091 – Use internally signed certificates
Summary
The organization must use certificates signed by valid internal certification authorities for its internal applications.
Description
Internally signed certificates are digital certificates that an organization issues itself for internal purposes, instead of obtaining them from a third-party Certificate Authority (CA). This approach is common in internal network environments, where the certificates are primarily used to secure communication within the organization.
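One way to check this requirement, as an added example that is not part of the original page: the script builds a throwaway internal CA with the OpenSSL CLI, issues a certificate for a hypothetical internal application, and verifies that it chains to that CA while a self-signed certificate does not. The Example Corp names, host names, file paths and function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: constructed names and throwaway keys, not a production PKI.
WORK=$(mktemp -d)

new_key() {  # $1 = output key file (P-256)
    openssl ecparam -name prime256v1 -genkey -noout -out "$1"
}

# Create the self-signed root of the hypothetical internal CA.
make_internal_ca() {  # $1 = basename for key and certificate
    new_key "$1.key" &&
    openssl req -x509 -new -key "$1.key" -sha256 -days 30 \
        -subj "/O=Example Corp/CN=Example Corp Internal Root CA" -out "$1.pem"
}

# Issue a certificate for an internal application from that CA.
issue_internal_cert() {  # $1 = CA basename, $2 = leaf basename, $3 = CN
    new_key "$2.key" &&
    openssl req -new -key "$2.key" -subj "/O=Example Corp/CN=$3" -out "$2.csr" &&
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -sha256 -days 30 -out "$2.pem" 2>/dev/null
}

# Self-signed certificate with no link to the internal CA (the failing case).
make_self_signed() {  # $1 = basename, $2 = CN
    new_key "$1.key" &&
    openssl req -x509 -new -key "$1.key" -sha256 -days 30 \
        -subj "/CN=$2" -out "$1.pem"
}

# Compliance check: does the certificate chain to the internal CA?
# -no-CApath: do not also trust the system's default CA directory.
signed_by_internal_ca() {  # $1 = internal CA certificate, $2 = certificate to check
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

make_internal_ca "$WORK/ca"
issue_internal_cert "$WORK/ca" "$WORK/wiki" "wiki.corp.example"
make_self_signed "$WORK/selfsigned" "wiki.corp.example"

for cert in wiki selfsigned; do
    if signed_by_internal_ca "$WORK/ca.pem" "$WORK/$cert.pem"; then
        echo "$cert.pem: signed by the internal CA"
    else
        echo "$cert.pem: NOT signed by the internal CA"
    fi
done
```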
Supported In
Advanced: True
Last updated
2024/02/09