Polavarapu Manideep Sai via FreeIPA-users wrote:
Hi Team,
I have a vulnerability on port 8443 reported by the Nessus scanner.
I have a third-party certificate already installed for the LDAP and Apache services.
I have the root and intermediate certificates also installed on the pki-tomcat service, as shown below.
The certificate caSigningCert cert-pki-ca is the one that is causing this vulnerability.
Any suggestions to overcome this issue?
[root@aaa01 ~]# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca' |egrep -i 'Issuer:|Subject:'
Issuer: "CN=Certificate Authority,O=IPA.EXAMPLE.COM"
Subject: "CN=Certificate Authority,O=IPA.EXAMPLE.COM"
[root@aaa01 ~]# certutil -L -d /etc/dirsrv/slapd-IPA-EXAMPLE-COM/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
CN=*.IPA.EXAMPLE.COM u,u,u
IPA.EXAMPLE.COM IPA CA CT,C,C
NSS Certificate DB:NSS Certificate DB:CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US CT,C,C
CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com, Inc.,L=Scottsdale,ST=Arizona,C=US CT,C,C
OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group, Inc.,C=US CT,C,C
[root@aaa01 ~]#
[root@aaa01 ~]# certutil -L -d /etc/pki/pki-tomcat/alias/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
caSigningCert cert-pki-ca CTu,Cu,Cu
ocspSigningCert cert-pki-ca u,u,u
Server-Cert cert-pki-ca u,u,u
subsystemCert cert-pki-ca u,u,u
auditSigningCert cert-pki-ca u,u,Pu
NSS Certificate DB:NSS Certificate DB:CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US CT,C,C
CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com, Inc.,L=Scottsdale,ST=Arizona,C=US CT,C,C
OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group, Inc.,C=US CT,C,C
Scanning Report and Solution Given:
8443 - SSL Certificate Cannot Be Trusted: "The SSL certificate for this service cannot be trusted."
8443 - SSL Self-Signed Certificate: "The SSL certificate chain for this service ends in an unrecognized self-signed certificate."
Solution:
Purchase or generate a proper SSL certificate for this service.
Scanners. There is nothing wrong with this CA cert. Self-signed doesn't have to mean "bad".
Nothing outside the IPA machine should even be able to talk to it so it's not a problem even if the CA cert were somehow bad, and it isn't.
You can ignore this.
rob
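The trust-attribute triples in the listings above (CTu,Cu,Cu for the CA signing cert, u,u,u for the service certs, CT,C,C for the imported Go Daddy chain) together with the Issuer/Subject comparison are what actually tell an administrator whether a flagged entry is the locally issuing CA that a scanner will always report as "self-signed". The following Python parser is an added example, not part of this thread or of FreeIPA or Dogtag; it works on constructed copies of the certutil output shown above (the Go Daddy root row is included for contrast), decodes the NSS trust flags, and reports which entry is a trusted CA whose private key is present in the database versus an imported trust anchor or an end-entity certificate.

```python
import re

# Constructed sample input, in the shape `certutil -L` prints it: the nicknames
# and trust triples from the thread's pki-tomcat listing plus one Go Daddy root.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
Server-Cert cert-pki-ca                                      u,u,u
subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com, Inc.,L=Scottsdale,ST=Arizona,C=US CT,C,C
"""

# Constructed sample of `certutil -L -n <nickname>` filtered to Issuer/Subject,
# mirroring the caSigningCert output in the thread.
SAMPLE_CERT_DETAIL = '''\
        Issuer: "CN=Certificate Authority,O=IPA.EXAMPLE.COM"
        Subject: "CN=Certificate Authority,O=IPA.EXAMPLE.COM"
'''

# Meaning of the NSS trust flags as documented for certutil.
FLAG_MEANING = {
    "p": "valid peer",
    "P": "trusted peer (implies p)",
    "c": "valid CA",
    "C": "trusted CA (implies c)",
    "T": "trusted CA for client authentication (SSL column only)",
    "u": "private key present in the database (user cert)",
}

# A data row is "<nickname> <whitespace> <ssl>,<smime>,<jar>"; header rows and
# blank lines never end in a comma-separated triple of flag letters.
_TRUST_RE = re.compile(
    r"^(?P<nick>.+?)\s+(?P<ssl>[pPcCTu]*),(?P<smime>[pPcCTu]*),(?P<jar>[pPcCTu]*)\s*$"
)


def parse_certutil_listing(text):
    """Return one dict (nick, ssl, smime, jar) per certificate row."""
    return [m.groupdict() for m in map(_TRUST_RE.match, text.splitlines()) if m]


def describe_flags(flags):
    """Expand a flag string such as 'CTu' into human-readable meanings."""
    return [FLAG_MEANING.get(f, f"unknown flag {f!r}") for f in flags]


def classify(entry):
    """Summarise what the SSL trust column says about an entry."""
    ssl = entry["ssl"]
    if "C" in ssl and "u" in ssl:
        return "trusted CA, private key present (a locally issuing CA)"
    if "C" in ssl:
        return "trusted CA, no private key (an imported trust anchor)"
    if "u" in ssl:
        return "end-entity certificate with private key"
    return "no trust, no key"


def local_issuing_cas(entries):
    """Nicknames of CAs this host can actually sign with (trusted CA + key)."""
    return [e["nick"] for e in entries if "C" in e["ssl"] and "u" in e["ssl"]]


def parse_issuer_subject(text):
    """Pull the quoted Issuer and Subject DNs out of `certutil -L -n` output."""
    fields = {}
    for m in re.finditer(r'^\s*(Issuer|Subject):\s*"(.*)"\s*$', text, re.M):
        fields[m.group(1).lower()] = m.group(2)
    return fields


def is_self_signed(detail):
    """Issuer identical to Subject is the defining property of a self-signed root."""
    return detail.get("issuer") is not None and detail["issuer"] == detail.get("subject")


if __name__ == "__main__":
    for entry in parse_certutil_listing(SAMPLE_LISTING):
        print(f"{entry['nick']!r}: {classify(entry)} [{', '.join(describe_flags(entry['ssl']))}]")
    detail = parse_issuer_subject(SAMPLE_CERT_DETAIL)
    print("caSigningCert self-signed:", is_self_signed(detail))
```

Run against the real databases with `certutil -L -d /etc/pki/pki-tomcat/alias/ | python3 thisfile.py`-style piping after swapping the constructed samples for stdin; the interesting output is that exactly one entry, caSigningCert cert-pki-ca, is both trusted and key-bearing, which is precisely what makes it the chain's self-signed terminus and, as rob notes, expected rather than a defect.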