Check for Allowed Certificate Key Types

Sign into your TrendAI Vision One™ account to access Cloud Risk Management, access Check for Allowed Certificate Key Types rule settings and identify the certificates key type(s) allowed within your organization.

Sign in to Azure Management Console.

Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

Choose the Azure subscription that you want to access from the Subscription filter box.

From the Type filter box, select Key vaults to list all Key Vault instances available in the selected subscription.

Click on the name of the Azure Key Vault that you want to examine.

In the navigation panel, under Settings, select Certificates to access the SSL certificates deployed in the selected vault.

On the Certificates page, under Completed, click on the active SSL certificate that you want to examine. The status for an active certificate is set to Enabled.

On the selected certificate page, click on the Issuance Policy button from the dashboard top menu to access the certificate's issuance policy.

On the Issuance Policy page, click on the Advanced Policy Configuration tab and check the certificate key type available in the Key Type section. If the verified key type is different than the one(s) identified at step no. 1, the selected Microsoft Azure Key Vault SSL certificate does not have the appropriate key type.

Repeat steps no. 8 – 10 for each certificate deployed within the selected vault.

Repeat steps no. 6 – 11 for each Azure Key Vault available in the selected subscription.

Repeat steps no. 4 – 12 for each subscription created in your Microsoft Azure cloud account.

Sign into your TrendAI Vision One™ account to access Cloud Risk Management, access Check for Allowed Certificate Key Types rule settings and identify the certificates key type(s) allowed within your organization.

Run keyvault list command (Windows/macOS/Linux) using custom query filters to list the names of all Key Vaults created in the current Azure subscription:

az keyvault list
	--query '[*].name'

The command output should return the requested Azure Key Vault names:

[
  "cc-internal-app-vault",
  "cc-development-vault"
]

Run keyvault certificate list command (Windows/macOS/Linux) using the name of the Key Vault that you want to examine as identifier parameter to list the IDs of all the active SSL certificates available within the selected vault:

az keyvault certificate list
	--vault-name "cc-internal-app-vault"
	--query '[?(attributes.enabled==`true`)].id'

The command output should return an array with the requested certificate identifiers:

[
  "https://cc-internal-app-vault.vault.azure.net/certificates/example",
  "https://cc-internal-app-vault.vault.azure.net/certificates/cloudrealisation"
]

Run keyvault certificate show command (Windows/macOS/Linux) using the ID of the SSL certificate that you want to examine as identifier parameter and custom query filters to describe the key type used by the selected Key Vault certificate:

az keyvault certificate show
	--id https://cc-internal-app-vault.vault.azure.net/certificates/example
	--query 'policy.keyProperties.keyType'

The command output should return the requested information for the selected certificate:

"EC"

If the key type returned by the keyvault certificate show command output is different than the one(s) identified at step no. 1, the selected Microsoft Azure Key Vault SSL certificate does not use the compliant key type.

Repeat step no. 6 and 7 for each SSL certificate deployed in the selected vault.

Repeat steps no. 4 – 8 for each Key Vault available within the current subscription.

Repeat steps no. 2 – 9 for each subscription created in your Microsoft Azure cloud account.

Sign in to Azure Management Console.

Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

Choose the Azure subscription that you want to access from the Subscription filter box.

From the Type filter box, select Key vaults to list all Key Vault instances available in the selected subscription.

Click on the name of the Azure Key Vault that you want to access.

In the navigation panel, under Settings, select Certificates to access the SSL certificates created in the selected vault.

On the Certificates page, under Completed, click on the active SSL certificate that you want to reconfigure (see Audit section part I to identify the right certificate).

On the selected certificate page, click on the Issuance Policy button from the dashboard top menu to access the policy.

On the Issuance Policy page, click on the Advanced Policy Configuration tab, select the key type allowed by your organization for the Key Type configuration setting, then choose OK to close the panel. Click Save to apply the changes.

Repeat steps no. 7 – 9 for each SSL certificate issued in the selected Key Vault.

Repeat steps no. 5 – 10 for each Azure Key Vault available in the selected subscription.

Repeat steps no. 3 – 11 for each subscription created in your Microsoft Azure cloud account.

Replace the existing key type, available as value of the "keyType" property, with the compliant key type allowed by your organization, and save the "keyProperties" object to a JSON file named allowed-key-type.json. In this case the certificate key type allowed is RSA:

{
    "keyProperties": {
          "curve": "",
          "keySize": 4096,
          "keyType": "RSA"
    }
}

Run keyvault certificate set-attributes command (Windows/macOS/Linux) using the ID of the active SSL certificate that you want to reconfigure as identifier parameter (see Audit section part II to identify the right certificate), to update the issuance policy assigned to the selected certificate with the key type defined at the previous step (i.e. allowed-key-type.json) in order to follow security best practices and comply with the organization standards:

az keyvault certificate set-attributes
	--id https://cc-internal-app-vault.vault.azure.net/certificates/example
	--policy @allowed-key-type.json

The command output should return the metadata available for the reconfigured certificate:

{
  "attributes": {
    "created": "2020-03-20T18:36:54+00:00",
    "enabled": true,
    "expires": "2021-03-20T18:36:54+00:00",
    "notBefore": "2020-03-20T18:26:54+00:00",
    "recoveryLevel": "Recoverable+Purgeable",
    "updated": "2020-03-20T18:48:39+00:00"
  },

    ...

    "keyProperties": {
      "exportable": true,
      "keySize": 4096,
      "keyType": "RSA",
      "reuseKey": false
    },

    ...

    "x509CertificateProperties": {
      "subject": "CN=example.com",
      "subjectAlternativeNames": {
        "dnsNames": [],
        "emails": null,
        "upns": null
      },
      "validityInMonths": 12
    }
  }
}

Repeat step no. 2 and 3 for each SSL certificate issued within the current vault.

Repeat steps no. 2 – 4 for each Azure Key Vault available in the current subscription.

Repeat steps no. 2 – 5 for each subscription created in your Microsoft Azure cloud account.