last sync: 2025-Oct-31 18:22:59 UTC

Certificates should not expire within the specified number of days

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: Certificates should not expire within the specified number of days
Id: f772fb64-8e40-40ad-87bc-7706e1949427
Version: 2.1.1
Versioning: versions supported for Versioning: 2 (2.1.1, 2.1.0-preview); Built-in Versioning [Preview]
Category: Key Vault
Description: Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration.
Cloud environments: AzureCloud = true; AzureUSGovernment = true; AzureChinaCloud = unknown
Available in AzUSGov: The Policy is available in AzureUSGovernment cloud. Version: '2.1.1'
Repository: Azure-Policy (f772fb64-8e40-40ad-87bc-7706e1949427)
Mode: Microsoft.KeyVault.Data
Type: BuiltIn
Preview: False
Deprecated: False
Effect: Default = Audit; Allowed = audit, Audit, deny, Deny, disabled, Disabled
RBAC role(s): none
Rule aliases: none
Rule resource types: none
Compliance
The following 1 compliance control is associated with this Policy definition 'Certificates should not expire within the specified number of days' (f772fb64-8e40-40ad-87bc-7706e1949427).

Control Domain | Control Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy#
Azure_Security_Benchmark_v3.0 | DP-7 | Azure_Security_Benchmark_v3.0_DP-7 | Microsoft cloud security benchmark DP-7 | Data Protection | DP-7 Use a secure certificate management process | Shared | (Requirements below) | n/a | link | 2

Requirements:

**Security Principle:** Document and implement an enterprise certificate management standard, processes and procedures which include certificate lifecycle control and certificate policies (if a public key infrastructure is needed). Ensure certificates used by the critical services in your organization are inventoried, tracked, monitored, and renewed in a timely manner using automated mechanisms to avoid service disruption.

**Azure Guidance:** Use Azure Key Vault to create and control the certificate lifecycle, including creation/import, rotation, revocation, storage, and purge of the certificate. Ensure the certificate generation follows the defined standard without using any insecure properties, such as insufficient key size, overly long validity period, insecure cryptography and so on. Set up automatic rotation of the certificate in Azure Key Vault and the Azure service (if supported) based on the defined schedule and when a certificate expires. If automatic rotation is not supported in the front application, use manual rotation in Azure Key Vault. Avoid using self-signed certificates and wildcard certificates in your critical services due to their limited security assurance. Instead, you can create a publicly signed certificate in Azure Key Vault. The following CAs are the current partnered providers with Azure Key Vault:
- DigiCert: Azure Key Vault offers OV TLS/SSL certificates with DigiCert.
- GlobalSign: Azure Key Vault offers OV TLS/SSL certificates with GlobalSign.
Note: Use only approved Certificate Authorities (CAs) and ensure that known bad CA root/intermediate certificates, and certificates issued by these CAs, are disabled.

**Implementation and additional context:**
Get started with Key Vault certificates: https://docs.microsoft.com/azure/key-vault/certificates/certificate-scenarios
Certificate Access Control in Azure Key Vault: https://docs.microsoft.com/azure/key-vault/certificates/certificate-access-control
Initiatives usage
Initiative DisplayName | Initiative Id | Initiative Category | State | Type | polSet in AzUSGov
[Preview]: Microsoft cloud security benchmark v2 | e3ec7e09-768c-4b64-882c-fcada3772047 | Security Center | Preview | BuiltIn | unknown
Enforce recommended guardrails for Azure Key Vault | Enforce-Guardrails-KeyVault | Key Vault | GA | ALZ |
History
Date/Time (UTC ymd) | Change type | Change detail
2024-02-13 19:27:15 | change | Patch, old suffix: preview (2.1.0-preview > 2.1.1)
2022-04-01 20:29:14 | change | Minor, suffix remains equal (2.0.1-preview > 2.1.0-preview)
2021-10-25 16:02:14 | change | Version remains equal, new suffix: preview (2.0.1 > 2.0.1-preview)
2021-08-30 14:27:30 | change | Patch, old suffix: preview (2.0.0-preview > 2.0.1)
2020-09-02 14:03:46 | change | Previous DisplayName: [Preview]: Manage certificates that are within a specified number of days of expiration
2019-11-19 11:26:09 | change | Previous DisplayName: [Preview]: Certificates should not expire in the specified number of days