Hi Team,

I have a vulnerability on port 8443 reported by the Nessus scanner.

I have a third-party certificate already installed on the LDAP and Apache services.

I also have the root and intermediate certificates installed on the pki-tomcat service, as shown below.

The certificate “caSigningCert cert-pki-ca” is the one causing this vulnerability.

Any suggestions to overcome this issue?

[root@aaa01 ~]# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca' |egrep -i 'Issuer:|Subject:'
        Issuer: "CN=Certificate Authority,O=IPA.EXAMPLE.COM"
        Subject: "CN=Certificate Authority,O=IPA.EXAMPLE.COM"

[root@aaa01 ~]# certutil -L -d /etc/dirsrv/slapd-IPA-EXAMPLE-COM/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=*.IPA.EXAMPLE.COM                                                                      u,u,u
IPA.EXAMPLE.COM                               IPA CA                                      CT,C,C
NSS Certificate DB:NSS Certificate DB:CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US CT,C,C
CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US CT,C,C
OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US CT,C,C
[root@aaa01 ~]#
[root@aaa01 ~]#

[root@aaa01 ~]# certutil -L -d /etc/pki/pki-tomcat/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
Server-Cert cert-pki-ca                                      u,u,u
subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
NSS Certificate DB:NSS Certificate DB:CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US CT,C,C
CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US CT,C,C
OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US CT,C,C

Scanning Report and Solution Given:

8443       SSL Certificate Cannot Be Trusted             The SSL certificate for this service cannot be trusted.
8443       SSL Self-Signed Certificate                   "The SSL certificate chain for this service ends in an unrecognized self-signed certificate."

Solution:

Purchase or generate a proper SSL certificate for this service.

Regards
Sai