Renew TLS Certificates

The domain certificate has expired or will expire soon. An expired certificate will result in error messages for the web application's users.

Security Assessment

CVSS Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Vulnerability Information

The domain certificate has expired or will expire very soon. An expired certificate will result in error messages for the web application's users. To guarantee secure connections between the users and the webserver, request a newly signed certificate from your certificate authority.

Guides

Use one of the following guides to renew your certificates.

OpenSSL

To generate a certificate signing request for your certificate run:

https://github.com/crashtest-security/gist/blob/master/ssl_tls_vulnerabilities/renew_tls_certificates/certificate_signing_request

This assumes that your certificate to renew (including private key) is stored in ssl/certificate.key. Then submit the certificate_signing_request.csr to your certificate authority. They will use this request to sign your certificate and provide you with the signed certificate. If the signed certificate is returned to you as new.crt, you can combine the key and the signed certificate as follows:

https://github.com/crashtest-security/gist/blob/master/ssl_tls_vulnerabilities/renew_tls_certificates/combine_key_certificate

The resulting new.pem file can be copied to your webserver directory to be used in the web application.
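
The OpenSSL steps above as an added shell example (not the commands from the linked gist and not Crashtest Security's code): it checks the expiry window, builds the CSR from the existing key, and combines key and certificate only when their public keys match. The function names, the temporary directory, the CN example.test, the 30-day window and the self-signed stand-in for the certificate authority are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example. Everything is created in a temp dir; the key and both
# certificates are constructed test data (self-signed, CN=example.test).

# True (exit 0) if the certificate expires within $2 seconds.
# An unreadable file also counts as "expiring", so a monitor fails safe.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Public key (PEM) held in a private key, a CSR, or a certificate.
key_pub()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
csr_pub()  { openssl req  -in "$1" -noout -pubkey 2>/dev/null; }
cert_pub() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# CSR for an existing key: make_csr KEY SUBJECT OUT
make_csr() { openssl req -new -key "$1" -subj "$2" -out "$3"; }

# Key + signed certificate in one PEM; refuse if they do not belong together.
combine() {
    k=$(key_pub "$1") && [ -n "$k" ] && [ "$k" = "$(cert_pub "$2")" ] || return 1
    ( umask 077; cat "$1" "$2" > "$3" )   # output contains the private key
}

demo() {
    d=$(mktemp -d) && mkdir "$d/ssl" || return 1
    openssl genrsa -out "$d/ssl/certificate.key" 2048 2>/dev/null
    # Stand-in for the certificate that is about to expire (valid for 1 day).
    openssl req -x509 -new -key "$d/ssl/certificate.key" \
        -subj "/CN=example.test" -days 1 -out "$d/old.crt"
    make_csr "$d/ssl/certificate.key" "/CN=example.test" \
        "$d/certificate_signing_request.csr"
    # Stand-in for the certificate authority: self-sign the CSR for 90 days.
    openssl x509 -req -in "$d/certificate_signing_request.csr" \
        -signkey "$d/ssl/certificate.key" -days 90 -out "$d/new.crt" 2>/dev/null
    combine "$d/ssl/certificate.key" "$d/new.crt" "$d/new.pem" || return 1
    echo "$d"
}

d=$(demo) || exit 1
expires_within "$d/old.crt" 2592000 && echo "old.crt: renew now"
expires_within "$d/new.crt" 2592000 || echo "new.crt: valid for more than 30 days"
```

The public-key comparison catches the common renewal mistake of pairing a freshly issued certificate with the wrong key before the file reaches the webserver.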

Let's Encrypt

If you are using Let's Encrypt as your certificate authority, simply run the certbot renew command:

https://github.com/crashtest-security/gist/blob/master/ssl_tls_vulnerabilities/renew_tls_certificates/lets_encrypt

To enable manual renewal, add the renew command to your crontab by running sudo crontab -e:

https://github.com/crashtest-security/gist/blob/master/ssl_tls_vulnerabilities/renew_tls_certificates/lets_encrypt_manual

This will run the renew command once a week at midnight trying to renew all your certificates.