Do you monitor certificates (TLS) for expiry, weak algorithms, and certificate transparency logs for new issuances?
Description
What this control does
This control ensures that organizations continuously monitor all TLS/SSL certificates in use across their infrastructure for security weaknesses and approaching expiration. Monitoring includes tracking certificate validity periods with automated alerts ahead of expiry, scanning for deprecated or weak cryptography (e.g., SHA-1 signatures, RSA keys shorter than 2048 bits, deprecated cipher suites), and subscribing to Certificate Transparency (CT) logs to detect unauthorized or mistakenly issued certificates bearing the organization's domain names. Effective implementation prevents service outages from expired certificates, reduces exposure to cryptographic downgrade attacks, and enables rapid detection of certificate mis-issuance or compromise, so that rogue certificates are caught before they are used maliciously.
Control objective
What auditing this proves
Demonstrate that the organization maintains comprehensive, automated monitoring of all TLS certificates for expiration, cryptographic weaknesses, and unauthorized issuances through Certificate Transparency log surveillance.
Associated risks
Risks this control addresses
- Service outages and application downtime caused by expired certificates interrupting encrypted communications without warning
- Man-in-the-middle attacks exploiting weak or deprecated cryptographic algorithms and protocols (SHA-1, SSLv3, weak ciphers) that remain undetected in production certificates and endpoints
- Unauthorized certificate issuance by compromised or rogue Certificate Authorities enabling adversary-in-the-middle attacks that go undetected without CT log monitoring
- Reputational damage and customer trust erosion when browsers display security warnings for expired or weak certificates on public-facing services
- Compliance violations and audit findings when certificates using non-compliant algorithms remain in production past mandated deprecation dates
- Delayed incident response when fraudulent certificates are issued for organizational domains but not detected until active exploitation occurs
- Shadow IT and unmanaged certificate proliferation creating blind spots where expired or weak certificates persist outside centralized inventory
Testing procedure
How an auditor verifies this control
- Request and review the organization's complete certificate inventory including all internal and external TLS certificates, certificate management system exports, and discovery scan results.
- Examine the configuration of automated certificate monitoring tools or platforms, verifying scan frequency, coverage of all certificate stores, and thresholds for expiration alerts (typically 30, 14, and 7 days prior to expiry).
- Review alert configuration and notification workflows to confirm that certificate expiration warnings are routed to appropriate technical teams with defined response procedures.
- Obtain evidence of cryptographic algorithm scanning settings, verifying detection of weak key sizes (RSA <2048 bits, ECC <224 bits), deprecated hash functions (MD5, SHA-1), and obsolete protocols (SSLv2, SSLv3, TLS 1.0/1.1).
- Select a sample of 10-15 active certificates from the inventory and validate that monitoring tools correctly identify expiration dates, key lengths, signature algorithms, and compliance status.
- Review Certificate Transparency log monitoring configuration, confirming subscription to relevant CT logs (e.g., those operated by Google, Cloudflare, and DigiCert) and automated matching of newly logged certificates against authorized domain lists.
- Request evidence of CT log alerts from the past 12 months, including examples of newly detected certificates and the corresponding investigation or validation workflow demonstrating legitimate vs. unauthorized issuances.
- Test the monitoring system by reviewing a recently expired or soon-to-expire certificate from logs, tracing the alert generation, ticket creation, and remediation action to confirm the end-to-end process functions as documented.
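The decision logic the description and the testing procedure above call for, as an added example that is not part of this control text or of any specific monitoring product: it applies the 30/14/7-day expiry tiers, the RSA < 2048 / ECC < 224 key thresholds and the MD5/SHA-1 signature check to inventory records, and triages CT-log entries against the authorized domain list and the known-certificate inventory. The record field names, the fingerprints and all sample data are constructed assumptions.

```python
from datetime import datetime, timezone
EXPIRY_TIERS_DAYS = (30, 14, 7)           # alert tiers for approaching expiry
MIN_KEY_BITS = {"RSA": 2048, "EC": 224}   # keys shorter than this are flagged weak
WEAK_HASHES = {"md5", "sha1"}             # deprecated signature hash functions


def in_scope(san, org_domains):
    """True if a SAN (wildcards compared by base name) is an authorized domain or a subdomain of one."""
    host = san.lower()[2:] if san.startswith("*.") else san.lower()
    return any(host == d or host.endswith("." + d) for d in org_domains)


def check_inventory_cert(cert, now):
    """Return (code, detail) findings for one inventory record against the control's thresholds."""
    findings = []
    days_left = (datetime.fromisoformat(cert["not_after"]) - now).days
    crossed = [t for t in EXPIRY_TIERS_DAYS if 0 <= days_left <= t]
    if days_left < 0:
        findings.append(("EXPIRED", f"expired {-days_left} days ago"))
    elif crossed:  # report the tightest alert tier already crossed
        findings.append(("EXPIRING", f"{days_left} days left, {min(crossed)}-day tier"))
    minimum = MIN_KEY_BITS.get(cert["key_type"])
    if minimum is not None and cert["key_bits"] < minimum:
        findings.append(("WEAK_KEY", f"{cert['key_type']}-{cert['key_bits']} < {minimum}"))
    if cert["sig_hash"].lower() in WEAK_HASHES:
        findings.append(("WEAK_SIGNATURE", f"signed with {cert['sig_hash']}"))
    return findings


def triage_ct_entry(entry, org_domains, inventory_fingerprints):
    """Classify a CT entry: 'ignore' (no organizational name), 'known' (in inventory) or 'unauthorized'."""
    if not any(in_scope(n, org_domains) for n in entry["sans"]):
        return "ignore"
    return "known" if entry["fingerprint"] in inventory_fingerprints else "unauthorized"


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed sample clock
ORG_DOMAINS = {"example.com"}
INVENTORY = [  # constructed sample records; fingerprints are placeholders, not real values
    {"fingerprint": "F1", "not_after": "2024-06-11T00:00:00+00:00", "key_type": "RSA", "key_bits": 2048, "sig_hash": "sha256"},
    {"fingerprint": "F2", "not_after": "2025-01-01T00:00:00+00:00", "key_type": "RSA", "key_bits": 1024, "sig_hash": "sha1"},
    {"fingerprint": "F3", "not_after": "2024-05-30T00:00:00+00:00", "key_type": "EC", "key_bits": 256, "sig_hash": "sha256"},
]
CT_ENTRIES = [
    {"fingerprint": "F1", "sans": ["www.example.com"]},          # the organization's own certificate
    {"fingerprint": "Z9", "sans": ["*.example.com"]},            # organizational name, not in inventory
    {"fingerprint": "Z8", "sans": ["notexample.com", "a.org"]},  # lookalike name, out of scope
]


def run_sample():
    """Evaluate the sample inventory and CT entries; returns (inventory findings, CT triage)."""
    known = {c["fingerprint"] for c in INVENTORY}
    inv = {c["fingerprint"]: check_inventory_cert(c, NOW) for c in INVENTORY}
    ct = {e["fingerprint"]: triage_ct_entry(e, ORG_DOMAINS, known) for e in CT_ENTRIES}
    return inv, ct
```

An "unauthorized" CT result is the trigger for the investigation workflow the procedure asks evidence for; a "known" result is the expected outcome for every certificate the organization issued itself.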