SSL Certificate - Signature Verification Failed Vulnerability

ssl https iis-8 pci
11,987

Basically the error response you got from the SSL signature verification is:

unable to get local issuer certificate

The issuer is the signing authority that received your certificate signing request (CSR), signed it, and returned you the server certificate (which you installed along with the private key that you generated with the CSR). The server certificate is a PEM file with a .cer or .crt extention. It is a text file with certificates encoded in blocks between:

-----BEGIN CERTIFICATE-----

     gibberish not copied

-----END CERTIFICATE-----

The error text explains:

The authentication is done by verifying that the public key in the certificate is signed by a trusted third-party Certificate Authority.

But for this verification to happen, at least one other certificate is needed, namely the certificate of the issuer, and possibly also the one of the certificate root authority (CA).

A count of 1 in grep -c BEGIN /etc/pki/tls/certs/yourserver.crt will show that, when you have such a local issuer, its certificate is not available. It takes at least 2 certificates to verify.

A scanner, such as the PCI DSS External Vulnerability Scan, needs to know about these additional certificates. They can either be well-known/built-in CA's like Verisign or Thawte, but quite possible they can be unknown, because the CA could be your company's. The canonical name (CN=), and the (missing) domain components, in your output, show that the certificate was not signed by a CA that is built-in to the scanner by its vendor.

It is common practice to append the issuer certificate and the root ca certificate (in that order) to the server certificate, as of to tell the SSL client about the trust chain.

cat issuer.cer root_ca.cer >> etc/pki/tls/certs/yourserver.crt

But this does not establish trust. The scanner, and SSL clients in general, need to have the issuer’s root CA’s certificate. If your company has its own CA, then you need to install it everywhere.

Share:
11,987

Related videos on Youtube

VladLosev
Author by

VladLosev

Updated on September 18, 2022

Comments

  • VladLosev
    VladLosev almost 2 years

    We ran PCI DSS External Vulnerability Scan on our website and the scan failed with many vulnerabilities, all of them are PCI severity: Low except one medium and another one high.

    The high one is:

    Threat: An SSL Certificate associates an entity (person, organization, host, etc.) with a Public Key. In an SSL connection, the client authenticates the remote server using the server's Certificate and extracts the Public Key in the Certificate to establish the secure connection. The authentication is done by verifying that the public key in the certificate is signed by a trusted third-party Certificate Authority. If a client is unable to verify the certificate, it can abort communication or prompt the user to continue the communication without authentication.

    Impact: By exploiting this vulnerability, man-in-the-middle attacks in tandem with DNS cache poisoning can occur. Exception: If the server communicates only with a restricted set of clients who have the server certificate or the trusted CA certificate, then the server or CA certificate may not be available publicly, and the scan will be unable to verify the signature.

    Solution: Please install a server certificate signed by a trusted third-party Certificate Authority. Result: Certificate #0 CN=132123-server1 unable to get local issuer certificate

    And I have no idea how to solve this issue to pass this point when I rerun the scan. is there any steps I can follow?

    Notes:
    The server is IIS 8
    Website is using SSL wildcard from godaddy.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How to test https rest webservice in postman
Getting a certificate from an https site
OS X 10.11.6 El Capitan SSLRead() return error -9841
iPhone: install certificate for SSL connection
Magento - onePage checkout and SSL (HTTPS)
Flutter https with self signed certificate
Comodo SSL: ERR_CERT_AUTHORITY_INVALID on Chrome mobile and Opera mobile (Android)
iOS HTTPS requests 101
how SSL & cookies work?
HTTP Error 500.19 - Internal Server Error The requested page cannot (WCF + REST + IIS7 + SSL)