troubleshooting Question

PCI Issue with self signed security certificate

Asked by Jeanette Durham (United States)
Topics: Microsoft IIS Web Server, Windows Server 2008, SSL / HTTPS
11 Comments, 1 Solution, 8945 Views
Dear Experts,

On our PCI security scan I have 2 items I need help deciding what I should do with.
As far as getting a specific certificate for our web hosting server machine, I am ok with that. Should I do that? And if I do, does it need to point to SERVER.iondata.com? Also, what use is the security certificate for the machine itself anyways? Do you guys suppose that maybe FTP uses it or something and that is why SecurityMetrics sees it?

Here is the first one:

Synopsis:
The SSL certificate chain for this service ends in an unrecognized self-signed certificate.

Impact:
The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host. Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but is signed by an unrecognized certificate authority.

Resolution:
Purchase or generate a proper certificate for this service.

Data Received:
The following certificate was found at the top of the certificate chain sent by the remote host, but is self-signed and was not found in the list of known certificate authorities:
  Subject: CN=SERVER.iondata.com

Also, the second item really confuses me. iondataexpress.com has its own security certificate and it's working great. How is SecurityMetrics even seeing the certificate for the machine, and why does that matter? They aren't complaining about our other certificate for our other website on the machine.
How do you see a certificate chain? I'd like to see what they're talking about, because maybe then it'd make more sense.

And the 2nd:

Title: SSL Certificate with Wrong Hostname
Synopsis:
The SSL certificate for this service is for a different host.

Impact:
The commonName (CN) of the SSL certificate presented on this service is for a different machine.

Resolution:
Purchase or generate a proper certificate for this service.

Data Received:
The identities known by SecurityMetrics are: iondataexpress.com, www.iondataexpress.com
The Common Name in the certificate is: SERVER.iondata.com

Thanks guys! I'm mainly looking for understanding of what these items mean and advice on what approach I should take to fix them.
~Jeffrey
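The two findings above, modelled as an added example (this is not code from the original post or from the accepted answer): one function checks whether the top of the served chain is a self-signed certificate that is not in the trusted set, the other checks whether the leaf certificate's names (SAN dNSNames, falling back to the CN) match any identity the scanner knows for the host. The certificate data is constructed to mirror the report (a self-signed CN=SERVER.iondata.com, and a site certificate for iondataexpress.com); the CA name "Example Public CA" and the trusted-root set are placeholders, and the dictionaries follow the shape returned by Python's `ssl.SSLSocket.getpeercert()`. To see the chain the scanner actually saw, run `openssl s_client -connect HOST:PORT -servername HOST -showcerts` against the IP and port the report attaches to the finding. One caveat worth checking first: IIS 7.x on Windows Server 2008 has no SNI support, so each IP:port binding serves exactly one certificate regardless of the Host header, and a finding on a port other than the website's binding means some other service on that port (not the website) is presenting the machine certificate.

```python
"""Model of the two scanner findings: untrusted self-signed chain top and
hostname mismatch. Added example; certificate data below is constructed."""
import socket
import ssl

# Constructed sample data in ssl.getpeercert() shape: 'subject'/'issuer' are
# tuples of RDN tuples, 'subjectAltName' is a tuple of (type, value) pairs.
MACHINE_CERT = {                      # self-signed machine certificate from the report
    "subject": ((("commonName", "SERVER.iondata.com"),),),
    "issuer": ((("commonName", "SERVER.iondata.com"),),),
    "subjectAltName": (),
}
SITE_CERT = {                         # the website's CA-issued certificate
    "subject": ((("commonName", "iondataexpress.com"),),),
    "issuer": ((("commonName", "Example Public CA"),),),   # hypothetical CA name
    "subjectAltName": (("DNS", "iondataexpress.com"), ("DNS", "www.iondataexpress.com")),
}
PUBLIC_CA = {                         # hypothetical root that issued SITE_CERT
    "subject": ((("commonName", "Example Public CA"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "subjectAltName": (),
}
TRUSTED_ROOTS = {"Example Public CA"}  # stand-in for the scanner's CA bundle (by CN)

SCAN_IDENTITIES = ["iondataexpress.com", "www.iondataexpress.com"]


def _cn(name):
    """Return the commonName from an RDN sequence, or None."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def cert_names(cert):
    """Names a client may match against: SAN dNSNames if present, else the CN."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    cn = _cn(cert["subject"])
    return [cn] if cn else []


def name_matches(pattern, hostname):
    """RFC 6125 style match: case-insensitive, wildcard only as the whole
    leftmost label, and a wildcard never matches a bare second-level name."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    labels = hostname.split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def hostname_mismatch(leaf, identities):
    """True when none of the scanner's identities match any name in the leaf."""
    names = cert_names(leaf)
    return not any(name_matches(n, h) for h in identities for n in names)


def untrusted_self_signed_top(chain):
    """True when the last cert in the served chain is self-signed (issuer ==
    subject) and not in the trusted set. A chain ending in a cert signed by an
    unknown CA is deliberately not flagged, matching the plugin's synopsis."""
    top = chain[-1]
    return top["subject"] == top["issuer"] and _cn(top["subject"]) not in TRUSTED_ROOTS


def scan(chain, identities):
    """Return the finding titles a scanner would raise for this served chain."""
    findings = []
    if untrusted_self_signed_top(chain):
        findings.append("SSL Certificate Chain Ends in Unrecognized Self-Signed Certificate")
    if hostname_mismatch(chain[0], identities):
        findings.append("SSL Certificate with Wrong Hostname")
    return findings


def fetch_leaf_pem(host, port=443):
    """Fetch the leaf certificate a service presents, as PEM, without verifying
    it (the point is to see what the scanner saw). Needs network access, so it
    is not exercised in the offline checks. The stdlib exposes only the leaf;
    for the full chain use openssl s_client ... -showcerts."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))


if __name__ == "__main__":
    print("machine cert on the scanned port:", scan([MACHINE_CERT], SCAN_IDENTITIES))
    print("site cert with its CA:", scan([SITE_CERT, PUBLIC_CA], SCAN_IDENTITIES))
```

Running it reproduces both findings for the chain consisting only of the self-signed machine certificate, and none for the site certificate chained to its CA, which is the state the two resolutions ask for: a certificate issued by a CA in the scanner's bundle, whose SAN or CN covers every name the scanner resolves to that IP and port.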
ASKER CERTIFIED SOLUTION
Greg Hejl, Principal Consultant