PCI Issue with self signed security certificate
Dear Experts,
On our PCI security scan I have 2 items I need help deciding what I should do with.
As far as getting a specific certificate for our web hosting server machine, I am ok with that. Should I do that? And if I do, does it need to point to SERVER.iondata.com? Also, what use is the security certificate for the machine itself anyways? Do you guys suppose that maybe FTP uses it or something and that is why securitymetrics sees it?
Here is the first one:
Also, the second item really confuses me.. iondataexpress.com has it's own security certificate and it's working great. How is security metrics even seeing the certificate for the machine, and why does that matter? They aren't complaining about our other certificate for our other website on the machine?
How do you see a certificate chain? I'd like to see what they're talking about, because maybe then it'd make more sense.
And the 2nd:
Thanks guys! I'm mainly looking for understanding on what these items mean and advice on what approach I should take to fix them..
~Jeffrey
On our PCI security scan I have 2 items I need help deciding what I should do with.
As far as getting a specific certificate for our web hosting server machine, I am ok with that. Should I do that? And if I do, does it need to point to SERVER.iondata.com? Also, what use is the security certificate for the machine itself anyways? Do you guys suppose that maybe FTP uses it or something and that is why securitymetrics sees it?
Here is the first one:
Synopsis:
The SSL certificate chain for this service ends in an unrecognized self-signed certificate.
Impact:
The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host. Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but is signed by an unrecognized certificate authority.
Resolution:
Purchase or generate a proper certificate for this service.
Data Received:
The following certificate was found at the top of the certificate chain sent by the remote host, but is self-signed and was not found in the list of known certificate authorities : |-Subject : CN=SERVER.iondata.com
The SSL certificate chain for this service ends in an unrecognized self-signed certificate.
Impact:
The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host. Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but is signed by an unrecognized certificate authority.
Resolution:
Purchase or generate a proper certificate for this service.
Data Received:
The following certificate was found at the top of the certificate chain sent by the remote host, but is self-signed and was not found in the list of known certificate authorities : |-Subject : CN=SERVER.iondata.com
Also, the second item really confuses me.. iondataexpress.com has it's own security certificate and it's working great. How is security metrics even seeing the certificate for the machine, and why does that matter? They aren't complaining about our other certificate for our other website on the machine?
How do you see a certificate chain? I'd like to see what they're talking about, because maybe then it'd make more sense.
And the 2nd:
Title
SSL Certificate with Wrong Hostname
close
Synopsis:
The SSL certificate for this service is for a different host.
Impact:
The commonName (CN) of the SSL certificate presented on this service is for a different machine.
Resolution:
Purchase or generate a proper certificate for this service.
Data Received:
The identities known by SecurityMetrics are : iondataexpress.com www.iondataexpress.com The Common Name in the certificate is : SERVER.iondata.com
SSL Certificate with Wrong Hostname
close
Synopsis:
The SSL certificate for this service is for a different host.
Impact:
The commonName (CN) of the SSL certificate presented on this service is for a different machine.
Resolution:
Purchase or generate a proper certificate for this service.
Data Received:
The identities known by SecurityMetrics are : iondataexpress.com www.iondataexpress.com The Common Name in the certificate is : SERVER.iondata.com
Thanks guys! I'm mainly looking for understanding on what these items mean and advice on what approach I should take to fix them..
~Jeffrey
When you request a cert you don't always put the lan host name... You use the name it will PUBLICALLY respond to... That is why you are getting the name mismatch... IE... the server may be named SERVER.iondata.com, but if you go to its web page with www.iondata.com that would be the actual common name on the cert... As was said above, a cert can have more than one common name...
ASKER
So... when the security metrics does the scan on iondataexpress.com, it resolves the domain name back to the ip address and then somehow the machine's security certificate is linked to that ip? As far as I know, that IP address should only work for the website.. it's not the ip address of our web server machine. On their webpage they say that they are scanning our domain, and there doesn't seem to be an option to change the ip address it's scanning.
ASKER
scott_silva,
so, is it a good idea to include the lan name? Is the mismatch simply because the server name doesn't match the domain name?
so, is it a good idea to include the lan name? Is the mismatch simply because the server name doesn't match the domain name?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Including the lan name is only useful if internal machines need to connect using the internal name AND need the cert to show valid... It is just as easy to do split DNS, and have the same name resolve to public IP outside and private IP on the inside... For example our exchange servers internal name is not on the cert (at least not anymore since they changed the rules about having non publically resolvable names on certs). All mail access is done by its public name, even though its internal server name is completely different... The name resolves to our internal lan ip on the inside, and to its public ip on the outside...
As long as the name you put in the web browser matches the name on the cert, that error goes away...
And PCI will NEVER accept a self signed cert...
As long as the name you put in the web browser matches the name on the cert, that error goes away...
And PCI will NEVER accept a self signed cert...
ASKER
Ok, I'm thinking that based on what I understand.. the issue here is that the iondataexpress.com and www.iondataexpress.com isn't covering the other services, just the website.
The errors from PCI both say they are TCP, so I believe that means it is my remote desktop stuff they are complaining about.
So, for the remote desktop, can I use the security certificate for iondataexpress.com, perhaps? That would save me the need to buy one..
If not, or that's not the best idea perhaps, would you guys recommend just buying one for the server itself, and then somehow setting the tcp to use it?
Thanks everyone!
The errors from PCI both say they are TCP, so I believe that means it is my remote desktop stuff they are complaining about.
So, for the remote desktop, can I use the security certificate for iondataexpress.com, perhaps? That would save me the need to buy one..
If not, or that's not the best idea perhaps, would you guys recommend just buying one for the server itself, and then somehow setting the tcp to use it?
Thanks everyone!
Actually you can provide justification for that open port and the self signed certificate, then remove the alert from your PCI Scan.
Call your PCI Scanner for how to do this.
Call your PCI Scanner for how to do this.
ASKER
Ok I looked up how to set the certificate for TCP, and I set it to the iondataexpress.com one. So I think I'm good. I'm going to rerun the scan. It will probably take until after 5 when it's done..
So, for the moment, I might have this fixed.
I'll come back tomorrow and if it works, close the question up and all that good stuff.
Thanks a bunch everyone!
Jeffrey
So, for the moment, I might have this fixed.
I'll come back tomorrow and if it works, close the question up and all that good stuff.
Thanks a bunch everyone!
Jeffrey
If it is Remote Desktop port that PCI is picking up you could also try this:
http://serverfault.com/questions/566503/using-ca-certificate-for-remote-desktop-connection
You'll also want to put a HTTPS Redirect rule in your web.config to force traffic to use SSL.
https://blogs.msdn.microsoft.com/kaushal/2013/05/22/http-to-https-redirects-on-iis-7-x-and-higher/
http://serverfault.com/questions/566503/using-ca-certificate-for-remote-desktop-connection
You'll also want to put a HTTPS Redirect rule in your web.config to force traffic to use SSL.
https://blogs.msdn.microsoft.com/kaushal/2013/05/22/http-to-https-redirects-on-iis-7-x-and-higher/
ASKER
Turns out the certificate was a wildcard certificate. So assigning it to the TCP service fixed it. So I'm going to go with this as the best answer. Thanks everyone for all your input and advice. I understand security certificates much better than I did before!
Option 1 - reissue with this SAN name added
Option 2 - if you have multiple static IP address's with your broadband change your PCI scan to point to another IP address