ACM Certificate Without Validation Options

This plugin plays a crucial role in the detection of certificates that do not have domain validation options.

Risk Level: Low

Description: 

This plugin plays a crucial role in the detection of certificates that do not have domain validation options. ACM renews the certificates automatically if they are valid excluding the case of the certificates being invalid.

PingSafe stresses the importance of ensuring that ACM-managed certificates must be DNS validated.

About the Service :

AWS Certificate Manager or ACM is an invaluable service that is aimed at simplifying and automating many of the conventional activities connected with SSL/TLS certification like creating, storing, and renewing public and private SSL/TLS X.509 certificates and keys that protect AWS websites and applications. This service is designed for companies who require a secure web presence using TLS.

Impact : 

In the presence of ACM Certificates without validation, the certificates will become invalid and we will have to request new SSL/TLS certificates. This will undoubtedly cause interference with services and applications. We won’t be able to provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services. Moreover, secure network communications cannot be established in the absence of the same.

Compliances covered :

Steps to reproduce :

  1. Login to your AWS console.
  2. Navigate to the AWS ACM dashboard.
  3. In this tab, we can view the status of the Certificates by clicking on Show/Hide Details button.
  4. In the status tab, we can monitor the status of a certificate, whether it’s validated, invalid or its validation is pending.
  5. We can clearly see the status of our certificate shows pending validation. 
  6. Similarly, we can check the status of other certificates too.

 

Steps for remediation :

  1. Login to your AWS console.
  2. Navigate to the AWS ACM dashboard.
  3. The next step is to select the SSL/TLS certificate that is not validated.
  4. One of the possible solutions is to resend the validation email which can be done by clicking on the Action button from the dashboard top menu and when we try to select the Resend validation email option from the dropdown menu we can observe that it is not possible because the certificate does not have DNS validation options.
  5. PingSafe hence strongly recommends ensuring that the DNS validation is in place.

 

References: