SSL Certificate Cannot Be Trusted

  • Question

  • I run the Nessus scan on a PC but it keeps coming up with an SSL error.

    The server's X.509 certificate cannot be trusted. This situation can occur in three different ways, in which the chain of trust can be broken, as stated below :

    - First, the top of the certificate chain sent by the server might not be descended from a known public certificate authority. This can occur either when the top of the chain is an unrecognized, self-signed certificate, or when intermediate certificates are missing that would connect the top of the certificate chain to a known public certificate authority.

    - Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can occur either when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the certificate's 'notAfter' dates.

    - Third, the certificate chain may contain a signature that either didn't match the certificate's information or could not be verified. Bad signatures can be fixed by getting the certificate with the bad signature to be re-signed by its issuer. Signatures that could not be verified are the result of the certificate's issuer using a signing algorithm that Nessus either does not support or does not recognize.

    If the remote host is a public host in production, any break in the chain makes it more difficult for users to verify the authenticity and identity of the web server. This could make it easier to carry out man-in-the-middle attacks against the remote host.

    The following certificate was at the top of the certificate
    chain sent by the remote host, but it is signed by an unknown
    certificate authority :
    
    |-Subject : CN=PCName.Domian.local
    |-Issuer  : CN=PCName.Domian.local

    This is happening on other PCs but not on my PC. For some reason my PC is not showing any errors.

    How can I check where this certificate is located, and how can I remove it remotely on 300 PCs?



    • Edited by lalaJee Wednesday, October 10, 2018 12:11 PM
    Wednesday, October 10, 2018 12:05 PM

All replies

  • Hi, 

    We could go to the MMC console to check the existing certificate in the certificate snap-in on the server side.

    But the error is reported by the third-party software Nessus, whose job is to look for whether your server has a trusted, publicly signed certificate. When it doesn't find one, it is going to report to you that it is a vulnerability. Or, if you are using a very recent version of Nessus or their service, there is another potential problem, that is, some certificates have been compromised over the past few months, meaning someone has stolen or cracked their keys.

    Here is a thread similar to yours; please take it as a reference.

    SSL Certificate Cannot Be Trusted

    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    For certificate issues, we recommend asking for help from the Windows Server Security forum. They are more familiar with certificate issues, and as the issue occurred on most of the devices in your environment, it would be more related to the server side.

    Thank you for your understanding.

    Bests,


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, October 11, 2018 7:38 AM
    Moderator
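
The check the reply above describes doing by hand in the MMC snap-in, as an added PowerShell example that is not part of the thread: it lists every certificate in any LocalMachine store whose Subject equals its Issuer and names the computer, which is the pattern in the Nessus output. It goes beyond the reply by covering all stores and many hosts; the file names `computers.txt` and `self-signed-certs.csv` are assumptions, and the remote part assumes PowerShell remoting (WinRM) is enabled on the target PCs.

```powershell
# Added example: read-only inventory of self-signed machine certificates.
# Heuristic: Subject -eq Issuer and the subject contains the computer name.
# It compares names only and does not verify the signature.
$findSelfSigned = {
    Get-ChildItem -Path Cert:\LocalMachine -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            # -Recurse also returns store objects; keep certificates only
            $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
            $_.Subject -eq $_.Issuer -and
            $_.Subject -like "*CN=$env:COMPUTERNAME*"
        } |
        ForEach-Object {
            [pscustomobject]@{
                # Last segment of the provider path is the store name (e.g. My)
                Store         = ($_.PSParentPath -split '\\')[-1]
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotBefore     = $_.NotBefore
                NotAfter      = $_.NotAfter
                Expired       = ($_.NotAfter -lt (Get-Date))
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

# Local machine: show which store holds the certificate Nessus reported
& $findSelfSigned | Format-Table -AutoSize

# Many machines: computers.txt (assumed name) holds one host name per line
$computers = Get-Content -Path .\computers.txt
Invoke-Command -ComputerName $computers -ScriptBlock $findSelfSigned -ErrorAction SilentlyContinue |
    Select-Object PSComputerName, Store, Subject, Thumbprint, NotAfter, Expired |
    Export-Csv -Path .\self-signed-certs.csv -NoTypeInformation
```

The Store column shows where the certificate lives on each host, and the thumbprint can be compared with the one Nessus reports for the flagged port.
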
  • Hi Joy,

    Thank you for the answer. I compared my cert with other PCs from MMC and I can't see anything different. I thought there might be another location where these certs might live.

    I know my laptop was a recent build.

    We used to have a 2003 cert server which was decommissioned about 5 months ago.

    Thursday, October 11, 2018 9:06 AM
  • Hi, 

    We also could check the certificate through Internet Explorer\Settings\Internet Options\Contents\Certificate. 

    If it does not exist there either, I would recommend checking whether you installed it on your side, or asking for help from the Windows Server Security forum.

    Bests, 



    Friday, October 12, 2018 9:52 AM
    Moderator
  • Same cert as mine in Internet Explorer\Settings\Internet Options\Contents\Certificate.
    Monday, October 15, 2018 11:45 AM
  • Hi,

    Thank you for your reply. 

    I understand your existing mood about this issue; however, I think the Server support forum might be the best place for consulting. The reason why we recommend posting appropriately is that you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us.

    Thank you for your understanding.

    Bests,



    Tuesday, October 16, 2018 9:29 AM
    Moderator