Check for Sufficient Certificate Auto-Renewal Period

Risk Level: Medium (should be achieved)

Rule ID: KeyVault-013

Ensure that your Microsoft Azure Key Vault SSL certificates have a sufficient auto-renewal period configured for security and compliance purposes. This period indicates the amount of time (number of days) before SSL certificate expiration, when the renewal process is automatically triggered.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Having the right number of days before expiration set to trigger auto-renewal for your Azure Key Vault SSL certificates, will enforce your certificate renewal strategy to follow the best practices as specified in the compliance regulations implemented within your organization. Setting a longer period of time before certificate expiration will allow you to mitigate efficiently any issues that your auto-renewal process may encounter such as an invalid or expired Certificate Authority (CA).

Audit

To determine if your Azure Key Vault SSL certificates have configured a sufficient period of time before expiration for auto-renewal, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Portal.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Key vault to list all Key Vault instances available in the selected subscription.

05 Click on the name of the Azure Key Vault that you want to examine.

06 In the navigation panel, under Settings, select Certificates to access the SSL certificates deployed in the selected vault.

07 On the Certificates page, under Completed, click on the active SSL certificate that you want to examine. The status for an active certificate is set to Enabled.

08 On the selected certificate page, click on the Issuance Policy button from the dashboard top menu and check the number available in the Number of Days Before Expiry configuration box. If the value set for the Number of Days Before Expiry is lower than what your organization specified, the selected Microsoft Azure Key Vault SSL certificate does not have a sufficient period of time before expiration to trigger the auto-renewal process, configured for the issuance policy.

09 Repeat step no. 7 and 8 for each certificate available within the selected vault.

10 Repeat steps no. 5 – 9 for each Azure Key Vault available in the selected subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run keyvault list command (Windows/macOS/Linux) using custom query filters to list the names of all Key Vaults created in the current Azure subscription:

az keyvault list
	--query '[*].name'

02 The command output should return the requested Azure Key Vault names:

[
  "cc-backend-app-vault",
  "cc-internal-app-vault"
]

03 Run keyvault certificate list command (Windows/macOS/Linux) using the name of the Key Vault that you want to examine as identifier parameter to list the IDs of all the active SSL certificates available within the selected vault:

az keyvault certificate list
	--vault-name "cc-backend-app-vault"
	--query '[?(attributes.enabled==`true`)].id'

04 The command output should return an array with the requested certificate identifiers:

[
"https://cc-backend-app-vault.vault.azure.net/certificates/cloudconformity",
"https://cc-backend-app-vault.vault.azure.net/certificates/cloudrealisation"
]

05 Run keyvault certificate show command (Windows/macOS/Linux) using the ID of the SSL certificate that you want to examine as identifier parameter and custom query filters to describe the number of days before expiration when the renewal process is automatically triggered, configured for the selected certificate:

az keyvault certificate show
	--id "https://cc-backend-app-vault.vault.azure.net/certificates/cloudconformity"
	--query 'policy.lifetimeActions[*].trigger.daysBeforeExpiry'

06 The command output should return the number of days before certificate expiration:

[
  2
]

If the value returned by the keyvault certificate show command output is lower than what your organization specified, the selected Microsoft Azure Key Vault SSL certificate does not have a sufficient period of time before expiration to trigger the auto-renewal process, configured for the issuance policy.

07 Repeat step no. 5 and 6 for each SSL certificate available in the selected vault.

08 Repeat steps no. 3 – 7 for each Key Vault available within the current subscription.

09 Repeat steps no. 1 – 8 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To configure the optimal period of time before certificate expiration, when the renewal process is automatically triggered, for your Azure Key Vault certificates, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Portal.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Key vault to list all Key Vault instances available in the selected subscription.

05 Click on the name of the Azure Key Vault that you want to access.

06 In the navigation panel, under Settings, select Certificates to access the SSL certificates created in the selected vault.

07 On the Certificates page, under Completed, click on the active SSL certificate that you want to reconfigure (see Audit section part I to identify the right certificate).

08 On the selected certificate page, click on the Issuance Policy button from the dashboard top menu to access the policy.

09 On the Issuance Policy page, type the sufficient value in the Number of Days Before Expiry box, then click Save to apply the changes.

10 Repeat steps no. 7 – 9 for each SSL certificate issued in the selected Key Vault.

11 Repeat steps no. 5 – 10 for each Azure Key Vault available in the selected subscription.

12 Repeat steps no. 3 – 11 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run keyvault certificate show command (Windows/macOS/Linux) using the ID of the SSL certificate that you want to reconfigure as identifier parameter and custom query filters to describe the lifetime actions configuration for the issuance policy associated with the specified certificate:

az keyvault certificate show
	--id "https://cc-backend-app-vault.vault.azure.net/certificates/cloudconformity"
	--query '{"lifetimeActions":policy.lifetimeActions}'

02 The command output should return the requested configuration information (JSON format):

{
  "lifetimeActions": [
    {
      "action": {
        "actionType": "AutoRenew"
      },
      "trigger": {
        "daysBeforeExpiry": 2,
        "lifetimePercentage": null
      }
    }
  ]
}

03 Replace the value of the "daysBeforeExpiry" property and save the content to a JSON file named auto-renewal-config.json. The following lifetime actions configuration will automatically trigger the renewal process 30 days before the SSL certificate expiration:

{
  "lifetimeActions": [
    {
      "action": {
        "actionType": " AutoRenew"
      },
      "trigger": {
        "daysBeforeExpiry": 30,
        "lifetimePercentage": null
      }
    }
  ]
}

04 Run keyvault certificate set-attributes command (Windows/macOS/Linux) using the ID of the active SSL certificate that you want to reconfigure as identifier parameter (see Audit section part II to identify the right certificate), to update the issuance policy assigned to the selected certificate with the lifetime actions configuration defined at the previous step (i.e. auto-renewal-config.json) in order to optimize the Key Vault certificate auto-renewal process:

az keyvault certificate set-attributes
	--id "https://cc-backend-app-vault.vault.azure.net/certificates/cloudconformity"
	--policy @auto-renewal-config.json

05 The command output should return the metadata available for the reconfigured certificate:

{
  "attributes": {
    "created": "2019-12-19T08:55:00+00:00",
    "enabled": true,
    "expires": "2020-01-19T08:55:00+00:00",
    "notBefore": "2019-12-20T08:45:00+00:00",
    "recoveryLevel": "Purgeable",
    "updated": "2019-12-21T11:01:56+00:00"
  },

    ...

    "lifetimeActions": [
      {
        "action": {
          "actionType": "AutoRenew"
        },
        "trigger": {
          "daysBeforeExpiry": 30,
          "lifetimePercentage": null
        }
      }
    ],

    ...

    "x509CertificateProperties": {
      "subject": "CN=cloudconformity.com",
      "subjectAlternativeNames": {
        "dnsNames": [],
        "emails": null,
        "upns": null
      },
      "validityInMonths": 12
    }
  }
}

06 Repeat steps no. 1 – 4 for each SSL certificate issued within the current vault.

07 Repeat steps no. 1 – 5 for each Azure Key Vault available in the current subscription.

08 Repeat steps no. 1 – 6 for each subscription created in your Microsoft Azure cloud account.

References

Azure Command Line Interface (CLI) Documentation
az keyvault list
az keyvault certificate list
az keyvault certificate show
az keyvault certificate set-attributes

Publication date Aug 31, 2020

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

No thanks, back to article

You are auditing:

Check for Sufficient Certificate Auto-Renewal Period

Risk Level: Medium

Audit

Using Azure Portal

Using Azure CLI

Remediation / Resolution

Using Azure Portal

Using Azure CLI

References

Related KeyVault rules