Self signed certificate vulnerability finding by Nessus scan

sbdladla1 (Level 1)

I have six ASA 5500 firewalls: four are 5585s and two are 5515s, and they are connected active/standby.

Our security team scans and finds a vulnerability on the certificate in use. I have gone to our CA and requested certificates. It worked on the 5515 firewalls but not on the 5585 firewalls. I can view the certificate, but when they scan again the same issue comes up: self-signed certificate. I have zeroized the default keyring and am still getting the same issue. If there is a way to delete the self-signed certificate, it will be appreciated.

Accepted Solution

Rahul Govindan (VIP Alumni)

The trustpoint defined under "ssl trust-point" command dictates what certificate will be used. If you have changed the trustpoint to the new trusted certificate, it should not send the self-signed certificate. I do not think there is a way to delete the default self-signed certificate, since it is not tied to a trustpoint. 

3 Replies


"ssl trust-point" helped on two of the firewalls; now I still have some issues with the certificate on the remaining devices. The certificate has no trustpoint association on them. How do I make them have an association? Here is the certificate below:

BE30CEFC1# sh crypto ca certificates
Certificate
Status: Available
Certificate Serial Number: 00cc3e
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:
cn= CA
o=I Corporation
c=US
Subject Name:
0.9.2342.19200300.100.1.3=#16135342444c41444c41407a612e69626d2e636f6d
0.9.2342.19200300.100.1.1=#1309303131303434383634
cn=be7ufc0830
ou=VS
o=
l=Johannesburg
st=Johannesburg
c=ZA
CRL Distribution Points:
[1] cn=CRL105 INTERNAL INTERMEDIATE CA,o= Corporation,c=US
[2] http:
Validity Date:
start date: 04:00:00 UTC Apr 17 2018
end date: 03:59:59 UTC Apr 16 2021
Associated Trustpoints:

Have you created trustpoints on the remaining devices, and have you authenticated the trustpoint?
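The two answers above (select the certificate with "ssl trust-point", and create and authenticate a trustpoint on the devices that still lack one) describe the same procedure. The configuration below is an added example, not part of the original thread and not taken from Cisco documentation, showing the full trustpoint enrollment on an ASA so that the issued certificate ends up with an "Associated Trustpoints:" entry (the line that is empty in the output posted above) and is then bound for SSL/TLS. The names CORP-CA, CORP-KEY, fw1.example.com and the interface names are assumptions.

```text
! Added example (not from the original post): enrolling an ASA identity
! certificate through a trustpoint and selecting it for SSL/TLS.
! CORP-CA, CORP-KEY, fw1.example.com and the interface names are assumptions.

! 1. Dedicated RSA key pair for the identity certificate. The built-in
!    self-signed certificate uses the default key, so give this one a label.
crypto key generate rsa label CORP-KEY modulus 2048

! 2. Trustpoint tying the key pair, the CSR subject and the issuing CA together.
crypto ca trustpoint CORP-CA
 enrollment terminal
 keypair CORP-KEY
 fqdn fw1.example.com
 subject-name CN=fw1.example.com,OU=VS,O=Example,L=Johannesburg,C=ZA

! 3. Authenticate the trustpoint: paste the issuing CA certificate (PEM),
!    then type "quit". This is the step the last reply asks about.
crypto ca authenticate CORP-CA

! 4. Generate the CSR; copy the PEM the ASA prints and submit it to the CA.
crypto ca enroll CORP-CA

! 5. Import the issued certificate into the SAME trustpoint whose key produced
!    the CSR. A certificate imported any other way shows an empty
!    "Associated Trustpoints:" line and cannot be selected with ssl trust-point.
crypto ca import CORP-CA certificate

! 6. Select the trustpoint for SSL/TLS on the interface(s) the scanner reaches.
!    Without this binding the ASA keeps presenting its self-signed certificate.
ssl trust-point CORP-CA outside
ssl trust-point CORP-CA inside

! 7. Verify: the certificate should now list CORP-CA under
!    "Associated Trustpoints:", and the ssl configuration should reference it.
show crypto ca certificates CORP-CA
show running-config ssl
```

"ssl trust-point CORP-CA" with no interface sets the fallback used by interfaces that have no explicit binding, so bind the specific interfaces the scanner targets (management interfaces are a common one to miss). To see exactly what the scanner sees, run from a host on the scanning side: openssl s_client -connect <asa-ip>:443 -showcerts </dev/null | openssl x509 -noout -subject -issuer. A certificate whose Subject and Issuer are identical is the ASA's self-signed one, which means the binding on that interface is still missing.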
