Configure Trusted Certificates

The X.509 certificate issued for this domain cannot be trusted. Clients such as browsers will show warnings or will not be able to connect if they cannot trust the certificate. Read here how you can configure trusted certificates.

Security Assessment


CVSS Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Vulnerability Information

The X.509 certificate issued for this domain cannot be trusted. Clients such as browsers will show warnings or will not be able to connect if they cannot trust the certificate. Trust issues arise if the common name in the certificate does not match the web server's domain, if an intermediate certificate is not provided by the server, or if the certificate is self-signed.

Guides

To issue a trusted certificate for your web application, the certificate needs to contain the correct information for your web application, such as the domain name as the common name of the certificate. The certificate needs to be signed by a certificate authority (CA) that the users' browsers trust. The web server then has to be configured to present the certificate on incoming HTTPS requests. Use one of the following guides to generate and use a trusted certificate.

Let's Encrypt

With Let's Encrypt it is very easy to generate secure and trusted certificates. Install the certbot client on the server that runs the web server and run the following command:


https://github.com/crashtest-security/gist/blob/master/ssl_tls_vulnerabilities/trusted_certificates/lets_encrypt

OpenSSL

You can manually create a new, secure certificate and a certificate signing request (CSR). To generate the private key and the CSR, run:


https://github.com/crashtest-security/gist/blob/master/ssl_tls_vulnerabilities/trusted_certificates/openssl_cert_gen

Answer all questions according to your needs. Then send the csr.pem file to your CA. They will use this request to sign your certificate and provide you with the signed certificate. If the signed certificate is returned to you as new.crt, you can combine the key and the signed certificate as follows:


https://github.com/crashtest-security/gist/blob/master/ssl_tls_vulnerabilities/trusted_certificates/openssl_combine_key_cert

The resulting new.pem file can be copied to your web server directory to be used by the web application. If your certificate is signed by an intermediate certificate (which is not stored in your users' certificate stores) rather than directly by a root certificate (which is stored in your users' certificate stores), you will need to bundle the intermediate certificate with your own server certificate, because clients can only build a chain to a trusted root if the intermediate is presented by the server.
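The OpenSSL procedure above, run end to end as an added example (this is not the page's own code nor the content of the linked gists): key and CSR generation, the CA signing step, combining key and certificate, and bundling the intermediate, followed by the checks a client performs, including the three trust failures named in the vulnerability description. It assumes the openssl command-line tool (1.1.1 or newer) is installed; the domain test.example, every file name, and the two-level test CA are constructed for illustration so that the "send csr.pem to your CA" step can be simulated offline. The subjectAltName is included in the CSR because browsers match the domain against the SAN, not only the common name.

```shell
#!/bin/sh
# Added example, not from the original page or its gists. Walks through the
# OpenSSL steps against a constructed, offline test CA and then checks the
# result the way a client would. Assumes the openssl CLI; the domain and all
# file names below are assumptions chosen for illustration.
set -eu

DOMAIN="test.example"
WORK="${WORK:-$(mktemp -d)}"

# Constructed two-level CA (root -> intermediate). A real CA does this part; it
# is built here only so the signing step can run without a network.
make_test_ca() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Constructed Test Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Constructed Test Intermediate" \
    -keyout "$WORK/intermediate.key" -out "$WORK/intermediate.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$WORK/intermediate.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/ca.ext" -out "$WORK/intermediate.pem" 2>/dev/null
}

# Step 1 of the guide: private key and CSR for the web server. The domain is the
# common name and, because browsers match names against subjectAltName, the SAN.
make_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$DOMAIN" -addext "subjectAltName=DNS:$DOMAIN" \
    -keyout "$WORK/key.pem" -out "$WORK/csr.pem" 2>/dev/null
}

# Stand-in for the CA: sign csr.pem with the intermediate and hand back new.crt.
sign_with_test_ca() {
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$DOMAIN" > "$WORK/server.ext"
  openssl x509 -req -sha256 -days 30 -in "$WORK/csr.pem" \
    -CA "$WORK/intermediate.pem" -CAkey "$WORK/intermediate.key" -CAcreateserial \
    -extfile "$WORK/server.ext" -out "$WORK/new.crt" 2>/dev/null
}

# Step 2 of the guide: combine key and signed certificate into new.pem, and build
# the bundle the web server must present: server certificate FIRST, then the
# intermediate. Without the intermediate, clients cannot reach the trusted root.
combine_and_bundle() {
  cat "$WORK/key.pem" "$WORK/new.crt" > "$WORK/new.pem"
  cat "$WORK/new.crt" "$WORK/intermediate.pem" > "$WORK/fullchain.pem"
}

# The same CSR signed with its own key instead of a CA: a self-signed certificate.
make_self_signed() {
  openssl x509 -req -sha256 -days 30 -in "$WORK/csr.pem" -signkey "$WORK/key.pem" \
    -extfile "$WORK/server.ext" -out "$WORK/selfsigned.crt" 2>/dev/null
}

# What a client does with the presented certificate: build a chain to a trusted
# root (root.pem plays the browser's trust store) and match the hostname.
# $1 = hostname, $2 = leaf certificate, $3 = intermediates presented ("" = none).
client_trusts() {
  if [ -n "${3:-}" ]; then
    openssl verify -no-CApath -CAfile "$WORK/root.pem" -untrusted "$3" \
      -verify_hostname "$1" "$2" >/dev/null 2>&1
  else
    openssl verify -no-CApath -CAfile "$WORK/root.pem" -verify_hostname "$1" "$2" >/dev/null 2>&1
  fi
}

# Number of certificates in a PEM bundle (fullchain.pem should hold two).
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Subject of the FIRST certificate in a bundle; it must be the server certificate,
# since Apache and nginx take the leaf from the top of the file.
first_subject() { openssl x509 -in "$1" -noout -subject; }

run_all() {
  make_test_ca; make_key_and_csr; sign_with_test_ca; combine_and_bundle; make_self_signed
}

# Prints OK/FAIL for a check without aborting the script under set -e.
report() { label=$1; shift; if "$@"; then echo "OK    $label"; else echo "FAIL  $label"; fi; }

run_all
report "full chain, correct name"             client_trusts "$DOMAIN" "$WORK/new.crt" "$WORK/intermediate.pem"
report "intermediate not presented"           client_trusts "$DOMAIN" "$WORK/new.crt" ""
report "name mismatch (www.$DOMAIN)"          client_trusts "www.$DOMAIN" "$WORK/new.crt" "$WORK/intermediate.pem"
report "self-signed certificate"              client_trusts "$DOMAIN" "$WORK/selfsigned.crt" ""
echo "bundle holds $(cert_count "$WORK/fullchain.pem") certificates; first: $(first_subject "$WORK/fullchain.pem")"
```

Only the first check passes; the other three are exactly the conditions listed under Vulnerability Information (missing intermediate, name mismatch, self-signed), so the script doubles as a pre-deployment check: point `client_trusts` at your real certificate and intermediate file, and use your CA's root in place of root.pem. The generated files stay in the temporary directory named in `$WORK` so they can be inspected afterwards.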

Apache

On Apache you need to insert the certificate into the virtual host configuration in /etc/apache2/sites-enabled/domain.conf or /etc/httpd/sites-enabled/domain.conf:


https://github.com/crashtest-security/gist/blob/master/ssl_tls_vulnerabilities/trusted_certificates/apache

nginx

For nginx, update the configuration file, which is usually located at /etc/nginx/nginx.conf or /etc/nginx/sites-enabled/yoursite.com (Ubuntu / Debian) or /etc/nginx/conf.d/nginx.conf (RHEL / CentOS). Add the following directives to the server section:


https://github.com/crashtest-security/gist/blob/master/ssl_tls_vulnerabilities/trusted_certificates/nginx

For more information about Crashtest Security visit crashtest-security.com