
Overview: validating certificates

Certificate validations help ensure that you're using your certificates in a way that secures your machine identities. In fact, after certificates are added to the certificate inventory, TLS Protect Cloud validates them automatically (every 24 hours).

Why is certificate validation important? Because as security, compliance, and technological innovations introduce new criteria for the validation of certificates and the servers that host them, TLS Protect Cloud uses validation techniques to ensure that your certificates remain valid and are being used properly.

TLS Protect Cloud warns you automatically about any certificates that fail validation. In addition, a Machine Identity Digest is sent out through email notifications to specified recipients so that they can take immediate action.

In addition to validating certificates automatically, you can also run validation on certificates manually using Validate Now. And Validate Now can also sniff out any additional TLS server endpoints in your inventory.

Types of certificate validations

TLS Protect Cloud supports two types of certificate validation:

  • SSL/TLS validation

  • Certificate chain validation

About SSL/TLS validation

The validation feature in TLS Protect Cloud performs an SSL/TLS validation on each certificate every 24 hours, or you can run a validation manually at any time. The SSL/TLS validation checks that the correct certificate is in use on an application, and that the certificate is properly configured.

Each SSL/TLS validation status is listed below with its description, risk level, and resolution.

Validation status: Hostname mismatch
  Description: The TLS target presented a certificate, but the common name (CN) or SAN of your SSL/TLS certificate does not match the domain where the certificate is installed.
  Risk level: High
  Resolution: Install the correct version of the certificate associated with the domain, or reissue the certificate after verifying the CN and SAN.

Validation status: Old version of certificate found
  Description: One of your TLS server endpoints is using an older version of a certificate that should be replaced with the newer version.
  Risk level: High
  Resolution: Deploy the current version of the certificate on the target TLS server.

Validation status: No certificate present
  Description: The TLS target specified in TLS Protect Cloud did not present a certificate on the specified port.
  Risk level: Warning
  Resolution: Verify the TLS server installation and port number, and ensure that the target is valid. If the target is valid, investigate why the certificate is not present. If the target is no longer valid, remove it from the discovery target list, or wait until the installation ages out (currently 30 days).

Validation status: Unexpected certificate found
  Description: The certificate found on the TLS target has a different fingerprint than the one TLS Protect Cloud expected.
  Risk level: Warning
  Resolution: Install the correct certificate on the endpoint.

Validation status: Unknown error
  Description: TLS Protect Cloud encountered an error but could not identify it.
  Risk level: Warning
  Resolution: When an unknown error occurs, TLS Protect Cloud automatically captures the details of the condition and submits them to Venafi for future enhancement. If you have additional questions, contact Venafi Support.

Validation status: Pending
  Description: The validation process has not yet occurred.
  Risk level: Warning
  Resolution: Try running a manual validation (Validate Now), or wait until the next automated validation occurs. If you have additional questions, contact Venafi Support.

About certificate chain validation

Each certificate in TLS Protect Cloud shows that certificate's chain. A certificate chain starts with the end-entity certificate and proceeds through a number of intermediate certificates up to a trusted root certificate. Root certificates are typically issued by a trusted certificate authority (CA), but you can upload additional root certificates if needed, such as for an internal CA. Certificate chain validation makes sure a given certificate chain is well-formed, valid, properly signed, and trustworthy. Any error in the certificate chain could cause an outage.

To help avoid chain-related outages, TLS Protect Cloud continuously monitors all certificates in the chain.

What is a certificate chain?

If you are unfamiliar with certificate chains, read through How do Certificate Chains Work for background.

Following are the possible certificate chain validation states, their descriptions, and resolution actions.

Validation status: Chain expiring soon
  Description: One or more of the CA certificates in the trust chain expires before the end-entity certificate does, or is expiring soon.
  Risk level: High
  Resolution: Identify the expiring or soon-to-expire CA certificate from the end-entity certificate, then download and install the current chain. If the current chain is not available, renew the certificate, then download and install the end-entity and chain certificates.

Validation status: Chain building failed
  Description: One or more intermediate or root CA certificates is missing, and a complete chain can't be constructed. VC can build the chain for the certificate independently of the CA certificates returned by the server.
  Risk level: Warning
  Resolution: Install the missing intermediate CA certificate(s) on the TLS server target.

Validation status: Incomplete chain
  Description: The chain returned by the endpoint did not include enough valid intermediate certificates to build a complete chain anchored by a root CA. If the intermediate certificate is not installed, or the wrong one is uploaded, the certificate cannot be chained back to a root; browsers will not trust it and may show a "broken chain" or similar warning.
  Risk level: Warning
  Resolution: Check whether your intermediate certificate is invalid because it has been revoked or has expired. Download and install your end-entity certificate along with the proper intermediate certificate(s) that form its trust chain.

Validation status: Chain not trusted
  Description: The chain returned by the target cannot be used to form a trusted chain.
  Risk level: Warning
  Resolution: Add the missing CA certificate to the Trusted CA Certificate inventory.

Validation status: Unknown error
  Description: TLS Protect Cloud encountered an error but could not identify it.
  Risk level: Warning
  Resolution: When an unknown error occurs, TLS Protect Cloud automatically captures the details of the condition and submits them to Venafi for future enhancement. If you have additional questions, contact Venafi Support.

Validation status: Pending
  Description: The validation process has not yet occurred.
  Risk level: Warning
  Resolution: Try running a manual validation (Validate Now), or wait until the next automated validation occurs. If you have additional questions, contact Venafi Support.
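As an added example that is not part of this page or of TLS Protect Cloud, the Go program below mints a constructed root, intermediate, and end-entity certificate with the standard library and classifies whatever chain an endpoint presents using the status names from the chain validation table above. It is a simplified model of those checks: the rule that a verification failure with no intermediates presented is "Incomplete chain" while any other failure is "Chain not trusted" is my assumption, and the certificate names are made up.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// newCert mints a constructed certificate for cn signed by parent; a nil parent means self-signed.
func newCert(cn string, isCA bool, notAfter time.Time, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// ChainStatus maps the chain a TLS endpoint presented onto the page's chain validation states.
// Assumption (mine, not the product's rule): a failure with no intermediates presented is "Incomplete chain"; any other failure is "Chain not trusted".
func ChainStatus(leaf *x509.Certificate, inters []*x509.Certificate, trusted *x509.CertPool) string {
	pool := x509.NewCertPool()
	for _, c := range inters {
		pool.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: trusted, Intermediates: pool})
	if err != nil {
		if len(inters) == 0 {
			return "Incomplete chain"
		}
		return "Chain not trusted"
	}
	for _, ca := range chains[0][1:] { // every CA above the end-entity should outlive it
		if ca.NotAfter.Before(leaf.NotAfter) {
			return "Chain expiring soon"
		}
	}
	return "Valid"
}
```

Because the CA certificates are checked against the end-entity's own expiry, a chain whose intermediate lapses before the leaf is flagged even though it verifies today.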

What's next?

Learn more about the following concepts: