeat steps no. 3 – 11 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Set the boolean value of the "certificateTransparency" property to true, as shown in the example below, and save the "issuerParameters" object to a JSON file named enable-certificate-transparency.json:

{
    "issuerParameters": {
        "certificateTransparency": true,
        "certificateType": null,
        "name": "Self"
    }
}

02 Run keyvault certificate set-attributes command (Windows/macOS/Linux) using the ID of the active SSL/TLS certificate that you want to reconfigure as identifier parameter (see Audit section part II to identify the right certificate), to update the issuance policy associated with the selected certificate with the object defined at the previous step (i.e. enable-certificate-transparency.json) in order to enable the Certificate Transparency feature for the selected Azure Key Vault certificate:

az keyvault certificate set-attributes
	--id https://cc-production-key-vault.vault.azure.net/certificates/cloudconformity
	--policy @enable-certificate-transparency.json

03 The command output should return the metadata available for the reconfigured certificate:

{
  "attributes": {
    "created": "2020-03-21T08:23:11+00:00",
    "enabled": true,
    "expires": "2021-03-21T08:23:11+00:00",
    "notBefore": "2020-03-21T08:13:11+00:00",
    "recoveryLevel": "Recoverable+Purgeable",
    "updated": "2020-03-21T13:57:14+00:00"
  },

    ...

    "issuerParameters": {
      "certificateTransparency": true,
      "certificateType": null,
      "name": "Self"
    },

    ...

    "x509CertificateProperties": {
      "subject": "CN=cloudconformity.com",
      "subjectAlternativeNames": {
        "dnsNames": [],
        "emails": null,
        "upns": null
      },
      "validityInMonths": 12
    }
  }
}

04 Repeat step no. 2 and 3 for each SSL/TLS certificate deployed within the current vault.

05 Repeat steps no. 2 – 4 for each Azure Key Vault available in the current subscription.

06 Repeat steps no. 2 – 5 for each subscription created in your Microsoft Azure cloud account.

References

Azure Official Documentation
About keys, secrets, and certificates
Introduction of AD CS Certificate Transparency

Azure Command Line Interface (CLI) Documentation
az keyvault list
az keyvault certificate list
az keyvault certificate show
az keyvault certificate set-attributes

Certificate Transparency Project Documentation
What is Certificate Transparency?

Publication date Apr 7, 2020

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

No thanks, back to article

You are auditing:

Enable Certificate Transparency

Risk Level: Medium

Audit

Using Azure Portal

Using Azure CLI

Remediation / Resolution

Using Azure Portal

Using Azure CLI

References

Related KeyVault rules