092 – Use externally signed certificates

Summary

The organization must use certificates signed by valid external certification authorities when these are for external applications.

Description

Using externally signed certificates refers to obtaining digital certificates for your web servers, applications, or other network services from a trusted Certificate Authority (CA) outside of an organization. External CAs are third-party entities that are widely recognized and trusted by web browsers and other software.

Supported In

Advanced: True

References

• CAPEC-94. Adversary in the middle (AiTM)
• CMMC-AC_L1-3_1_20. External connections
• HITRUST-01_j. User authentication for external connections
• PTES-7_4_2_7. Post exploitation - Pillaging (certificate authority)
• OSAMM-OM. Operational Management
• ASVS-9_2_1. Server communication security
• CASA-9_2_1. Server Communication Security

Weaknesses

• 163 – Insecure digital certificates
• 348 – Insecure digital certificates - Lifespan
• 350 – Insecure digital certificates - Chain of trust

Last updated

2024/02/09