[Freeipa-users] Re: vulnerability on port 8443 reported by Nessus scanner- caSigningCert cert-pki-ca

Polavarapu Manideep Sai via FreeIPA-users wrote:

Hi Team,

I have a vulnerability on port 8443 reported by Nessus scanner

I have third-party certificate already installed at LDAP and Apache services

I have root and intermediate certificate also installed on pki-tomcat service as shown below

The certificate “caSigningCert cert-pki-ca” which is causing this vulnerability

Any Suggestions to overcome this issue?

[root@aaa01 ~]# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca' |egrep -i 'Issuer:|Subject:'

Issuer: "CN=Certificate Authority,O=IPA.EXAMPLE.COM"

Subject: "CN=Certificate Authority,O=IPA.EXAMPLE.COM"

[root@aaa01 ~]# certutil -L -d /etc/dirsrv/slapd-IPA-EXAMPLE-COM/

Certificate Nickname                                         Trust Attributes

SSL,S/MIME,JAR/XPI

CN=*.IPA.EXAMPLE.COM                                                                      u,u,u

IPA.EXAMPLE.COM                               IPA CA                                      CT,C,C

NSS Certificate DB:NSS Certificate DB:CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com%5C, Inc.,L=Scottsdale,ST=Arizona,C=US CT,C,C

CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com, Inc.,L=Scottsdale,ST=Arizona,C=US CT,C,C

OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group, Inc.,C=US CT,C,C

[root@aaa01 ~]#

[root@aaa01 ~]#

[root@aaa01 ~]# certutil -L -d /etc/pki/pki-tomcat/alias/

Certificate Nickname                                         Trust Attributes

SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu

ocspSigningCert cert-pki-ca                                  u,u,u

Server-Cert cert-pki-ca                                      u,u,u

subsystemCert cert-pki-ca                                    u,u,u

auditSigningCert cert-pki-ca                                 u,u,Pu

NSS Certificate DB:NSS Certificate DB:CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com%5C, Inc.,L=Scottsdale,ST=Arizona,C=US CT,C,C

CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com, Inc.,L=Scottsdale,ST=Arizona,C=US CT,C,C

OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group, Inc.,C=US CT,C,C

Scanning Report and Solution Given:

8443       SSL Certificate Cannot Be Trusted             The SSL certificate for this service cannot be trusted.

8443       SSL Self-Signed Certificate            "The SSL certificate chain for this service ends in an unrecognized

self-signed certificate."

Solution:

Purchase or generate a proper SSL certificate for this service.

Scanners. There is nothing wrong with this CA cert. Self-signed doesn't have to mean "bad".

Nothing outside the IPA machine should even be able to talk to it so it's not a problem even if the CA cert were somehow bad, and it isn't.

You can ignore this.

rob