Renewed SSL certificates but still getting Self-signed certificate error vulnerability notification



Article ID: 380827


Updated On:

Products

  • DX Unified Infrastructure Management (Nimsoft / UIM)
  • CA Unified Infrastructure Management On-Premise (Nimsoft / UIM)
  • CA Unified Infrastructure Management SaaS (Nimsoft / UIM)

Issue/Introduction

Last month we renewed our SSL certs with the help of the Broadcom support team, yet again we are getting a self-signed certificate vulnerability notification from our internal vulnerability scanner tool. While checking, I am not able to see SSL in the wasp probe. How could this possibly have been deleted from the server?

Environment

  • DX UIM 20.4 CU5
  • wasp
  • Primary hub
  • Internally generated SSL certificates

Cause

  • The HP System Management Homepage service (hpsmhd.exe) listening on port 2381 with its own self-signed certificate. The scanner finding refers to that port, not to the wasp HTTPS port whose certificate was renewed.

Resolution

This techdoc describes the step-by-step process to follow; we share it with all of our customers and they find it easy to follow:

Configure HTTPS in Admin Console or Operator Console (Authority-Signed Certificate)

Install the certificate: if you are on a trusted network, you can manually add the internally generated certificate (or, preferably, the internal CA certificate that issued it) to your browser's trusted certificate store.

Check/confirmation of the SSL certificate:

  1. Check Expiration Dates on All Certificates

    Use an SSL analysis tool on your server (for example openssl s_client) or, for an Internet-facing host, a website like SSL Labs, to inspect the certificate chain that each HTTPS port actually presents. Make sure none of the certificates are expired; if they are, they need to be renewed. The server certificate should be issued to the host name that users and the scanner connect to, and it must be the certificate on the port the scan reports, not only the one you renewed.

  2. Verify the Trusted Root CA

    Confirm that the root CA certificate is present in your server's trust store. A public root will match the built-in list of trusted CAs in major web browsers and devices; an internally generated root will not, so it has to be INSTALLED in the trust store of every client that connects, including the vulnerability scanner, or the scanner will keep reporting the certificate as untrusted or self-signed.

  3. Examine the Intermediate Certificates

    Carefully inspect any intermediate or chained CA certificates between the root and website certificate. If any are self-signed rather than issued by the parent CA, there is a problem with the chain. The intermediate certs should form an UNBROKEN CHAIN OF TRUST to the root.

  4. Make Sure the Full Chain is Installed

    Check that the intermediate certificate chain is complete on the server. You may need to install any missing CA certificates in the appropriate trust store to link the website cert to the trusted root.

  5. Update Certificate and Chain

    After making any corrections, ensure the updated certificate files and fully completed intermediate chain are installed per your server or application’s SSL configuration. Restart services as needed.

  6. Clear Browser Caches

    Have users clear their browser caches (choose 'All time') and then reconnect to the website over HTTPS. Then rerun the scan: a vulnerability scanner does not use the browser cache, so the real confirmation is that the "self-signed cert" finding is gone. If the finding is still present, check which port it names; a port other than the wasp HTTPS port means a different service is presenting its own certificate, as in the case below.


The customer's vulnerability scan of their Primary hub and OC systems kept reporting self-signed certificates even though they were using an internally generated certificate.


Upon examination in the browser the certificate appeared to be configured correctly, but the port the scanner identified was 2381, which is not a port that wasp listens on.

We ran netstat with options but could not identify the application. A web search of the error and the port showed that it was caused by the HP System Management Homepage application/page, so by browsing to http://localhost:2381 we identified this page/app.

The customer will therefore contact HP to find out how to work around it, or stop that service on the Primary hub and OC, and then rerun the scan.

Process: hpsmhd.exe (listening on port 2381)

Reference: HP System Management Homepage and SSL Server Allows Anonymous Authentication Vulnerability issue
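The checks in steps 1 to 4 of the resolution and the per-port inspection that singled out port 2381 can both be scripted with OpenSSL. The script below is an added example, not part of this article or of the UIM product. The host name uimhub.example.internal and the port list in the usage comment are assumptions; the only real port from this case is 2381. It compares issuer to subject (the test a scanner applies before reporting "self-signed"), checks expiry with -checkend, verifies a leaf against a CA bundle, and reports what each listener actually presents so that a stray listener such as hpsmhd.exe stands out from the wasp port.

```shell
#!/bin/sh
# Added example (not from the Broadcom article): inspect a PEM certificate or a
# live TLS listener the way steps 1-4 describe. Host names and ports are assumptions.
set -u

# Print the subject or issuer of the first certificate in a PEM file, without the
# "subject=" / "issuer=" prefix so the two values can be compared directly.
cert_field() {            # cert_field <subject|issuer> <pem>
    openssl x509 -noout -"$1" -in "$2" | sed "s/^$1= *//"
}

# Exit 0 when the certificate is self-signed (issuer name equals subject name).
# This is exactly what a scanner flags as a "self-signed certificate" finding.
is_self_signed() {        # is_self_signed <pem>
    [ "$(cert_field subject "$1")" = "$(cert_field issuer "$1")" ]
}

# Exit 0 when the certificate expires within the given number of days (step 1).
# -checkend exits non-zero if the certificate expires within the period.
expires_within_days() {   # expires_within_days <pem> <days>
    ! openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Exit 0 when the leaf validates against the CA bundle (steps 2-4): the bundle
# must contain every intermediate plus the root, otherwise verification fails.
chain_verifies() {        # chain_verifies <leaf.pem> <ca-bundle.pem>
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Count certificates in a PEM file. A listener that sends only its leaf (count 1)
# with an issuer different from its subject is missing its intermediates (step 4).
cert_count() {            # cert_count <pem>
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Pull the chain a listener actually presents, the equivalent of SSL Labs for an
# internal host the public scanner cannot reach. Needs network, so not run offline.
fetch_chain() {           # fetch_chain <host> <port> <out.pem>
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' > "$3"
    [ -s "$3" ]
}

# Report on one listener: run over every HTTPS port on the host and a port whose
# subject/issuer differ from the wasp certificate (2381 in this case) stands out.
report_listener() {       # report_listener <host> <port>
    tmp=$(mktemp)
    if fetch_chain "$1" "$2" "$tmp"; then
        printf '%s:%s subject=[%s] issuer=[%s] certs=%s self-signed=%s\n' \
            "$1" "$2" "$(cert_field subject "$tmp")" "$(cert_field issuer "$tmp")" \
            "$(cert_count "$tmp")" "$(is_self_signed "$tmp" && echo yes || echo no)"
    else
        printf '%s:%s no TLS listener or handshake failed\n' "$1" "$2"
    fi
    rm -f "$tmp"
}

# Usage (assumed host name; 2381 is the port from this case, the others are examples):
# for p in 443 8443 2381; do report_listener uimhub.example.internal "$p"; done
```

Once the offending port is known, map it to a process on the Windows host with `netstat -ano | findstr :2381` (the last column is the owning PID) and `tasklist /fi "pid eq <PID>"`, which in this case would show hpsmhd.exe. Rerun the scan after that service has been stopped or given a CA-issued certificate, and confirm the finding no longer names port 2381.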

Additional Information