PCI compliance test fail

  • Question

  • Hi

    I have a PCI compliance test failure. Here is the output:

    Impact: The server's X.509 certificate does not have a signature from a known public certificate authority. This situation can occur in three different ways, each of which results in a break in the chain below which certificates cannot be trusted.

    First, the top of the certificate chain sent by the server might not be descended from a known public certificate authority. This can occur either when the top of the chain is an unrecognized, self-signed certificate, or when intermediate certificates are missing that would connect the top of the certificate chain to a known public certificate authority.

    Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can occur either when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the certificate's 'notAfter' dates.

    |-Subject : CN=EXCHSRV

    I do not understand why this issue is happening. Can you help me with this? I am using Exchange Server 2007.

    Best Regards

    Friday, February 21, 2014 3:55 PM

Answers

  • Is the self-signed certificate the only certificate on the server? If so, get yourself a certificate from a reliable 3rd-party certificate authority. DigiCert's a good source, and a lot less expensive than others (like VeriSign).

    You're always going to have the self-signed cert on the server, but the only place it will be used is for intra-organizational SMTP sessions.


    --- Rich Matheisen MCSE&I, Exchange MVP

    • Proposed as answer by Niko.Cheng Monday, February 24, 2014 9:33 AM
    • Marked as answer by cara chen Sunday, March 2, 2014 7:19 AM
    Friday, February 21, 2014 10:23 PM
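
As an added example (not part of the thread, and not Microsoft's or the scanner vendor's code), the two failure cases quoted in the scan output can be checked from PowerShell. `Test-ScanTrust`, the sample records and their dates are constructed for illustration; on the Exchange server, pipe the output of `Get-ExchangeCertificate` into the function instead of `$sample`.

```powershell
# Test-ScanTrust is a hypothetical helper name, not an Exchange cmdlet.
function Test-ScanTrust {
    param(
        [Parameter(ValueFromPipeline = $true)] $Certificate,
        [datetime] $ScanTime = (Get-Date)
    )
    process {
        $findings = @()
        # First case in the scan output: the top of the chain is self-signed.
        # Subject equal to Issuer is the quick indicator; it does not detect
        # a CA-issued certificate whose intermediates are missing.
        if ($Certificate.Subject -eq $Certificate.Issuer) {
            $findings += 'self-signed'
        }
        # Second case: scan time outside the notBefore/notAfter window.
        if ($ScanTime -lt $Certificate.NotBefore) { $findings += 'not yet valid' }
        if ($ScanTime -gt $Certificate.NotAfter)  { $findings += 'expired' }
        if ($findings.Count -eq 0) { $findings += 'no issue found by these checks' }

        New-Object psobject -Property @{
            Subject  = $Certificate.Subject
            Services = $Certificate.Services
            Findings = $findings -join '; '
        }
    }
}

# Constructed sample records using the property names that
# Get-ExchangeCertificate returns (Subject, Issuer, NotBefore, NotAfter, Services).
# CN=EXCHSRV is the subject from the scan output; everything else is made up.
$sample = @(
    New-Object psobject -Property @{
        Subject = 'CN=EXCHSRV'; Issuer = 'CN=EXCHSRV'; Services = 'IIS, SMTP'
        NotBefore = [datetime]'2013-06-01'; NotAfter = [datetime]'2014-06-01' }
    New-Object psobject -Property @{
        Subject = 'CN=mail.example.com'; Issuer = 'CN=Example Public CA'; Services = 'IIS'
        NotBefore = [datetime]'2013-09-01'; NotAfter = [datetime]'2015-09-01' }
    New-Object psobject -Property @{
        Subject = 'CN=old.example.com'; Issuer = 'CN=Example Public CA'; Services = 'None'
        NotBefore = [datetime]'2011-01-01'; NotAfter = [datetime]'2013-01-01' }
)

# On the server: Get-ExchangeCertificate | Test-ScanTrust
$sample | Test-ScanTrust -ScanTime ([datetime]'2014-02-21') |
    Select-Object Subject, Services, Findings | Format-Table -AutoSize
```

The Services column shows which protocols present each certificate, so a self-signed entry that is bound to a service the scan reached is the one to replace with a CA-issued certificate.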