Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3260
Views
5
Helpful
3
Replies

Self signed certificate vulnerability finding by Nessus scan

Go to solution
sbdladla1
Level 1
Level 1

‎07-12-2018 05:42 AM - edited ‎02-21-2020 07:58 AM

 

I have six ASA 5500 firewall 4 are 5585 and two 5515 and they are connected active standby.

our security team scans and find a vulnerability on the certificate in use. I have gone to our CA and requested certificates. It worked on the 5515 firewalls but not on the 5585 firewalls  and  I can view the certificate but when they scan again same issue comes self sign certificate. I have zeroed the default keyring still getting same issue.   If there a way to delete the self sign certificate will be appreciated. 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rahul Govindan
VIP Alumni
VIP Alumni

‎07-12-2018 12:55 PM

The trustpoint defined under "ssl trust-point" command dictates what certificate will be used. If you have changed the trustpoint to the new trusted certificate, it should not send the self-signed certificate. I do not think there is a way to delete the default self-signed certificate, since it is not tied to a trustpoint. 

View solution in original post

3 Replies 3

Go to solution
Rahul Govindan
VIP Alumni
VIP Alumni

‎07-12-2018 12:55 PM

The trustpoint defined under "ssl trust-point" command dictates what certificate will be used. If you have changed the trustpoint to the new trusted certificate, it should not send the self-signed certificate. I do not think there is a way to delete the default self-signed certificate, since it is not tied to a trustpoint. 

Go to solution
sbdladla1
Level 1
Level 1
In response to Rahul Govindan

‎08-06-2018 02:28 AM

SSl trust-point help on two of the firewalls, now I still have some issues with the certificate on the remaining devices . The certificate have no trustpoint association on them. how do I make them to have an association on them? here the certificate below

BE30CEFC1# sh crypto ca certificates
Certificate
Status: Available
Certificate Serial Number: 00cc3e
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:
cn= CA
o=I Corporation
c=US
Subject Name:
0.9.2342.19200300.100.1.3=#16135342444c41444c41407a612e69626d2e636f6d
0.9.2342.19200300.100.1.1=#1309303131303434383634
cn=be7ufc0830
ou=VS
o=
l=Johannesburg
st=Johannesburg
c=ZA
CRL Distribution Points:
[1] cn=CRL105 INTERNAL INTERMEDIATE CA,o= Corporation,c=US
[2] http:
Validity Date:
start date: 04:00:00 UTC Apr 17 2018
end date: 03:59:59 UTC Apr 16 2021
Associated Trustpoints:

0 Helpful

Go to solution
Dennis Mink
VIP Alumni
VIP Alumni
In response to sbdladla1

‎08-06-2018 05:16 AM

have you created trustpoints on the remaining devices and have you authenticated the trust point?

 

 

Please remember to rate useful posts, by clicking on the stars below.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card