changing self signed certificate for pci to pass

Does anyone know how to change the self-signed certificate on SBS 2011? The PCI scan fails as per below:

1 CVE-2004-2761 Insecure Certificate
Signature Algorithm in Use
5.00 Medium Fail Port: tcp/25
This finding indicates that SHA-1 and/or MD5 hashing algorithms have
been detected during your scan. The concept of hashing is to use a
string of numbers to verify the integrity of a file being transmitted
electronically. These algorithms have known weaknesses that can be
exploited by attackers. The PCI SSC (Payment Card Industry Security
Standards Council) has banned the use of SHA-1 and/or MD5
encryption in PCI Compliant environments.
CVE: CVE-2004-2761
NVD: CVE-2004-2761
CVSSv2: AV:N/AC:L/Au:N/C:N/I:P/A:N
Service: microsoft:smtp_server
Reference:
http://www.kb.cert.org/vuls/id/836068
http://en.wikipedia.org/wiki/MD5
http://en.wikipedia.org/wiki/SHA-1
Evidence:
Subject: /CN=remote.domain.com
Issuer: /CN=domain-SERVER-CA
Certificate Chain Depth: 0
Certificate Signature Algorithm: sha1WithRSAEncryption
Remediation:
Ask your IT professional to update all certificates to use a secure hash
function such as SHA-2 or greater as its signature algorithm.
LewisNetworking Asked:

btan (Exec Consultant) commented:
Indeed, SHA-1 certificates are being phased out very quickly, and in 2017 Microsoft will stop trusting them. Better to request SHA-2 certificates and replace any SHA-1 certificates soon to get through the PCI check (or at least by the end of 2015).

Either get a CSR first from the server and acquire the certificate from a 3rd-party CA if internally there is none, as re-issuing another self-signed certificate within SBS may not work out, since the crypto supporting the required SHA-2 family may not be available. Regardless, once you have the cert, you can assign the imported cert (via its thumbprint) to Exchange as you need:

Installing a GoDaddy Standard SSL Certificate on SBS 2008 - see http://sbs.seandaniel.com/2009/02/installing-godaddy-standard-ssl.html
using Exchange PowerShell cmdlet for re-assigning cert via thumbprint - http://blog.the-it-blog.co.uk/2013/01/25/re-issuing-a-self-signed-certificate-for-exchange-sbs/

Cris Hanna (Sr IT Support Engineer) commented:
Is it possible that you have not updated the SBS 2011 server for a while? There are several updates that affect SSL as well as third-party certs.

You should be dumping the self-signed cert in lieu of a 3rd-party trusted SSL cert. You can get a trusted Comodo cert for about 5.00/year from https://www.ssls.com/?fromCheapSSLs

So why are you doing PCI scans? Are you processing and storing CC info on your SBS server? Really bad idea, and I'd suggest changing that, but you may find this article helpful:
http://social.technet.microsoft.com/wiki/contents/articles/853.adjustments-for-pci-dss-scan.aspx
btan (Exec Consultant) commented:
Importing a SHA-256 certificate into the server will close this. It can still be self-signed (which you can create yourself with tools like OpenSSL, on top of those shared previously). You can also request a certificate from a trusted CA like GoDaddy and ask for a SHA-256 certificate from GoDaddy (or other trusted CAs like Verisign). But as shared by Cris, avoid having to store that card info, to reduce your PCI scope as well; you may close one finding, but there would be more coming up. Better to patch the server to the latest possible too.
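As an added example (not from any of the participants above), here is how to reproduce the scanner's check yourself and to create a SHA-256 self-signed replacement with OpenSSL: it classifies the certificate signature algorithm the way the finding does (SHA-1/MD5 fail), can inspect a PEM file or the live STARTTLS listener on tcp/25, and generates a test certificate. It assumes `openssl` is on PATH; the hostname and CN values are placeholders.

```shell
#!/bin/sh
# Assumption: openssl is installed. Host names below are placeholders.

# Exit 0 if the algorithm name (as printed by "openssl x509 -text") is one the
# PCI finding rejects: MD2/MD4/MD5 or SHA-1 based signatures.
sigalg_is_weak() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    *md2*|*md4*|*md5*|*sha1*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the signature algorithm of a PEM certificate, e.g. sha256WithRSAEncryption.
cert_sigalg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Exit 0 (pass) when the PEM certificate is not signed with a weak hash.
sigalg_ok() {
  alg=$(cert_sigalg "$1")
  if sigalg_is_weak "$alg"; then
    echo "FAIL: $1 is signed with $alg (scanner will flag this)" >&2
    return 1
  fi
  echo "OK: $1 is signed with $alg"
}

# Create a self-signed certificate with the chosen digest (sha256 or sha1) and
# print the PEM path; useful for a SHA-256 replacement or for testing the check.
make_self_signed() {  # $1 = digest, $2 = CN, $3 = output dir (optional)
  dir=${3:-$(mktemp -d)}
  openssl req -x509 -newkey rsa:2048 -nodes "-$1" -days 365 -subj "/CN=$2" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
  printf '%s\n' "$dir/cert.pem"
}

# Fetch the certificate the SMTP service presents after STARTTLS and check it.
check_smtp_cert() {  # $1 = host, $2 = port (default 25)
  tmp=$(mktemp)
  openssl s_client -starttls smtp -connect "$1:${2:-25}" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$tmp" || { rm -f "$tmp"; return 2; }
  sigalg_ok "$tmp"; rc=$?
  rm -f "$tmp"
  return $rc
}
```

Run `check_smtp_cert remote.example.com 25` against your own server before re-requesting the scan; the CN you used when generating the replacement must match what clients connect to.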