Use externally signed certificates
Summary​
The organization must use certificates signed by valid external certification authorities when these are for external applications.
Description​
Using externally signed certificates refers to obtaining digital certificates for your web servers, applications, or other network services from a trusted Certificate Authority (CA) outside of an organization. External CAs are third-party entities that are widely recognized and trusted by web browsers and other software.
Supported In​
This requirement is verified in following services
Plan | Supported |
---|---|
Essential | 🔴 |
Advanced | 🟢 |
References​
- CAPECâ„¢-94. Adversary in the middle (AiTM)
- CMMC-AC_L1-3_1_20. External connections
- HITRUST CSF-01_j. User authentication for external connections
- PTES-7_4_2_7. Post exploitation - Pillaging (certificate authority)
- OWASP SAMM-OM. Operational Management
- OWASP ASVS-9_2_1. Server communication security
- CASA-9_2_1. Server Communication Security
Vulnerabilities​
- 163. Insecure digital certificates
- 348. Insecure digital certificates - Lifespan
- 350. Insecure digital certificates - Chain of trust
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.