Solved

SBS2011 failing PCI scan - SSL Certificate Cannot Be Trusted

Posted on 2014-01-30
Last Modified: 2014-01-31
Hi Experts

I have purchased a GoDaddy cert and installed it via the SBS Console wizard; however, the PCI scan is failing. If I hit https://remote.DOMAINNAME.co.uk the chain is valid. Is this something to do with Exchange, as it's port 25?
Protocol: TCP
Port: 25
Program: SMTP
Description: SSL Certificate Cannot Be Trusted
Synopsis: The SSL certificate for this service cannot be trusted.

Impact: The server's X.509 certificate does not have a signature from a known public certificate authority. This situation can occur in three different ways, each of which results in a break in the chain below which certificates cannot be trusted.

First, the top of the certificate chain sent by the server might not be descended from a known public certificate authority. This can occur either when the top of the chain is an unrecognized, self-signed certificate, or when intermediate certificates are missing that would connect the top of the certificate chain to a known public certificate authority.

Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can occur either when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the certificate's 'notAfter' dates.

Third, the certificate chain may contain a signature that either didn't match the certificate's information, or could not be verified. Bad signatures can be fixed by getting the certificate with the bad signature to be re-signed by its issuer. Signatures that could not be verified are the result of the certificate's issuer using a signing algorithm that SecurityMetrics either does not support or does not recognize.

If the remote host is a public host in production, any break in the chain nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host.

Data Received: The following certificate was at the top of the certificate chain sent by the remote host, but is signed by an unknown certificate authority :
|-Subject : CN=remote.DOMAINNAME.co.uk
|-Issuer : CN =CUSTOMER-SERVERNAME-CA

Resolution: Purchase or generate a proper certificate for this service.

Risk Factor: Medium/ CVSS2 Base Score: 6.4

Thanks
Question by: George-
Expert Comment by: Olaf De Ceuster
Try the Fix my network wizard in the SBS console first.

Did you use the SSL wizard to get the certificate?
Just do it again and rekey it in the GoDaddy SSL Panel. When asked if you have the cert, just say you need more time and finish the wizard.
When approved, download the Exchange 2010 option for import, then open the wizard again to import.
Hope that helps,
Olaf
Expert Comment by: cristiantm
What is most probably happening is that the SMTP server is not sending the intermediate certificate, and therefore the scanner cannot find a trust path from the server certificate to a trusted anchor.

Let me detail this a little bit. Usually a certificate is issued by an intermediate certification authority. And this intermediate certificate authority has a certificate that is issued by a root certification authority. To verify a certificate, you need to have the full "chain" of certificates, from the server to a root CA. Then you verify the server certificate using the intermediate CA certificate, and the intermediate CA certificate using the root CA certificate, and finally check if the root CA certificate is trusted on your computer.

The last message says that the top certificate received is the server certificate (CN=remote.DOMAINNAME.co.uk |-Issuer : CN =CUSTOMER-SERVERNAME-CA) and the issuer of this certificate (an intermediate certificate) is unknown. That's normal, because intermediate certificates should not be previously known to the client; the server should send this certificate. The client only needs to already know root CAs. So what you need to do is set up your server to send the intermediate certificate. I'm not sure how to do this on your software, but I hope you can find that or another expert can complement the answer with that info.
Author Comment by: George-
Hi Olaf

I ran the SBS wizard to Add a Trusted Certificate.

Should it be the Exchange 2010 I download?  I thought it should be IIS7 for SBS2011?

I've also done some more reading and it looks like with GoDaddy I need to install an intermediate certificate.  If I install the intermediate as below will I need to reimport the trusted cert from GoDaddy?

http://sbs.seandaniel.com/2009/02/installing-godaddy-standard-ssl.html

Thanks
Accepted Solution by: Olaf De Ceuster (earned 500 total points)
I have never had to use the intermediate at all.
I just import the final cert.
I always use the exchange one.
Hope that helps
Olaf
The support at GoDaddy has always been 100%, or "number one" as we say in Vanuatu, if you get stuck.
Author Comment by: George-
Hi Olaf

I phoned GoDaddy support and they said they had nobody who could help with installing the cert in SBS.

I ran the scan again and it passed.  The only change I made was on the router for something else that was failing.

Thanks anyway, I will close the question and pass you the points as if it fails again I will create a new cert and download the Exchange version.

Cheers
Expert Comment by: Olaf De Ceuster
Thanks and good luck.
Olaf