I am working at a client site whom falls under PCI Security mandates.  The client is scanned by a Third party Vendor each month, and the test results are published.

The client was hit on 2 critical vulnerabilities this time around.  Both of these Critical rankings were generated against the ASA that faces the public Internet at the client site.

The first Critical vulnerability found was as follows:

Description

The remote service uses an SSL certificate that has been signed using
a cryptographically weak hashing algorithm - MD2, MD4, or MD5. These
signature algorithms are known to be vulnerable to collision attacks.
In theory, a determined attacker may be able to leverage this weakness
to generate another certificate with the same digital signature, which
could allow him to masquerade as the affected service.

See also

http://tools.ietf.org/html/rfc3279
http://www.phreedom.org/research/rogue-ca/
http://www.microsoft.com/technet/security/advisory/961509.mspx
http://www.kb.cert.org/vuls/id/836068

Solution

Contact the Certificate Authority to have the certificate reissued.

Risk factor

Medium / CVSS Base Score : 4.1
(CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)

Plugin output

Here is the service's SSL certificate :

Subject Name:

Common Name: bhiasaop
Unstructured Name: bhiasaop.boarsheadinn

Issuer Name:

Common Name: bhiasaop
Unstructured Name: bhiasaop.boarsheadinn

Serial Number: F8 E5 C3 49

Version: 3

Signature Algorithm: MD5 With RSA Encryption

Not Valid Before: Mar 20 18:52:40 2009 GMT
Not Valid After: Mar 18 18:52:40 2019 GMT

Public Key Info:

Algorithm: RSA Encryption
Public Key: 00 82 9D AB 31 AA 1B D6 A6 26 5F 74 31 AC F6 95 44 AB F6 A0
32 46 DB 02 CA B5 51 AC FB 5B 19 67 6E B6 01 D8 33 3B 8E 6B
A5 5A 42 CE BA 5C 7D DC A1 BE 96 86 A1 AB 26 10 69 49 B1 9C
6B C7 40 74 8C 8C EA 0C D5 82 AC BA 19 9D 46 6A 38 97 49 04
AC B3 90 5C C3 27 83 37 31 71 AA EC 74 C4 C3 8A 73 15 32 AB
4F 9D FD 44 F2 E5 22 E6 B1 2F FA FB B1 A1 85 94 87 36 06 41
3F 4C 2F 7D C7 9E A6 62 6F
Exponent: 01 00 01

Signature: 00 42 BA D4 57 02 C0 B1 B4 22 DF 10 64 65 F8 6B 37 6B FF C1
10 F0 58 A1 02 EA 2C CB B3 A0 E1 FF 73 2A 87 B1 94 50 74 7A
2E CB CD B5 61 18 92 C3 CB 99 47 2A 97 3D 0A DB 6E 98 82 5F
9B E6 BB 03 FE 26 11 05 D8 DB 98 3F 4D B2 B6 54 E9 D7 F3 21
BC 48 C6 BC 89 3E A2 C5 6E AB 81 F1 A1 11 22 A8 41 4F C5 12
B4 C2 ED AC 9C 51 2A 70 17 E2 4A FB A0 D6 E8 9E C5 13 03 1E
2B 3B DC 97 96 A3 E7 40 10

Extension: Basic Constraints (2.5.29.19)
Critical: 1
Data: 30 03 01 01 FF

Extension: Key Usage (2.5.29.15)
Critical: 1
Key Usage: Digital Signature, Key Cert Signature, CRL Signature

Extension: Authority Key Identifier (2.5.29.35)
Critical: 0

Extension: Subject Key Identifier (2.5.29.14)
Critical: 0
Subject Key Identifier: CB 5C 84 EE 58 15 C1 5F 4F 1C EF C6 31 54 61 A6 CF ED 38 B4

CVE

CVE-2004-2761

BID

11849, 33065

Other reference

OSVDB:45106, OSVDB:45108, OSVDB:45127, CWE:310

My question is as follows.   Where do we install, import, or otherwise enable Certificates on the ASA for HTTPS?

The 2nd Critical vulnerability was reported as follows:

Synopsis

The SSL certificate for this service is signed by an unknown
certificate authority.

Description

The X.509 certificate of the remote host is not signed by a known
public certificate authority. If the remote host is a public host in
production, this nullifies the use of SSL as anyone could establish a
man in the middle attack against the remote host.

Solution

Purchase or generate a proper certificate for this service.

Risk factor

Medium / CVSS Base Score : 6.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

Plugin output

*** ERROR: Unknown root CA in the chain:
Common Name: bhiasaop
Unstructured Name: bhiasaop.boarsheadinn

Certificate chain:
|-Common Name: bhiasaop
|-Unstructured Name: bhiasaop.boarsheadinn

I am not sure why all of a sudden we are getting hit on these items which we have formerly been passing.  What recommendations are there to resolve this?

Thank You

Kevin