
Example: Searching for certificate instances that are vulnerable to known attacks

You can search for certificate instances whose TLS endpoints are vulnerable to known attacks, and then remediate each affected endpoint (for example, disable SSLv3 for POODLE, apply the vendor's OpenSSL fix for Heartbleed, or move to 2048-bit or stronger Diffie-Hellman parameters for Logjam). This example shows you how to search for POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerabilities. However, Venafi Cloud can search on any of the following fields. Note that these flags are only as current as the most recent scan of the endpoint (reported in lastScanDate in the response), so re-scan after remediating rather than treating a cleared flag as a live check:

  • heartbleed (the corresponding field in the response is heartbleedVulnerable; confirm the exact search field name against the parameter documentation)
  • logjamVulnerable
  • poodleVulnerable
  • poodleTlsVulnerable

To search for certificate instances that are vulnerable to known attacks

  1. If you have not already done so, obtain an API key. Treat the key as a credential: send it only over HTTPS, do not hard-code it in scripts or commit it to source control, and rotate it if it is exposed.

  2. Send a POST request to the certificateinstance endpoint, passing your API key in the tppl-api-key header and the JSON body described in the next step. For example:

    POST https://api.venafi.cloud/v1/certificateinstance
    tppl-api-key: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
    
  3. In the JSON body, specify an EQ condition on the poodleVulnerable field with a value of true (vulnerable) or false (not vulnerable), as shown in the example below. The paging section limits how many instances a single response contains; the example uses a pageSize of 1, so increase pageSize or iterate pageNumber to enumerate every affected instance rather than stopping at the first result. For additional help, use the parameter descriptions in our documentation. For example:

Example JSON body

{
   "expression":{
      "operands":[
         {
            "field":"poodleVulnerable",
            "operator":"EQ",
            "value":"true"
         }
      ]
   },
   "ordering":{
      "orders":[
         {
            "direction":"ASC",
            "field":"subjectCN"
         },
         {
            "direction":"DESC",
            "field":"keyStrength"
         }
      ]
   },
   "paging":{
      "pageNumber":0,
      "pageSize":1
   }
}
Example response. The sslProtocols and cipherSuites arrays explain the finding: SSLv3 is enabled (the precondition for POODLE), and the endpoint also offers SSLv2 and RC4/3DES suites that should be disabled as part of the same remediation. The vulnerability flags reflect the scan recorded in lastScanDate, not a live check of the endpoint.
{
   "count":1,
   "instances":[
      {
         "id":"80c61360-2faa-11e7-bbb8-d7e9aadda3cb",
         "certificateId":"80c30620-2faa-11e7-bbb8-d7e9aadda3cb",
         "companyId":"9c731a20-2f8e-11e7-be41-1507c9a9e451",
         "zoneId":"9c7dc881-2f8e-11e7-be41-1507c9a9e451",
         "fingerprint":"5DE3432B00F9CE2399AB7163676520C6774EA622",
         "certificateSource":"TRUSTNET_SCAN",
         "certificateStatuses":[
            "NONE"
         ],
         "creationDate":"2017-05-03T02:45:00.950+0000",
         "modificationDate":"2017-05-03T02:45:00.950+0000",
         "ipAddress":"127.0.0.1",
         "ipAddressAsLong":2927720739,
         "hostname":" ",
         "port":443,
         "sslProtocols":[
            "SSLv2",
            "SSLv3",
            "TLSv1"
         ],
         "cipherSuites":[
            "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "TLS_RSA_WITH_RC4_128_SHA",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
            "TLS_RSA_WITH_RC4_128_MD5",
            "TLS_RSA_WITH_AES_256_CBC_SHA",
            "PCT_SSL_CERT_TYPE"
         ],
         "heartbleedVulnerable":false,
         "logjamVulnerable":false,
         "poodleVulnerable":true,
         "poodleTlsVulnerable":false,
         "hstsEnabled":false,
         "alpnEnabled":false,
         "forwardSecrecyEnabled":true,
         "npnEnabled":false,
         "ocspStaplingEnabled":false,
         "renegotiationEnabled":false,
         "secureRenegotiationSupported":true,
         "tnLastUpdated":"2017-05-03T02:43:14.171+0000",
         "lastScanDate":"2017-03-05T11:00:00.000+0000",
         "sslProtocolsSecurityStatus":"DEPRECATED",
         "cipherSuitesSecurityStatus":"DEPRECATED",
         "compliance":{
            "score":0
         },
         "certificate":{
            "id":"80c30620-2faa-11e7-bbb8-d7e9aadda3cb",
            "companyId":"9c731a20-2f8e-11e7-be41-1507c9a9e451",
            "fingerprint":"5DE3432B00F9CE2399AB7163676520C6774EA622",
            "certificateSource":"TRUSTNET_SCAN",
            "certificateStatuses":[
               "NONE"
            ],
            "certificateType":"END_ENTITY",
            "creationDate":"2017-05-03T02:45:00.930+0000",
            "modificationDate":"2017-05-03T02:45:00.930+0000",
            "totalInstanceCount":1,
            "validityStart":"2017-01-25T17:01:32.000+0000",
            "validityEnd":"2018-01-25T17:01:32.000+0000",
            "validityPeriodDays":365,
            "validityPeriodRange":"GT_30_DAYS_LTE_2_YEARS",
            "selfSigned":false,
            "signatureAlgorithm":"SHA256_WITH_RSA_ENCRYPTION",
            "signatureHashAlgorithm":"SHA256",
            "encryptionType":"RSA",
            "keyStrength":2048,
            "publicKeyHash":"F7B78F7471AB2EED777CD488377E32A90B9DB530",
            "subjectKeyIdentifierHash":"8C8ADFDDDB849486A8E003A270D0785918E79EE2",
            "authorityKeyIdentifierHash":"CC338779405F8AD8846161E347F5EADDDC9FC2E1",
            "serialNumber":"1F3EBEFB0001000080C6",
            "subjectCN":[
               "iisUSPS13.lab.venafi.com"
            ],
            "subjectST":"UT",
            "subjectL":"Salt Lake City",
            "subjectC":"US",
            "subjectAlternativeNamesByType":{
               "otherName":[

               ],
               "rfc822Name":[

               ],
               "dNSName":[

               ],
               "x400Address":[

               ],
               "directoryName":[

               ],
               "ediPartyName":[

               ],
               "uniformResourceIdentifier":[

               ],
               "iPAddress":[

               ],
               "registeredID":[

               ]
            },
            "issuerCN":[
               "traininglab-Root-CA"
            ],
            "keyUsage":[
               "digitalSignature",
               "keyEncipherment"
            ],
            "ocspNoCheck":false,
            "compliance":{
               "score":0.7691358024691359
            }
         }
      }
   ]
}