SSL Certificate Validity - Duration

Medium Nessus Plugin ID 121009

Synopsis

The SSL certificate is valid over a time period that is too long.

Description

The CA/Browser Forum has passed a resolution setting the maximum validity period for SSL/TLS subscriber certificates via ballot 193.

Certificates issued after March 1, 2018 may not be valid longer than 825 days. Certificates issued after July 1, 2016 through March 1, 2018 may not be valid longer than 39 months. Certificates issued on or before July 1, 2016 may not be valid longer than 60 months.

Long validity periods encourage certificate owners to keep certificates in production that have vulnerabilities associated with weak cryptography and that may be out of compliance with other security guidelines.

Note: CA/Browser Forum ballot 193 specifies policy based on the day the certificate was issued. SSL/TLS certificates do not carry an issuance date. This plugin uses a certificate's 'Not Valid Before' date as a proxy for the date the certificate was issued.

Solution

Replace the SSL certificate with a certificate having a validity period less than or equal to 825 days.

See Also

http://www.nessus.org/u?5c70535d

Plugin Details

Severity: Medium

ID: 121009

File Name: ssl_cert_long_duration.nasl

Version: 1.9

Type: remote

Family: General

Published: 2019/01/08

Updated: 2019/03/27

Dependencies: 15901

Risk Information

Risk Factor: Medium

CVSS Score Source: manual

CVSS Score Rationale: Certificates that are outdated despite their validity period can have cryptographic and protocol weaknesses.

CVSS v2.0

Base Score: 4

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N

CVSS v3.0

Base Score: 4.8

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Vulnerability Information

Required KB Items: SSL/Supported