mudcow007
asked on
Exchange 2013 - Self Certified SSL (PCI Compliance)
Hello all, we are being PCI scanned and are failing on a few items, one being a self-signed cert in Exchange:
the X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host. Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but is signed by an unrecognized certificate authority.
Exchange has a 3rd party SSL certificate installed already which is assigned to
IMAP, POP, IIS, SMTP
The self-signed cert is assigned to
IIS, SMTP
I'm unable to de-select these options.
Do I need to delete the self-signed certificate? If so, how would I go about it?
Thanks
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hello Pete
I don't know if this is of a concern, but the CN (common name?) on the certs are all "servername" where the 3rd party cert is a mail.domain.com
Would this affect anything? I'm just crossing the t's etc...
The command I have written is
enable-exchangecertificate -services none -thumbprint 0123456789099ggld4899
Just wary to press return
ASKER
Hmm, I "grew some" and ran the command,
and didn't see any changes.
So restarted IIS
and still saw no changes.
The self-signed cert is still listed under Servers > Certificates, with SMTP & IIS still greyed out.
Options provided
ASKER
I was under the impression Exchange used/needed it for something?