AWS Certificate Manager

ACM Certificate Renew Eligibility Check

This plugin determines the SSL/TLS certificates which are not eligible for auto-renewal.

Risk Level: Low

Description:

This plugin determines the SSL/TLS certificates that are not eligible for auto-renewal. Certificates without DNS validation or email validation are ineligible for renewal, so the plugin identifies those certificates.

PingSafe recommends ensuring that AWS can renew the certificate through email or DNS validation of the domain.

About the Service:

AWS Certificate Manager (ACM) is a service that simplifies and automates the conventional tasks of SSL/TLS certificate management: creating, storing, and renewing the public and private SSL/TLS X.509 certificates and keys that protect AWS websites and applications. It is designed for organizations that require a secure web presence using TLS.

Impact:

If an SSL/TLS certificate is not renewed before its expiry date, the certificate becomes invalid, and communications between clients and the AWS resource that uses the certificate are no longer secure.

Steps to reproduce:

  1. Log in to your AWS console.
  2. Navigate to the AWS ACM dashboard.
  3. The certificates page that appears lists each certificate's renewal eligibility. The Renewal eligibility column shows whether a certificate is Eligible or Ineligible.
  4. In this case the Renewal eligibility column for the certificate shows Ineligible.
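The console check above can be automated. The following script is an added example, not PingSafe's plugin code: it works on certificate records in the shape returned by ACM's DescribeCertificate API (the RenewalEligibility, Type, NotAfter and DomainValidationOptions fields are real API fields), flags every certificate that is not ELIGIBLE, explains why, and orders the findings by days to expiry so the most urgent ones come first. The sample certificate records and ARNs are constructed for the example; `fetch_certificates` assumes boto3 and AWS credentials are available and is only needed against a live account.

```python
"""Flag ACM certificates that are not eligible for managed renewal.

Added example (not PingSafe's plugin code). Works on dicts shaped like the
"Certificate" object of ACM's DescribeCertificate API; the sample records at
the bottom are constructed for the example.
"""
from datetime import datetime, timedelta, timezone


def classify(cert, now):
    """Return a finding dict if the certificate is ineligible, else None."""
    if cert.get("RenewalEligibility") == "ELIGIBLE":
        return None
    # Validation methods that ACM could use to renew the certificate.
    methods = sorted({
        opt.get("ValidationMethod", "NONE")
        for opt in cert.get("DomainValidationOptions", [])
    })
    if cert.get("Type") == "IMPORTED":
        reason = "imported certificate: ACM cannot renew it, reimport before expiry"
    elif not methods or methods == ["NONE"]:
        reason = "no DNS or email domain validation, so ACM cannot renew it"
    else:
        reason = "marked INELIGIBLE by ACM"
    not_after = cert.get("NotAfter")
    days_left = (not_after - now).days if not_after else None
    return {
        "arn": cert["CertificateArn"],
        "domain": cert.get("DomainName"),
        "type": cert.get("Type"),
        "validation": methods,
        "days_to_expiry": days_left,
        "reason": reason,
    }


def find_ineligible(certs, now=None):
    """All ineligible certificates, soonest expiry first."""
    now = now or datetime.now(timezone.utc)
    findings = [f for f in (classify(c, now) for c in certs) if f]
    findings.sort(key=lambda f: f["days_to_expiry"]
                  if f["days_to_expiry"] is not None else 10 ** 9)
    return findings


def fetch_certificates(region_name):
    """Pull every certificate's details from a live account.

    Assumes boto3 is installed and AWS credentials are configured; imported
    here so the offline sample below has no dependency on it.
    """
    import boto3
    acm = boto3.client("acm", region_name=region_name)
    certs = []
    for page in acm.get_paginator("list_certificates").paginate():
        for summary in page["CertificateSummaryList"]:
            certs.append(acm.describe_certificate(
                CertificateArn=summary["CertificateArn"])["Certificate"])
    return certs


# Constructed sample data (not real account data); ARNs are placeholders.
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    {   # Amazon-issued, DNS validated: ACM renews it automatically.
        "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-1",
        "DomainName": "www.example.com", "Type": "AMAZON_ISSUED",
        "RenewalEligibility": "ELIGIBLE",
        "NotAfter": SAMPLE_NOW + timedelta(days=300),
        "DomainValidationOptions": [{"DomainName": "www.example.com",
                                     "ValidationMethod": "DNS"}],
    },
    {   # Imported certificate: never eligible for managed renewal.
        "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-2",
        "DomainName": "api.example.com", "Type": "IMPORTED",
        "RenewalEligibility": "INELIGIBLE",
        "NotAfter": SAMPLE_NOW + timedelta(days=20),
        "DomainValidationOptions": [],
    },
    {   # Email validated but currently flagged ineligible by ACM.
        "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-3",
        "DomainName": "mail.example.com", "Type": "AMAZON_ISSUED",
        "RenewalEligibility": "INELIGIBLE",
        "NotAfter": SAMPLE_NOW + timedelta(days=45),
        "DomainValidationOptions": [{"DomainName": "mail.example.com",
                                     "ValidationMethod": "EMAIL"}],
    },
]

if __name__ == "__main__":
    for finding in find_ineligible(SAMPLE_CERTS, SAMPLE_NOW):
        print(f"{finding['days_to_expiry']:>4}d  {finding['domain']:<20} "
              f"{finding['type']:<14} {finding['reason']}")
```

Against a live account, replace `SAMPLE_CERTS` with `fetch_certificates("us-east-1")` (or each region you use, since ACM certificates are regional); anything the script lists needs the reimport procedure below, or reissuance through ACM with DNS or email validation, before `days_to_expiry` reaches zero.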

Steps for remediation:

  1. Log in to your AWS console.
  2. Navigate to the AWS ACM dashboard.
  3. The certificates page that appears lists each certificate's renewal eligibility. The Renewal eligibility column shows whether a certificate is Eligible or Ineligible.
  4. If the certificate is ineligible, reimport it using the Actions button and selecting the Reimport Certificate option from the dropdown menu.
  5. On the Import Certificate page:
    1. Paste the PEM-encoded certificate to import into the Certificate body field.
    2. Paste the PEM-encoded, unencrypted private key that matches the certificate's public key into the Certificate private key field.
  6. Finally, click the Review and Import button to continue.
  7. On the Review and Import page, select Import to finish the renewal process.

References: