Solved

SBS2011 failing PCI scan - SSL Certificate Cannot Be Trusted

Posted on 2014-01-30
6
2,397 Views
Last Modified: 2014-01-31
Hi Experts

I have purchased a GoDaddy cert and installed it via the SBS Console wizard; however, the PCI scan is failing. If I hit https://remote.DOMAINNAME.co.uk the chain is valid. Is this something to do with Exchange, as it's port 25?
Protocol: TCP
Port: 25
Program: SMTP
Description: SSL Certificate Cannot Be Trusted
Synopsis: The SSL certificate for this service cannot be trusted.

Impact: The server's X.509 certificate does not have a signature from a known public certificate authority. This situation can occur in three different ways, each of which results in a break in the chain below which certificates cannot be trusted.

First, the top of the certificate chain sent by the server might not be descended from a known public certificate authority. This can occur either when the top of the chain is an unrecognized, self-signed certificate, or when intermediate certificates are missing that would connect the top of the certificate chain to a known public certificate authority.

Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can occur either when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the certificate's 'notAfter' dates.

Third, the certificate chain may contain a signature that either didn't match the certificate's information, or could not be verified. Bad signatures can be fixed by getting the certificate with the bad signature to be re-signed by its issuer. Signatures that could not be verified are the result of the certificate's issuer using a signing algorithm that SecurityMetrics either does not support or does not recognize.

If the remote host is a public host in production, any break in the chain nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host.

Data Received: The following certificate was at the top of the certificate chain sent by the remote host, but is signed by an unknown certificate authority:
|-Subject : CN=remote.DOMAINNAME.co.uk
|-Issuer : CN=CUSTOMER-SERVERNAME-CA

Resolution: Purchase or generate a proper certificate for this service.

Risk Factor: Medium/ CVSS2 Base Score: 6.4

Thanks
Question by:George-
6 Comments
 
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 39820309
Try the Fix My Network wizard in the SBS console first.

Did you use the SSL wizard to get the certificate?
Just do it again and rekey it in the GoDaddy SSL panel. When asked if you have the cert, just say you need more time and finish the wizard.
When approved, download the Exchange 2010 option for import, then open the wizard again to import it.
Hope that helps,
Olaf
0
 
LVL 3

Expert Comment

by:cristiantm
ID: 39820317
What is most probably happening is that the SMTP server is not sending the intermediate certificate, and therefore the scanner cannot find a trust path from the server certificate to a trusted anchor.

Let me detail this a little bit. Usually a certificate is issued by an intermediate certification authority, and this intermediate certification authority has a certificate that is issued by a root certification authority. To verify a certificate, you need to have the full "chain" of certificates, from the server to a root CA. Then you verify the server certificate using the intermediate CA certificate, and the intermediate CA certificate using the root CA certificate, and finally check whether the root CA certificate is trusted on your computer.

The last message says that the top certificate received is the server certificate (CN=remote.DOMAINNAME.co.uk, Issuer: CN=CUSTOMER-SERVERNAME-CA) and the issuer of this certificate (an intermediate certificate) is unknown. That's normal, because intermediate certificates should not be previously known to the client; the server should send this certificate. The client only needs to already know root CAs. So what you need to do is set up your server to send the intermediate certificate. I'm not sure how to do this on your software, but I hope you can find that, or another expert can complement the answer with that info.
0
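The chain-building rule described in the comment above, as an added shell example (not code from the thread or from any of the posters). It makes a throw-away root, intermediate and leaf certificate with openssl, then runs `openssl verify` trusting only the root: once with the leaf alone (what a scanner sees when the server sends only its own certificate) and once with the intermediate supplied the way a peer would send it. The `show_smtp_chain` function is the same check against a live server: `openssl s_client -starttls smtp -showcerts` dumps what port 25 actually presents, so you can tell whether the listener is sending a public CA certificate without its intermediate or, as the issuer `CN=CUSTOMER-SERVERNAME-CA` in the scan output suggests, a certificate issued by the server's own CA. Host names and the working directory are made up; it assumes openssl 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a throw-away
# root -> intermediate -> leaf chain and verifies the leaf the way a
# scanner does: trusting only the root. Names are made up; assumes
# openssl 1.1.1 or newer.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Live diagnostic (needs network, so the demo below does not call it):
# print how many certificates the SMTP listener sends after STARTTLS and
# the subject/issuer of the first one. One certificate whose issuer is
# a public CA's intermediate means the intermediate is missing; an
# issuer that is the server's own CA means the wrong certificate is
# bound to SMTP altogether.
show_smtp_chain() {
    out=$(openssl s_client -starttls smtp -connect "$1:25" -showcerts </dev/null 2>/dev/null)
    printf 'certificates sent: %s\n' "$(printf '%s\n' "$out" | grep -c 'BEGIN CERTIFICATE')"
    printf '%s\n' "$out" | openssl x509 -noout -subject -issuer
}

# Build the toy chain in $WORK (subshell so the cd does not leak).
make_chain() (
    cd "$WORK"
    # Root CA: the only thing the client or scanner has in its trust store.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Root CA" -keyout root.key -out root.crt >/dev/null 2>&1
    # Intermediate CA, issued by the root; it must carry CA:TRUE and
    # keyCertSign or openssl will refuse to treat it as an issuer.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
        -keyout inter.key -out inter.csr >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 30 -extfile inter.ext -out inter.crt >/dev/null 2>&1
    # Leaf (the server certificate), issued by the intermediate.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=remote.example.test" \
        -keyout leaf.key -out leaf.csr >/dev/null 2>&1
    openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
        -days 30 -out leaf.crt >/dev/null 2>&1
)

# Server sends only its own certificate: the leaf's issuer is not in the
# trust store and nothing links it to the root, so the path fails.
verify_leaf_only() {
    if openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Server sends the intermediate as well: -untrusted is exactly "extra
# certificates supplied by the peer", and the path now reaches the root.
verify_with_intermediate() {
    if openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/inter.crt" \
            "$WORK/leaf.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

make_chain
echo "leaf only:         $(verify_leaf_only)"
echo "with intermediate: $(verify_with_intermediate)"
```

Running it prints `leaf only: untrusted` and `with intermediate: trusted`, which is the whole point: the scanner's trust store holds only roots, so a server that omits the intermediate looks exactly like a server with a self-signed certificate. To check the real host, call `show_smtp_chain remote.DOMAINNAME.co.uk` from a machine that can reach port 25.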
 
LVL 1

Author Comment

by:George-
ID: 39820417
Hi Olaf

I ran the SBS wizard to Add a Trusted Certificate.

Should it be the Exchange 2010 I download?  I thought it should be IIS7 for SBS2011?

I've also done some more reading and it looks like with GoDaddy I need to install an intermediate certificate.  If I install the intermediate as below will I need to reimport the trusted cert from GoDaddy?

http://sbs.seandaniel.com/2009/02/installing-godaddy-standard-ssl.html

Thanks
0

 
LVL 22

Accepted Solution

by:Olaf De Ceuster (earned 500 total points)
ID: 39822056
I have never had to use the intermediate at all.
I just import the final cert.
I always use the exchange one.
Hope that helps
Olaf
The support at GoDaddy has always been 100%, or "number one" as we say in Vanuatu, if you get stuck.
0
 
LVL 1

Author Comment

by:George-
ID: 39823422
Hi Olaf

I phoned GoDaddy support and they said they had nobody who could help with installing the cert in SBS.

I ran the scan again and it passed.  The only change I made was on the router for something else that was failing.

Thanks anyway. I will close the question and pass you the points, as if it fails again I will create a new cert and download the Exchange version.

Cheers
0
 
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 39823462
Thanks and good luck.
Olaf
0
