
Certificate Expiry Report

by Josef Weiss
September 24, 2015

The Certificate Expiry Report provides details on SSL certificates within the environment that have expired, or are expiring in 60 days or less. Certificates that have not yet reached their validity period are also reported. Both passive and active scan results provide vulnerability data to populate this report.

SSL certificates can be purchased from a Certificate Authority (CA), who, as a trusted third party, validates the site owner’s identity. Certificates can also be issued by the organization itself, which self-signs its certificates. In the most basic of terms, when you connect to a site using encryption, the server will send its certificate. Either the client must then trust the certificate directly, or a third party that the client trusts must do so.

Every certificate has an expiration date. When a certificate is expired, the revocation status is no longer published. When the revocation status cannot be checked, you should not trust the certificate, as you don't know if the certificate was revoked a long time ago. Consequently, you cannot validate that you are communicating with a trusted site. Keeping certificates from expiring is essential in providing trust to end users. If certificate issues exist, uncertainty may cause clients to not trust the site. Devices or hosts with expired certificates may also suggest poor security practices are in place.

To aid the organization in managing its certificate environment, the Certificate Expiry Report assists in determining if any expired certificates exist. This is accomplished using data from passive and active scanning. Active and passive plugins are utilized to determine if expired certificates have been detected within the environment. To help avoid expired certificates, a chapter highlights any SSL certificates that have been found to be within 60 days of expiration. Certificates can sometimes be installed that have not yet reached their validity period. The validity period of an SSL certificate is the span of time, ending at a specific expiration date, during which the certificate is valid. A chapter also exists to determine if these types of certificates exist in the environment.

Certificate expiration warnings are purely client-side. By providing details on expired, about-to-expire, or not-yet-valid certificates, the report helps organizations avoid costly certificate problems. Many times, expired certificates cause a loss of confidence in the trustworthiness of an organization or website. In addition, clients will face warning messages, and some services, such as image, video or other media, may stop functioning.

The report is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The report can be easily located in the Tenable.sc Feed under the category Discovery & Detection.

The report requirements are:

  • Tenable.sc 5.0.2
  • Nessus 8.6.0
  • NNM 5.9.0

Tenable's Tenable.sc Continuous View (Tenable.sc CV) is the market-defining continuous network monitoring platform. Tenable.sc CV includes active vulnerability detection with Nessus and passive vulnerability detection with Nessus Network Monitor (NNM). Using Tenable.sc CV, an organization will obtain the most comprehensive and integrated view of its network.

The report contains the following Chapters:

  • Executive Summary - The Executive Summary chapter provides an overview that summarizes the longer, more detailed chapters that follow. It provides a series of components that let readers rapidly become acquainted with the content of the remaining chapters without having to read all the detailed information. The subsequent chapters provide in-depth details on the hosts and SSL certificates found to be expired, soon to expire, or out of their validity period, through a series of table and matrix components.
  • Expired Certificates - The Expired Certificate chapter reports on SSL certificates that have been found to exist in the environment that have expired. Certificate expiry is essential in providing trust to end users. If certificate issues exist, uncertainty may cause clients to not trust the site. Devices or hosts with expired certificates may also suggest poor security practices are in place. This chapter provides results for both active and passive detection of expired certificates.
  • Certificates with Future Validity - When certificates are issued, they are defined to be valid from a specific date until a specific date (expiration date). This timeframe is the validity period. This table displays information on SSL certificates that have been found to exist within the environment, but are not yet within their validity period.
  • Certificates Expiring Soon - The Certificates Expiring Soon chapter provides a detailed report on hosts that have a certificate that will expire in the next 60 days or less. This timeframe is configurable: edit ssl_cert_exiry.nasl and change the look-ahead to a value other than the default of 60. NASL is a scripting language designed for the Nessus security scanner. Before modifying any NASL script, the analyst should understand how to edit NASL scripts correctly and should make a backup of all files.
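
The three conditions the report's chapters cover (expired, not yet valid, expiring within the look-ahead window), as an added Python example that is not part of the Tenable report or its plugins. It assumes validity dates in the text form Python's `ssl.getpeercert()` returns; the host names, dates and reference time are constructed.

```python
import ssl
from datetime import datetime, timedelta, timezone

LOOK_AHEAD_DAYS = 60  # the report's default look-ahead window


def _when(cert_time):
    """Parse a getpeercert()-style time such as 'Sep  1 00:00:00 2015 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def classify(cert, now, look_ahead_days=LOOK_AHEAD_DAYS):
    """Return (status, days): days since expiry, until validity, or until expiry."""
    not_before, not_after = _when(cert["notBefore"]), _when(cert["notAfter"])
    if now < not_before:
        return "future_validity", (not_before - now).days
    if now > not_after:
        return "expired", (now - not_after).days
    remaining = not_after - now
    if remaining <= timedelta(days=look_ahead_days):  # "60 days or less"
        return "expiring_soon", remaining.days
    return "ok", remaining.days


def build_report(inventory, now, look_ahead_days=LOOK_AHEAD_DAYS):
    """Group hosts into the report's three chapters, most urgent first."""
    report = {"expired": [], "future_validity": [], "expiring_soon": []}
    for host, cert in inventory.items():
        status, days = classify(cert, now, look_ahead_days)
        if status in report:
            report[status].append((host, days))
    report["expired"].sort(key=lambda row: -row[1])       # longest expired first
    report["future_validity"].sort(key=lambda row: row[1])
    report["expiring_soon"].sort(key=lambda row: row[1])  # soonest expiry first
    return report


# Constructed sample inventory (hypothetical hosts and dates, not scan output).
SAMPLE = {
    "intranet.example.test": {"notBefore": "Jan  1 00:00:00 2013 GMT", "notAfter": "Sep  1 00:00:00 2015 GMT"},
    "mail.example.test": {"notBefore": "Oct  1 00:00:00 2014 GMT", "notAfter": "Oct 24 00:00:00 2015 GMT"},
    "ftp.example.test": {"notBefore": "Oct  4 00:00:00 2014 GMT", "notAfter": "Oct  4 00:00:00 2015 GMT"},
    "vpn.example.test": {"notBefore": "Oct 10 00:00:00 2015 GMT", "notAfter": "Oct 10 00:00:00 2016 GMT"},
    "www.example.test": {"notBefore": "Jan  1 00:00:00 2015 GMT", "notAfter": "Jan  1 00:00:00 2017 GMT"},
}
NOW = datetime(2015, 9, 24, tzinfo=timezone.utc)  # constructed reference time

if __name__ == "__main__":
    for chapter, rows in build_report(SAMPLE, NOW).items():
        print(chapter, rows)
```

Passing a smaller `look_ahead_days` narrows only the expiring-soon group; expired and not-yet-valid certificates are reported regardless of the window.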
