Question by miller75:
SSL Self-Signed Certificate PCI Compliance

I am trying to get our Plesk server through PCI Compliance but I am failing with a lot of certificate errors, please see the example below

Port 465
Protocol TCP
Service smtp

SSL Self-Signed Certificate
Synopsis :
The SSL certificate chain for this service ends in an unrecognized self-signed
certificate.
Impact:
The X.509 certificate chain for this service is not signed by a recognized certificate
authority. If the remote host is a public host in production, this nullifies the use of
SSL as anyone could establish a man-in-the-middle attack against the remote host.
Note that this plugin does not check for certificate chains that end in a certificate
that is not self-signed, but is signed by an unrecognized certificate authority.

Data Received
The following certificate was found at the top of the certificate chain sent by the
remote host, but is self-signed and was not found in the list of known certificate
authorities : |-Subject :
C=US/ST=Washington/L=Seattle/O=Odin/OU=Plesk/CN=Plesk/E=info@plesk.com

I am very new to this and don't know how to sort these out?

Steven Vona:

I am not familiar with PCI compliance, but in order to secure a web connection you need a certificate signed by a recognized authority like VeriSign or Thawte.
miller75 (asker):

I could be wrong but don't the certificates cover domains not the server?
arnold:

The certificate authenticates the name by which access is granted, such as
mail.yourdomain.com
www.yourdomain.com
For PCI they scan the IP you provide and then validate any open port.

Generate a CSR with Subject Alternative Names (SAN), making sure to add function markers for mail exchange request, and get it signed by a known CA as referenced.
Then you can use this certificate on the mail portion as well as any other secure port that your server is configured for accepting connections.
Follow the steps @ https://major.io/2007/05/21/changing-the-default-ssl-certificate-in-plesk/ to replace the default self-signed certificate
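The scanner finding in the question boils down to two checks on the certificate a port presents: is the top of the chain its own issuer (self-signed), and does the name the server is reached by appear in the certificate's SAN (or legacy CN)? The following is an added example, not code from the thread, from Plesk or from Postfix, that reproduces both checks with only the Python standard library. It also offers a live check against an implicit-TLS port such as 465 using the system CA store. All hostnames and the "Example CA" issuer are constructed placeholders; the `SELF_SIGNED_SAMPLE` mirrors the subject shown in the scan output.

```python
"""Classify a TLS certificate the way a PCI scanner does: self-signed chain
and hostname/SAN coverage. Added example; assumes placeholder hostnames.

The live check needs network access and only handles implicit-TLS ports
(465, 993, 443), not STARTTLS on 25/587.
"""
import socket
import ssl


# getpeercert() returns subject/issuer as a tuple of RDNs, each RDN a tuple
# of (attribute, value) pairs; flatten to a plain dict for comparison.
def name_to_dict(rdn_sequence):
    return {attr: value for rdn in rdn_sequence for attr, value in rdn}


def is_self_signed(cert):
    """The scanner's core test: a certificate whose issuer equals its subject."""
    return name_to_dict(cert["subject"]) == name_to_dict(cert["issuer"])


def dns_names(cert):
    """DNS names from the SAN extension, falling back to the CN (legacy behaviour)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        cn = name_to_dict(cert["subject"]).get("commonName")
        names = [cn] if cn else []
    return names


def hostname_matches(cert, hostname):
    """Exact match, or a wildcard that covers exactly one leftmost label."""
    host = hostname.lower()
    for name in dns_names(cert):
        name = name.lower()
        if name == host:
            return True
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False


def classify(cert, hostname):
    """Findings in the order a report would list them."""
    findings = []
    if is_self_signed(cert):
        findings.append("self-signed")
    if not hostname_matches(cert, hostname):
        findings.append("hostname-mismatch")
    return findings


def check_port(hostname, port=465, timeout=5.0):
    """Live check: does the served chain validate against the system CA store?

    Returns 'trusted' (bool), 'error' (OpenSSL verify message or None) and
    'findings' (from classify; only available when trusted, because Python
    returns an empty cert dict when verification is disabled).
    """
    ctx = ssl.create_default_context()  # system CAs, hostname check enabled
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
        return {"trusted": True, "error": None, "findings": classify(cert, hostname)}
    except ssl.SSLCertVerificationError as exc:
        # e.g. "self signed certificate" or "unable to get local issuer certificate"
        return {"trusted": False, "error": exc.verify_message, "findings": []}


# Constructed sample mirroring the Plesk default certificate in the scan output:
# issuer == subject, no SAN, CN "Plesk" (never a real hostname).
_PLESK_NAME = (
    (("countryName", "US"),), (("stateOrProvinceName", "Washington"),),
    (("localityName", "Seattle"),), (("organizationName", "Odin"),),
    (("organizationalUnitName", "Plesk"),), (("commonName", "Plesk"),),
)
SELF_SIGNED_SAMPLE = {"subject": _PLESK_NAME, "issuer": _PLESK_NAME}

# Constructed sample of a CA-signed SAN certificate (placeholder names).
SIGNED_SAMPLE = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example CA R1"),)),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "www.example.com")),
}

if __name__ == "__main__":
    print("plesk default:", classify(SELF_SIGNED_SAMPLE, "mail.example.com"))
    print("signed SAN cert:", classify(SIGNED_SAMPLE, "www.example.com"))
    # Live check against your own mail host, e.g. check_port("mail.example.com", 465)
```

Run `check_port("mail.yourdomain.com", 465)` from a machine that can reach the server; a `trusted: False` result with a "self signed certificate" verify message is exactly what the scanner reports for the default Plesk certificate, and it turns to `trusted: True` with no findings once the CA-signed SAN certificate is installed for Postfix.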
miller75 (asker):

Thanks for the responses, I am doing some more investigation as it looks like when you add the default certificate to Plesk it doesn't apply it to Postfix; this has to be done manually via SSH and it looks very complicated!
arnold:

It is not that complicated, you would add the certificate private/signed and then within the postfix config point the respective key/cert to the new files....

Which part is complicated, the CSR request?
miller75 (asker):

I am struggling with adding it to the postfix config.
arnold:

Please provide context/details of what your issue is.
When generating the CSR, did you add mail-related functionality, i.e. is the error you get when adding it to postfix that the certificate does not match what it is being used for?
Did you add the signing CA's root/intermediate authority to postfix's trusted root CA list?

Did you set a passphrase when generating the CSR and are now being prompted for the passphrase any time postfix starts?
ASKER CERTIFIED SOLUTION by Dave Howe:
