question

DucheminDominique-7551 avatar image
0 Votes"
DucheminDominique-7551 asked LimitlessTechnology-2700 answered

How to identify the certificate not correct?

Hello,

I have this report:

![Asset Names Service Port Vulnerability ID Vulnerability Risk Score Vulnerability
Title Vulnerability Description Vulnerability Solution Vulnerability Proof Vulnerability CVSS Score Vulnerability CVSSv3 Score


Server_name 3389 tls-untrusted-ca 697 Untrusted TLS/SSL server X.509 certificate The server's TLS/SSL certificate is signed by a Certification Authority (CA) that is not well-known or trusted. This could happen if: the chain/intermediate certificate is missing, expired or has been revoked; the server hostname does not match that configured in the certificate; the time/date is incorrect; or a self-signed certificate is being used. The use of a self-signed certificate is not recommended since it could indicate that a TLS/SSL man-in-the-middle attack is taking place Obtain a new certificate from your CA
and ensure the server configuration is correct

Ensure the common name (CN) reflects
the name of the entity presenting the certificate
(e.g., the hostname). If the certificate(s) or any
of the chain certificate(s) have expired or been
revoked, obtain a new certificate from your
Certificate Authority (CA) by following their
documentation. If a self-signed certificate is
being used, consider obtaining a signed certificate
from a CA.

References: Mozilla: Connection Untrusted Error
(https://support.mozilla.org/en-US/kb/connection-untrusted-error-message) SSLShopper: SSL Certificate Not Trusted Error (https://www.sslshopper.com/ssl-certificate-not-trusted-error.html) Windows/IIS certificate chain config (https://support.microsoft.com/en-us/kb/954755) Apache SSL config (http://httpd.apache.org/docs/2.2/mod/mod_ssl.html) Nginx SSL config (http://nginx.org/en/docs/http/configuring_https_servers.html)
CertificateChain.io (https://certificatechain.io/) TLS/SSL certificate signed by unknown, untrusted CA: CN=Servername -- [Path does not chain with any of the trust anchors]. FireEye HX,JAMF,STATS-Internal,Sophos,Windows Server
][1]

How do I identify the correct certificate creating this report?

Thanks,
Dom


[1]: /answers/storage/attachments/189328-image.png

windows-server-security
image.png (10.7 KiB)
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

LimitlessTechnology-2700 avatar image
1 Vote"
LimitlessTechnology-2700 answered

Hi @DucheminDominique-7551

You can compare the certificate signature with the error report to find out the source of the certificate errors.

To view certificates for the current user, open the command console, and then type certmgr. msc.

The Certificate Manager tool for the current user appears. To view your certificates, under Certificates - Current User in the left pane, expand the directory for the type of certificate you want to view.

You can take note of these certificates and then compare them with your error report to find the source.

Hope this resolves your Query!!

--If the reply is helpful, please Upvote and Accept it as an answer–

5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.