ACM Certificate DNS Validation Check

This plugin plays a crucial role in the detection of certificates that are not using DNS validation.

Risk Level: Low

Description: 

This plugin plays a crucial role in the detection of certificates that are not using DNS validation. ACM renews the certificates automatically if they are valid and CNAME remains in DNS configuration excluding the case of the certificates being invalid.

PingSafe stresses the importance of configuring ACM-managed certificates to be DNS validated.

About the Service :

AWS Certificate Manager or ACM is an invaluable service that is aimed at simplifying and automating many of the conventional activities connected with SSL/TLS certification like creating, storing, and renewing public and private SSL/TLS X.509 certificates and keys that protect AWS websites and applications. This service is designed for companies who require a secure web presence using TLS.

Impact : 

In the presence of ACM Certificates without validation, the certificates will become invalid and we will have to request new SSL/TLS certificates. This will undoubtedly cause interference with services and applications. We won’t be able to provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services. Moreover, secure network communications cannot be established in the absence of the same.

Steps to reproduce :

  1. Login to your AWS console.
  2. Navigate to the AWS ACM dashboard.
  3. In this tab, we can view the status of the Certificates by clicking on Show/Hide Details button.
  4. In the status tab, we can monitor the status of a certificate, whether it’s validated, invalid or its validation is pending.
  5. We can clearly see the status of our certificate shows pending validation. 
  6. Similarly, we can check the status of other certificates too.

Steps for remediation :

  1. Login to your AWS console.
  2. Navigate to the AWS ACM dashboard.
  3. The next step is to select the SSL/TLS certificate that is not validated.
  4. One of the possible solutions is to resend the validation email which can be done by clicking on the Action button from the dashboard top menu and select the Resend validation email option from the dropdown menu.
  5. Once we resend the validation email, an email will be generated to different hosts including the domain registrant, administrative, and technical contacts requesting verification. After validation, the certificate will be issued or renewed.



References: