Abandoning Self-Signed SSL Certificates?

  • Question

  • Hello,

    I'm working on remediation of some security flaws and have encountered a finding that calls out each of my domain-added workstations as having self-signed SSL certificates. I'm not an expert on the subject, but I do know the following things:

    1)  An earlier finding led to me disabling all forms of SSL on my servers and workstations

    2)  Workstations use certificates to identify themselves to other domain assets.

    Now my servers all have their own certs signed by an outside authority.  However, it would be a huge amount of work to go through the process for each and every workstation.  So my questions are these:

    1)  Can I create a NON-SSL self signed cert for these machines to use?

    2)  How do I remove these current SSL certs without having to hover over each workstation?

    Basically, what's the least effort to remove self-signed SSL certs and replace them with something more secure?

    Thanks,

    M.

    Wednesday, March 4, 2015 4:09 PM

Answers

  • Ah yes! We're dealing with the same "headaches" in our industry as well. I suspected that's what you meant, but I wanted to be clear.

    The internal CA route is your best bet. Certificate Services is not as daunting as you might think, and there's PLENTY of support for it out in the wild. A very basic, out of the box install of AD CS will get you up and running. Then you'll just have to configure group policy to disseminate your root certificate and configure auto-enrollment for all of your computers to retrieve customer certificates from the domain CA.

    Do not fear the CA. It's one area of IT that's growing quickly and you might find, like I did, that you enjoy it.

    Wednesday, March 4, 2015 4:32 PM

All replies

  • What do you mean when you say that you've disabled all forms of SSL on your servers and workstations? SSL serves to provide secure communications for all of your domain operations, so disabling SSL, in general, would likely break your entire domain. If you're using certificates on your workstations, then you're using certificate-based security (IPSec) in some manner.

    Do you have AD CS or some other certificate signing authority/PKI in your environment? If not, you would have to pay a public provider (i.e. VeriSign) to provide certificates, and I can assure you that gets very expensive.

    If you have Microsoft servers in your environment, you can install and use Certificate Services to provide an internal signing mechanism which can be managed through group policy. You can replace all of the workstation certificates with ones signed by your internal certificate authority (CA), and those will pass muster with any auditor provided the appropriate safeguards are put into place elsewhere in your environment.

    Least effort for you would be to implement an internal CA, which admittedly isn't a low-effort endeavor, and have the CA assign individual certificates to all of your machines, users, and any other assets you need to protect. If your auditors are requiring the removal of the self-signed certificates, you might find a way to script the removal of the certificates. In my experience, however, most auditors just want IPSec to be done with certificates that terminate somewhere other than the local workstation (i.e. an internal CA).

    • Proposed as answer by Ron Arestia Wednesday, March 4, 2015 5:14 PM
    Wednesday, March 4, 2015 4:17 PM
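A way to inventory exactly what this reply talks about, as an added example that is not code from the thread or from Microsoft: it lists the self-signed certificates in a workstation's machine Personal store (a certificate whose Subject equals its Issuer) and reads the SCHANNEL protocol keys the original poster mentions. It assumes the standard layout of that registry path (one subkey per protocol with Server and Client children holding Enabled and DisabledByDefault values); removal is opt-in and previewed with -WhatIf.

```powershell
# Added example (not from the thread): audit self-signed certs and SCHANNEL state.
# Run elevated on one workstation, or push it out with Invoke-Command.
param(
    [switch]$Remove   # when set, preview removal of self-signed certs (-WhatIf)
)

# 1) Self-signed certificates in the machine Personal store.
#    Only Cert:\LocalMachine\My is checked on purpose: entries in Root and CA
#    are self-signed by design (that is what a trust anchor is) and must stay.
$selfSigned = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $_.Issuer }

foreach ($cert in $selfSigned) {
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        HasKey     = $cert.HasPrivateKey
    } | Format-List
    if ($Remove) {
        # -WhatIf only reports what would be deleted; drop it once the
        # CA-issued replacement has arrived via auto-enrollment.
        Remove-Item -Path $cert.PSPath -WhatIf
    }
}

# 2) SCHANNEL protocol state under the registry path quoted in the thread.
#    Enabled = 0 or DisabledByDefault = 1 means the protocol is off for that role;
#    a missing key means the OS default applies.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($role in 'Server', 'Client') {
        $key = Join-Path -Path $base -ChildPath "$proto\$role"
        $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $enabled  = if ($null -eq $p) { 'not set' } else { $p.Enabled }
        $disabled = if ($null -eq $p) { 'not set' } else { $p.DisabledByDefault }
        [pscustomobject]@{
            Protocol          = $proto
            Role              = $role
            Enabled           = $enabled
            DisabledByDefault = $disabled
        }
    }
}
```

Pair it with `Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -ne $_.Subject }` after auto-enrollment has run to confirm the CA-issued certificate is present before anything is removed.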
  • Ron,

    I suspected I would need an internal CA to handle it (why I left it out of my original post, I do not know).

    When I mention disabling "All forms of SSL", I really mean what is hit with keys within:  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

    3.0 and 2.0 were findings, and setting these to disabled didn't seem to impact anything usually.

    M.

    Wednesday, March 4, 2015 4:27 PM
  • Fantastic! Though, as I brought up recently in other threads, I appear to have issues with Group Policy getting passed out, so I will really have to resolve that before I get any further it appears. Cheers!

    M.

    Wednesday, March 4, 2015 5:12 PM