TLS/SSL Private Key
Service Name: Transport Layer Security/Secure Sockets Layer
Service Description: TLS/SSL private keys are cryptographic keys used in the TLS/SSL protocol to establish secure encrypted connections between clients and servers. These keys are essential for HTTPS websites, secure email communications, VPNs, and other secure network communications.
Service Address: Not applicable (used across multiple services and platforms)
Validation Type: NHI Enriched
IP Allow list: Does not exist (IP restrictions are typically managed at the server or application level, not at the key level)
Secret Access Scope: Grants the ability to decrypt traffic intended for the server, impersonate the server in TLS/SSL handshakes, and potentially intercept secure communications.
Secret Revokement URL: Does not exist (revocation requires generating a new certificate with a new private key and updating it on servers)
Secret Example:
Suspicious Activity Investigation Instructions:
- Check server logs for unauthorized access attempts or unusual connection patterns.
- Verify if the private key has been exposed in code repositories, logs, or other insecure locations.
- Review access logs to determine who might have had access to the private key file.
- Check for any unexpected certificate issuance using the compromised key.
- Monitor for man-in-the-middle attacks or unexpected TLS/SSL certificate warnings.
Mitigation Instructions:
- Generate a new private key and certificate immediately.
- Revoke the old certificate through your Certificate Authority.
- Update all servers and services with the new certificate and private key.
- Implement proper key management practices:
- Store private keys in secure, encrypted storage.
- Use hardware security modules (HSMs) for critical keys.
- Implement proper access controls for key files.
- Set up regular key rotation schedules.
- Audit and update your certificate management processes to prevent future exposures.
- Consider implementing certificate transparency monitoring to detect unauthorized certificate issuance.