SSL/TLS Certificate Verification: How to Identify Expired Certificates

Verifying SSL/TLS certificates and establishing effective certificate management in your environment can be challenging. With cnquery's cloud-native asset inventory capabilities, you can retrieve all information about your deployed certificates and their certificate chains across your entire infrastructure. With cnspec's cloud-native security and compliance assessment, you can enforce that your certificates and their certificate chains are verified and not expired at all times.


How do I determine whether my certificate is valid or expired?

Mondoo's GraphQL-based query language, MQL, allows you to quickly gather information about an SSL/TLS endpoint.

If you have not yet installed cnquery, follow our instructions. Once it is installed, you can gather information about the complete certificate chain: whether each certificate is valid or revoked, whether it is a CA certificate, and when it expires:

tls.certificates { subject expiresIn isRevoked isVerified isCA }

[Screenshot: the query run in an interactive cnquery shell host session]

We added a dedicated SSL/TLS certificate incident response query pack to quickly gather all data about an SSL/TLS endpoint. It validates the SSL/TLS certificate and the encryption configuration of a domain.

To inspect the SSL/TLS certificate and configuration of a domain, run:

$ cnquery scan host --querypack mondoo-ssl-tls-certificate-incident-response
[Screenshot: SSL/TLS configuration check for a domain]


How can I ensure that no unverified or expired SSL/TLS certificates are in use?

Once you've updated all SSL/TLS certificates, you want to make sure that no new systems use an expired SSL/TLS certificate and that you are notified 90 days before an SSL/TLS certificate expires.

We added a new TLS Security Policy to cnspec that validates the SSL/TLS certificates and configurations.

If you have not yet installed cnspec, follow our instructions.

cnspec enforces the correct settings through controls that use MQL queries. This query verifies that the certificate is not expired, and the score drops as the expiration date approaches:

switch {
  case tls.certificates.first.expiresIn.days > 150: score(100);
  case tls.certificates.first.expiresIn.days > 120: score(70);
  case tls.certificates.first.expiresIn.days > 90: score(50);
  case tls.certificates.first.expiresIn.days > 60: score(20);
  case tls.certificates.first.expiresIn.days > 30: score(9);
  default: score(0);
}

The full policy is available on GitHub.

cnspec scan host -f cnspec-policies/core/mondoo-tls-security.mql.yaml
[Screenshot: cnspec scan results for the TLS security policy]
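The policy's scoring tiers and the expiresIn.days check, reproduced in Go (the language cnquery and cnspec are written in) as an added example that is not part of the Mondoo policy or tools. It generates a constructed self-signed certificate with a chosen NotAfter so the check runs offline; the ScoreExpiry, DaysUntilExpiry and SelfSignedCert names are mine, not MQL or cnspec identifiers.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// ScoreExpiry mirrors the policy's MQL switch: >150 days -> 100, >120 -> 70, >90 -> 50, >60 -> 20, >30 -> 9, else 0.
func ScoreExpiry(days int) int {
	for _, t := range []struct{ min, score int }{{150, 100}, {120, 70}, {90, 50}, {60, 20}, {30, 9}} {
		if days > t.min {
			return t.score
		}
	}
	return 0
}

// DaysUntilExpiry mirrors expiresIn.days: whole days until NotAfter, negative once expired.
func DaysUntilExpiry(cert *x509.Certificate, now time.Time) int {
	return int(cert.NotAfter.Sub(now) / (24 * time.Hour))
}

// SelfSignedCert builds a constructed self-signed certificate (not from a real host) expiring validDays after now.
func SelfSignedCert(validDays int, now time.Time) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now.Add(-time.Hour),
		NotAfter: now.Add(time.Duration(validDays) * 24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // IsCA on the result comes from BasicConstraints
}

func main() {
	now := time.Now().Truncate(time.Second) // x509 validity has one-second precision
	cert, err := SelfSignedCert(45, now)    // constructed: 45 days left, so score 9
	if err != nil {
		panic(err)
	}
	days := DaysUntilExpiry(cert, now)
	fmt.Printf("expiresIn %d days -> score %d (isCA=%v)\n", days, ScoreExpiry(days), cert.IsCA)
}
```

Against a live endpoint you would feed the served leaf certificate (for example the first entry of tls.Conn.ConnectionState().PeerCertificates) to DaysUntilExpiry instead of the constructed one.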

Success! You should be all set now. Feel free to run this process on your own infrastructure to make sure you're as secure as possible.

Patrick Münch

Chief Information Security Officer (CISO) at Mondoo, Patrick is highly skilled at protecting and hacking every system he gets his hands on. He built a successful penetration testing and incident response team at SVA GmbH, whose goal was to increase the security level of companies and limit the impact of ransomware attacks. Now, as part of the Mondoo team, Patrick can help protect far more organizations from cybersecurity threats.
