Use internally signed certificates
Summary​
The organization must use certificates signed by valid internal certification authorities when these are for internal applications.
Description​
Internally signed certificates refers to the practice of an organization issuing its own digital certificates for internal purposes, instead of obtaining them from a third-party Certificate Authority (CA). This approach is common in internal network environments where the certificates are primarily used for securing communication within the organization.
Supported In​
This requirement is verified in following services
Plan | Supported |
---|---|
Essential | 🔴 |
Advanced | 🟢 |
References​
- CWEâ„¢-295. Improper certificate validation
- PTES-7_4_2_7. Post exploitation - Pillaging (certificate authority)
- OWASP SAMM-OM. Operational Management
- OWASP ASVS-9_2_1. Server communication security
- CASA-9_2_1. Server Communication Security
Vulnerabilities​
- 163. Insecure digital certificates
- 348. Insecure digital certificates - Lifespan
- 350. Insecure digital certificates - Chain of trust
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.