End of Life Notice: For Trend Cloud One™ - Conformity customers, Conformity will reach its End of Sale on July 31st, 2025 and End of Life on July 31st, 2026. The same capabilities and much more are available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One

Check for Compliant Trust Configuration

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Certificate Manager Trust Configs are configured with compliant trust stores in order to prevent certificate validation bypass. A Trust Config is a resource that represents your public key infrastructure (PKI) configuration in Google Cloud Certificate Manager for use in mutual TLS (mTLS) authentication. It encapsulates a single trust store, which in turn encapsulates a trust anchor and, optionally, one or more intermediate certificates. For the trust store in a Certificate Manager Trust Config to be compliant, it must contain a valid chain of trust. This is critical because the Trust Config is used for mutual TLS authentication, where a client and server must verify each other's identities. The trust store provides the necessary trust anchors (root certificates) and intermediate certificates to validate the certificate presented by the client. Before running this conformity rule, the trust store certificates must be defined in the rule settings, in your Trend Cloud One™ – Conformity account.

Security

Trust Configs use trust stores to define which Certificate Authorities (CAs) and certificates are trusted for SSL/TLS validation. Overly permissive trust configurations, or the inclusion of unauthorized Certificate Authorities (CAs) and certificates in a trust store, can lead to your system accepting malicious certificates. This creates a significant vulnerability, enabling Man-in-the-Middle (MITM) attacks or certificate impersonation. Therefore, proper trust configuration is critical for maintaining the integrity of certificate validation and protecting against certificate-based attacks that target application communications.

Audit

To determine if your Certificate Manager Trust Configs are valid and compliant, perform the following operations:

Using GCP Console

01 Sign in to your Trend Cloud One™ – Conformity account, access Check for Compliant Trust Configuration conformity rule settings and identify the trust store certificates defined for your SSL/TLS certificate.

02 Sign in to the Google Cloud Management Console.

03 Select the Google Cloud Platform (GCP) project that contains your Certificate Manager resources from the console top navigation bar.

04 Navigate to Certificate Manager console available at https://console.cloud.google.com/security/ccm/list/certificates.

05 Select the Trust configs tab to list the Certificate Manager Trust Configs available within the selected GCP project.

06 Click on the name (link) of the Trust Config that you want to examine, listed in the Name column.

07 In the Trust Stores section, identify the Trust Anchors and Intermediate CAs defined for the trust store. A trust store represents the trust configuration in Certificate Manager for use in mutual TLS authentication. Choose Show more to fully display the trust store certificates. Compare the Trust Anchors and Intermediate CAs certificates with the trusted ones you identified in step no. 1. If one or more certificates don't match, the trust store configuration of the Trust Config resource defined for your SSL/TLS certificate is not compliant. As a result, this can lead to certificate validation being bypassed.

08 Repeat steps no. 6 and 7 for each Trust Config resource, available in your Google Cloud Platform (GCP) project.

09 Repeat steps no. 3 – 8 for each project available within your Google Cloud Platform (GCP) account.

Using GCP CLI

01 Sign in to your Trend Cloud One™ – Conformity account, access Check for Compliant Trust Configuration conformity rule settings and identify the trust store certificates defined for your SSL/TLS certificate.

02 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each project available in your Google Cloud Platform (GCP) account:

gcloud projects list \
	--format="value(projectId)"

03 The command output should return the requested GCP project identifiers (IDs):

cc-project5-123123
cc-ai-project-123123

04 Run certificate-manager trust-configs list command (Windows/macOS/Linux) with the ID of the GCP project that contains your Certificate Manager resources as the identifier parameter, to describe the Trust Config instances available for the selected project:

gcloud certificate-manager trust-configs list \
	--project=cc-project5-123123 \
	--format="table(name)"

05 The command output should return the requested resource names:

NAME: cc-project5-trust-config
NAME: cc-prod-cert-trust-config

06 Run certificate-manager trust-configs describe command (Windows/macOS/Linux) with the name of the Trust Config instance that you want to examine as the identifier parameter, to describe the trust store certificates (i.e., trust anchors and intermediate CAs) defined for the selected Trust Config. A trust store represents the trust configuration in Certificate Manager for use in mutual TLS authentication:

gcloud certificate-manager trust-configs describe cc-project5-trust-config \
	--format="yaml(trustStores)"

07 The command output should return the requested trust store certificates (in PEM format):

trustStores:
- intermediateCas:
  - pemCertificate: |
      -----BEGIN CERTIFICATE-----
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      -----END CERTIFICATE-----
  trustAnchors:
  - pemCertificate: |
      -----BEGIN CERTIFICATE-----
      abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
      abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
      abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
      abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
      abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
      abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
      abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
      abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
      abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
      abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
      abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
      abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
      abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
      abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
      abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
      abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
      abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
      abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
      abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
      abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
      abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
      abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
      -----END CERTIFICATE-----

Compare the intermediateCas and trustAnchors certificates with the trusted ones you identified in step no. 1. If one or more certificates don't match, the trust store configuration of the Trust Config resource defined for your SSL/TLS certificate is not compliant. Consequently, this can lead to certificate validation being bypassed.

08 Repeat steps no. 6 and 7 for each Trust Config resource, available in your Google Cloud Platform (GCP) project.

09 Repeat steps no. 3 – 8 for each project created within your Google Cloud Platform (GCP) account.
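The comparison in step no. 7 can be automated. The following Python script is an added example, not part of this rule page or of Google's tooling. It reads the JSON form of the describe output (`gcloud certificate-manager trust-configs describe NAME --format=json`), computes a SHA-256 fingerprint of the DER bytes of every trust anchor and intermediate CA certificate, and reports any certificate that is not in the approved set taken from the rule settings, as well as trust stores without a trust anchor and PEM blocks that cannot be decoded. Comparing fingerprints rather than PEM text makes the check insensitive to line wrapping and whitespace differences between the console, the CLI and the rule settings. The certificate bytes, the approved set and the two sample trust configs below are constructed stand-ins, not real certificates or real describe output.

```python
import base64
import hashlib
import json
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first certificate in a PEM string.
    Raises ValueError when the PEM armor is missing or the body is not
    valid base64 / not an ASN.1 SEQUENCE (tag 0x30)."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    body = re.sub(r"\s+", "", match.group(1))
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("decoded bytes are not a DER SEQUENCE")
    return der


def fingerprint(pem: str) -> str:
    """SHA-256 fingerprint of the certificate as lower-case hex."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


def check_trust_config(describe_json: str, approved_fingerprints: set) -> dict:
    """Evaluate one Trust Config (JSON output of `trust-configs describe`).
    Returns {'compliant': bool, 'findings': [reasons]}; an empty findings
    list means every certificate in every trust store is approved."""
    cfg = json.loads(describe_json)
    findings = []
    stores = cfg.get("trustStores", [])
    if not stores:
        findings.append("no trust store defined")
    for idx, store in enumerate(stores):
        if not store.get("trustAnchors"):
            findings.append(f"trustStores[{idx}] has no trust anchor")
        for kind in ("trustAnchors", "intermediateCas"):
            for j, cert in enumerate(store.get(kind, [])):
                path = f"trustStores[{idx}].{kind}[{j}]"
                try:
                    fp = fingerprint(cert.get("pemCertificate", ""))
                except ValueError as exc:
                    findings.append(f"{path}: unparseable certificate ({exc})")
                    continue
                if fp not in approved_fingerprints:
                    findings.append(f"{path}: {fp[:16]}... is not an approved certificate")
    return {"compliant": not findings, "findings": findings}


def _fake_pem(der: bytes) -> str:
    """Wrap constructed bytes in PEM armor; sample data only, not a real cert."""
    b64 = base64.b64encode(der).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n"


# Constructed stand-ins: minimal DER SEQUENCEs, not real X.509 certificates.
APPROVED_ANCHOR = _fake_pem(b"\x30\x05\x02\x01\x01\x05\x00")
APPROVED_INTERMEDIATE = _fake_pem(b"\x30\x05\x02\x01\x02\x05\x00")
UNAPPROVED_CA = _fake_pem(b"\x30\x05\x02\x01\x03\x05\x00")

# The approved set would normally be built from the PEMs in the rule settings.
APPROVED = {fingerprint(APPROVED_ANCHOR), fingerprint(APPROVED_INTERMEDIATE)}

# Constructed stand-ins for `describe --format=json` output of two Trust Configs.
COMPLIANT_CONFIG = json.dumps({
    "name": "projects/example-project/locations/global/trustConfigs/compliant-config",
    "trustStores": [{
        "trustAnchors": [{"pemCertificate": APPROVED_ANCHOR}],
        "intermediateCas": [{"pemCertificate": APPROVED_INTERMEDIATE}],
    }],
})
NONCOMPLIANT_CONFIG = json.dumps({
    "name": "projects/example-project/locations/global/trustConfigs/drifted-config",
    "trustStores": [{
        "trustAnchors": [{"pemCertificate": APPROVED_ANCHOR},
                         {"pemCertificate": UNAPPROVED_CA}],
        "intermediateCas": [{"pemCertificate": "not a certificate"}],
    }],
})

if __name__ == "__main__":
    for label, doc in (("compliant-config", COMPLIANT_CONFIG),
                       ("drifted-config", NONCOMPLIANT_CONFIG)):
        result = check_trust_config(doc, APPROVED)
        print(label, "COMPLIANT" if result["compliant"] else "NON-COMPLIANT")
        for finding in result["findings"]:
            print("  -", finding)
```

To use it against live data, pipe the output of the describe command with `--format=json` into `check_trust_config` and build `APPROVED` from the PEM files you saved from the rule settings; the same `fingerprint` function can verify that the PEM files prepared for the remediation step decode cleanly before they are uploaded.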

Remediation / Resolution

To ensure that your Certificate Manager Trust Configs are configured with valid and compliant trust stores, perform the following operations:

Using GCP Console

01 Sign in to your Trend Cloud One™ – Conformity account, access Check for Compliant Trust Configuration conformity rule settings and copy the trust store certificates defined for your SSL/TLS certificate.

02 Sign in to the Google Cloud Management Console.

03 Select the Google Cloud Platform (GCP) project that contains your Certificate Manager resources from the console top navigation bar.

04 Navigate to Certificate Manager console available at https://console.cloud.google.com/security/ccm/list/certificates.

05 Select the Trust configs tab to list the Certificate Manager Trust Configs available within the selected GCP project.

06 Click on the name (link) of the Trust Config that you want to update and choose Edit from the page top menu.

07 In the Trust Stores section, perform the following actions to update the trust store configuration:

  1. For Trust Anchors, choose the non-compliant trust anchor certificate that you want to remove, choose Actions (i.e., 3-dot button), and select Delete. After the invalid certificate was removed, select Add trust anchor, paste the trust anchor certificate copied in step no. 1, and choose Add to attach the compliant trust anchor certificate.
  2. For Intermediate CAs, choose the non-compliant intermediate CA certificate that you want to remove, choose Actions (i.e., 3-dot button), and select Delete. Select Add trust anchor, paste the intermediate CA certificate copied in step no. 1, and choose Add to attach the compliant intermediate certificate. This lets you add another level of trust between the root certificate and your server certificate.
  3. Choose Save to apply the changes.

08 Repeat steps no. 6 and 7 for each Trust Config instance that you want to configure, available in your Google Cloud Platform (GCP) project.

09 Repeat steps no. 3 – 8 for each project available within your Google Cloud Platform (GCP) account.

Using GCP CLI

01 Sign in to your Trend Cloud One™ – Conformity account, access Check for Compliant Trust Configuration conformity rule settings and copy the trust store certificates defined for your SSL/TLS certificate to .pem files. Copy the trust anchor certificate to a file named valid-trust-anchor.pem and the intermediate CA certificate to a file named valid-intermediate-ca.pem.

02 Run certificate-manager trust-configs update command (Windows/macOS/Linux) to replace the invalid, non-compliant trust store certificates of your Trust Config instance with the valid ones copied in the previous step (valid-trust-anchor.pem for the trust anchor certificate and valid-intermediate-ca.pem for the intermediate certificate):

gcloud certificate-manager trust-configs update cc-project5-trust-config \
	--description="Compliant Trust Config" \
	--trust-store=trust-anchors="valid-trust-anchor.pem",intermediate-cas="valid-intermediate-ca.pem"

03 The command output should return the updated Trust Config certificates:

Request issued for: [cc-project5-trust-config]
Waiting for operation [projects/cc-project5-123123/locations/global/operations/operation-abcd1234] to complete...done.
Updated trustConfig [cc-project5-trust-config].
allowlistedCertificates:
- pemCertificate: |
    -----BEGIN CERTIFICATE-----
    abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
    abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
    abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
    abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
    abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
    abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
    abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
    abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
    abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
    abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
    abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
    abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
    abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
    abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
    abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
    abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
    abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
    abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
    abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
    abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
    abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
    -----END CERTIFICATE-----
createTime: '2025-08-12T08:17:51.144736994Z'
description: Compliant Trust Config
name: projects/cc-project5-123123/locations/global/trustConfigs/cc-project5-trust-config
trustStores:
- intermediateCas:
  - pemCertificate: |
      -----BEGIN CERTIFICATE-----
      1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd
      1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd
      1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd
      1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd
      1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd
      1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd
      1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd
      1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd
      1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd
      1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd
      1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd
      1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd
      1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd
      1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd
      1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd
      1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd
      1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd
      1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd
      1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd
      1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd
      1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd
      -----END CERTIFICATE-----
  trustAnchors:
  - pemCertificate: |
      -----BEGIN CERTIFICATE-----
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
      -----END CERTIFICATE-----
updateTime: '2025-08-12T10:21:29.098134798Z'

04 Repeat steps no. 2 and 3 for each Trust Config instance that you want to configure, available in your Google Cloud Platform (GCP) project.

05 Repeat steps no. 2 – 4 for each project created within your Google Cloud Platform (GCP) account.

Publication date Aug 13, 2025