Verify SSL Certificate Modified on Host
Security recommendation
| Impact | Remediation complexity | Severity | Recommended value |
|---|---|---|---|
| 4 | 3 | 3 | No unauthorized modifications |
SSL/TLS certificates and certificate stores should remain unchanged unless modifications are part of authorized certificate updates, installations, or system package management.
Compliance
Documentation
SSL/TLS certificates are critical components of secure communications, establishing trust between clients and servers. Certificate stores typically reside in system directories such as /etc/ssl/certs, /etc/pki/tls/certs, and /usr/share/ca-certificates.
Prerequisites
- You must have root or administrative privileges
- Access to system logs and audit trails
- Backup of known-good certificate store
- Understanding of your organization's certificate management policies
Step-by-step guide
Step 1: Identify Modified Certificate
Review the Finding to determine which certificate or certificate store file was modified:
```bash
# Check certificate details
ls -l /etc/ssl/certs/
stat /path/to/modified/certificate
# View certificate information
openssl x509 -in /path/to/modified/certificate -text -noout
```
Step 2: Verify Legitimate Change
Check if the modification was part of an authorized certificate update:
```bash
# Check recent certificate updates (Debian/Ubuntu)
grep "ca-certificates" /var/log/dpkg.log
# Check recent certificate updates (RHEL/CentOS)
grep "ca-certificates" /var/log/dnf.log
# Review system update logs
journalctl -u unattended-upgrades --since "1 day ago"
```
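The two steps above rely on the known-good backup listed in the prerequisites. The script below, an added example and not part of this recommendation, turns that backup into a SHA-256 manifest, reports which files in a store were added, removed or modified since the manifest was taken, and prints the triage fields (subject, issuer, validity, fingerprint) for each changed file. It assumes `sha256sum` from GNU coreutils, POSIX awk and `openssl`; the function names and the demo files are constructed for this example.

```bash
#!/bin/sh
# Added example, not part of the original recommendation: compare a certificate
# store against a known-good baseline manifest and list what changed.
# Manifest format is sha256sum output, "<sha256>  ./relative/path" per line.
# Paths must not contain whitespace (awk splits fields on it).

# Record a baseline manifest of every file in the store; run while it is known-good.
cert_baseline() {
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2)
}

# Compare the store's current state (arg 1) with a saved manifest (arg 2).
# Emits one line per difference: "ADDED <path>", "MODIFIED <path>", "REMOVED <path>".
cert_diff() {
    cert_baseline "$1" | awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # first input: saved baseline
        {
            seen[$2] = 1
            if (!($2 in base))       print "ADDED " $2
            else if (base[$2] != $1) print "MODIFIED " $2
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$2" - | LC_ALL=C sort
}

# For each added or modified file from cert_diff, print the fields checked first
# during triage: subject, issuer, validity window and SHA-256 fingerprint.
cert_inspect() {
    while read -r status path; do
        echo "== $status $path"
        [ "$status" = REMOVED ] && continue
        openssl x509 -in "$1/$path" -noout -subject -issuer -dates -fingerprint -sha256 \
            2>/dev/null || echo "   (not a PEM certificate; inspect by hand)"
    done
}

# Demo on a constructed store in a temporary directory (placeholder files, not real certs).
demo_store=$(mktemp -d)
printf 'placeholder certificate A\n' > "$demo_store/a.pem"
printf 'placeholder certificate B\n' > "$demo_store/b.pem"
cert_baseline "$demo_store" > "$demo_store.baseline"
printf 'extra bytes\n' >> "$demo_store/a.pem"      # constructed change to a.pem
rm "$demo_store/b.pem"                              # constructed removal
printf 'placeholder certificate C\n' > "$demo_store/c.pem"   # constructed addition
cert_diff "$demo_store" "$demo_store.baseline"
rm -rf "$demo_store" "$demo_store.baseline"
```

On a live host, run `cert_baseline /etc/ssl/certs > /root/certs.baseline` while the store is trusted, and later `cert_diff /etc/ssl/certs /root/certs.baseline | cert_inspect /etc/ssl/certs` to see exactly what changed before consulting the package logs from Step 2.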