I am working at a client site whom falls under PCI Security mandates. The client is scanned by a Third party Vendor each month, and the test results are published.
The client was hit on 2 critical vulnerabilities this time around. Both of these Critical rankings were generated against the ASA that faces the public Internet at the client site.
The first Critical vulnerability found was as follows:
The remote service uses an SSL certificate that has been signed using a cryptographically weak hashing algorithm - MD2, MD4, or MD5. These signature algorithms are known to be vulnerable to collision attacks. In theory, a determined attacker may be able to leverage this weakness to generate another certificate with the same digital signature, which could allow him to masquerade as the affected service.
Extension: Subject Key Identifier (22.214.171.124) Critical: 0 Subject Key Identifier: CB 5C 84 EE 58 15 C1 5F 4F 1C EF C6 31 54 61 A6 CF ED 38 B4
OSVDB:45106, OSVDB:45108, OSVDB:45127, CWE:310
My question is as follows. Where do we install, import, or otherwise enable Certificates on the ASA for HTTPS?
The 2nd Critical vulnerability was reported as follows:
The SSL certificate for this service is signed by an unknown certificate authority.
The X.509 certificate of the remote host is not signed by a known public certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man in the middle attack against the remote host.
Purchase or generate a proper certificate for this service.