Hi,
Greetings DOJO Hall.
Singtel used Tenable software to do a Windows Server scan on DMA1,2,3,DEV
Attached is the full report we only look at severity = high, critical.
DMA1 VM (private IP 172.30.105.X)
DMA2 VM (private IP 172.30.105.X)
DMA3 VM (private IP 172.30.105.X)
DMA DEV (private IP 172.30.105.X)
The DMA s are all running Web Servers.
Tenable software :51192 SSL Certificate General Medium[ severity] 172.30.105.5 DMA-DEV Server.
Tenable software :Synopsis: The SSL certificate for this service cannot be trusted
Tenable software: The following certificate was at the top of the certificate
chain sent by the remote host, but it is signed by an unknown
certificate authority :
Solution: Purchase or generate a proper SSL certificate for this service.
I tried self signed certificate does seem to work.
Please advise if Singtel need to purchase SSL certificate for DMA Web Servers or there is a work around.
Regard
Raj
This depends on the use case:
- For DMA agents which are accessed only within a private network, then you can use certificates that are signed by a self-signed root certificate. This root certificate will have to be installed on all agents and client machines (possible via a domain controller) so that the certificates are seen as trusted.
- If a DMA agent is connected to the public Internet (or via a Dashboards Gateway/Portal), and can be accessed via a public hostname, then a certificate has to be used from a certificate authority so that any client connecting via the public hostname will see the certificate as trusted.
Hi Seetharam,
For a certificate to be trusted, it needs to be obtained from a valid Certificate authority.
There are various options, some of them are paid, others offer free certificates.
A self-signed certificate will be marked as insecure as it's not generated by a valid Certificate authority.