AWS Certificate Manager

ACM Expired Certificates

This plugin identifies ACM (AWS Certificate Manager) certificates that have expired.

Risk Level: High

Description:

This plugin identifies ACM (AWS Certificate Manager) certificates that have expired. To adhere to Amazon security best practices, remove expired certificates.

PingSafe strongly recommends ensuring that AWS is able to renew the certificate via email or DNS validation of the domain.

About the Service:

AWS Certificate Manager (ACM) is a service that simplifies and automates many of the routine tasks around SSL/TLS certificates: creating, storing, and renewing the public and private SSL/TLS X.509 certificates and keys that protect AWS-hosted websites and applications. It is designed for organizations that need a secure web presence over TLS.

Impact:

If the expiration of ACM certificates is not detected, the certificates lapse and the public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates that AWS services depend on can no longer be provisioned, managed, and deployed. Without them, secure network communications cannot be established.

Steps to reproduce:

  1. Log in to your AWS console.
  2. Navigate to the AWS ACM dashboard.
  3. The certificate list shows each certificate's status: whether it is valid, nearing its expiration, expired, or otherwise not usable.
  4. In this example the certificate's status is shown as Pending validation. Any expired certificates would appear in the same status column.

Steps for remediation:

  1. Log in to your AWS console.
  2. Navigate to the AWS ACM dashboard.
  3. Check the status of the certificates that have expired and delete them. AWS attempts to renew certificates automatically, but cannot do so if email or DNS validation of the domain cannot be confirmed.
  4. To delete a certificate, select it, click the Actions button in the dashboard's top menu, and choose Delete from the dropdown menu.
  5. If no certificates remain after the deletion, the console returns to the "Create ACM" home page.
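The console checks in the two procedures above can be automated against the same fields ACM returns from its API. The following is an added example, not PingSafe's plugin code: it classifies a constructed set of certificate records (shaped like the boto3 `describe_certificate` response) as expired, expiring soon, pending validation, or valid, and lists the ones that need action together with their renewal eligibility. The 30-day warning threshold and the `fetch_from_acm` helper (which calls boto3 against a real account and is not exercised offline) are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Field names match describe_certificate()["Certificate"]: Status, NotAfter, DomainName, RenewalEligibility.
EXPIRY_WARNING_DAYS = 30  # assumed threshold for "nearing its expiration"

def classify(cert, now):
    """Map one record to EXPIRED, EXPIRING_SOON, PENDING_VALIDATION, VALID or OTHER."""
    status, not_after = cert.get("Status"), cert.get("NotAfter")
    if status == "PENDING_VALIDATION":
        return "PENDING_VALIDATION"
    # Check NotAfter as well as Status: a cert is past its end date before ACM flips the status.
    if status == "EXPIRED" or (not_after is not None and not_after <= now):
        return "EXPIRED"
    if status == "ISSUED" and not_after is not None:
        if not_after - now <= timedelta(days=EXPIRY_WARNING_DAYS):
            return "EXPIRING_SOON"
        return "VALID"
    return "OTHER"  # FAILED, REVOKED, VALIDATION_TIMED_OUT, ...

def find_findings(certs, now):
    """Return (arn, domain, label, renewal_eligibility) for every cert that needs action."""
    flagged = ("EXPIRED", "EXPIRING_SOON", "PENDING_VALIDATION")
    return [(c["CertificateArn"], c["DomainName"], classify(c, now), c.get("RenewalEligibility"))
            for c in certs if classify(c, now) in flagged]

def fetch_from_acm(region="us-east-1"):
    """Live records via boto3 (assumed wiring; needs AWS credentials, not run offline)."""
    import boto3
    acm = boto3.client("acm", region_name=region)
    return [acm.describe_certificate(CertificateArn=s["CertificateArn"])["Certificate"]
            for page in acm.get_paginator("list_certificates").paginate()
            for s in page["CertificateSummaryList"]]

# Constructed sample records, not from a real account.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
ARN = "arn:aws:acm:us-east-1:111122223333:certificate/sample-%d"
SAMPLE_CERTS = [
    {"CertificateArn": ARN % 1, "DomainName": "old.example.com", "Status": "EXPIRED",
     "NotAfter": NOW - timedelta(days=10), "RenewalEligibility": "INELIGIBLE"},
    {"CertificateArn": ARN % 2, "DomainName": "soon.example.com", "Status": "ISSUED",
     "NotAfter": NOW + timedelta(days=12), "RenewalEligibility": "ELIGIBLE"},
    {"CertificateArn": ARN % 3, "DomainName": "new.example.com", "Status": "PENDING_VALIDATION",
     "NotAfter": None, "RenewalEligibility": "INELIGIBLE"},
    {"CertificateArn": ARN % 4, "DomainName": "ok.example.com", "Status": "ISSUED",
     "NotAfter": NOW + timedelta(days=300), "RenewalEligibility": "ELIGIBLE"},
]

if __name__ == "__main__":
    for arn, domain, label, eligible in find_findings(SAMPLE_CERTS, NOW):
        print(f"{label:<19} {domain:<18} renewal={eligible:<10} {arn}")
```

An expired certificate reported as INELIGIBLE for renewal is the case the remediation steps cover: it will not come back on its own and should be deleted (or re-requested with working email or DNS validation).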
