Certificate Source Check
Rule Details
Parameter | Description |
---|---|
Rule Name | cdn-use-my-certificate |
Identifier | Certificate Source Check |
Description | If a domain has its Certificate Source set to My certificate, this domain is non-compliant. |
Tag | cdn |
Trigger Type | Configuration change |
Filter Type | cdn.domains |
Rule Parameters | None |
Application Scenarios
CDN supports your own certificates or SCM certificates. For details, see Configuring an HTTPS Certificate.
You are advised to use SCM certificates. Using your own certificates may have the following problems:
- Private key leakage: If the private key is not properly stored, attackers can steal it, decrypt sensitive data, or launch man-in-the-middle attacks.
- Weak encryption algorithm: If your own certificate uses an outdated algorithm, it may be vulnerable to brute-force attacks.
- Complex certificate lifecycle management: You need to handle all certificate lifecycle operations, such as issuing, deploying, renewing, and revoking certificates, either manually or by building a system to do so. As a result, certificates may expire due to negligence.
- Insufficient support for automation tools: Your own certificates need to be manually uploaded and updated, increasing O&M burdens.
- Complex team collaboration: Development, O&M, and security teams need to collaboratively manage certificate policies, increasing communication complexity.
Solution
Use SCM certificates instead of your own certificates.
Rule Logic
- If the CDN certificate source is your own certificate, the check result is non-compliant.
- If the CDN certificate source is not your own certificate, the check result is compliant.