Certificates have insufficient auto renewal period
More Info:
In Microsoft Azure Key Vault, ensure that certificates have a sufficient auto-renewal period configured for security and compliance purposes. This period indicates the amount of time (number of days) before SSL certificate expiration, when the renewal process is automatically triggered.Risk Level
LowAddress
SecurityCompliance Standards
GDPRTriage and Remediation
Remediation
Using Console
Using Console
To remediate the certificate auto-renewal issue in Azure using the Azure console, you can follow the below steps:
- Open the Azure portal and navigate to the specific certificate that needs to be remediated.
- Click on the certificate to open its properties.
- In the properties page, scroll down to the “Automation” section and click on the “Auto-renewal” option.
- In the “Auto-renewal” section, enable the “On” toggle button to turn on the auto-renewal feature.
- Specify the “Number of days before expiry” (e.g., 30 days) to trigger the auto-renewal process.
- Click on the “Save” button to save the changes.
Using CLI
Using CLI
To remediate the insufficient auto-renewal period for certificates in Azure using Azure CLI, follow these steps:
- Open Azure CLI on your machine.
-
Log in to your Azure account using the command:
az login -
Once you are logged in, select the subscription that contains the certificate you want to remediate using the command:
az account set --subscription <subscription_id> -
Check the current auto-renewal period of the certificate using the command:
az keyvault certificate show --vault-name <vault_name> --name <certificate_name> --query 'attributes.autoRenewalDaysBeforeExpiry'Replace<vault_name>with the name of the Key Vault where the certificate is stored and<certificate_name>with the name of the certificate. -
If the auto-renewal period is less than the desired period, update it using the command:
az keyvault certificate set-attributes --vault-name <vault_name> --name <certificate_name> --auto-renew-days <days>Replace<vault_name>and<certificate_name>with the appropriate values, and set<days>to the desired number of days before expiry when the certificate should be auto-renewed. -
Verify that the auto-renewal period has been updated using the command:
az keyvault certificate show --vault-name <vault_name> --name <certificate_name> --query 'attributes.autoRenewalDaysBeforeExpiry'This should return the updated auto-renewal period. -
Exit Azure CLI using the command:
exit
Using Python
Using Python
To remediate the issue of insufficient auto-renewal period for certificates in Azure using Python, you can follow these steps:Note: You will need to replace the placeholders (
- Import the necessary libraries:
- Authenticate to the Azure portal using the
DefaultAzureCredentialclass:
- Initialize the
WebSiteManagementClientclass with the appropriate subscription ID and credential:
- Use the
web_client.certificates.getmethod to retrieve the certificate details:
- Check the
expiration_timeproperty of the certificate to see if it is within the desired auto-renewal period. If not, use theweb_client.certificates.create_or_updatemethod to update the certificate with a newexpiration_timevalue:
your_subscription_id, your_resource_group_name, your_certificate_name, desired_auto_renewal_date, and new_expiration_date) with your specific values.