Raj_Khatri

Internal CA VPN certificate

After performing an external vulnerability scan, the following vulnerability shows up. It appears to be getting flagged because the IP address of the firewall was changed at some point and there is a mismatch. The firewall that was scanned (i.e. 2.2.2.2) is showing the following in the certificate (i.e. 1.1.1.1) for Subject Alternative Name. This is not causing any issues with VPN tunnels. What is being presented is the Internal CA VPN certificate, and I am wondering if there is an easy fix other than possibly a re-SIC?


X.509 Certificate Subject CN Does Not Match the Entity Name


The subject common name found in the X.509 certificate does not seem to match the scan target:
Subject CN fw-xxxxxxxxxx VPN Certificate does not match target name specified in the site.
Subject CN fw-xxxxxxxxxx VPN Certificate could not be resolved to an IP address via DNS lookup.
Subject Alternative Name x.x.x.x does not match target name specified in the site.

The subject's common name (CN) field in the X.509 certificate should be fixed to reflect the name of the entity presenting the certificate (e.g., the hostname). This is done by generating a new certificate usually signed by a Certification Authority (CA) trusted by both the client and server. If wildcard certificates are in use please submit the FQDN for the host for validation of the wildcard.

 

Wolfgang

Re: Internal CA VPN certificate

Raj,

This is normal behaviour if you don't change the default.

All your VPN certificates are issued from the internal CA of your SMS. This CA is not registered outside or known to the internet; it is for internal use.

The certificate you are scanning from the internet is from the possibilities for remote access like MOB, SSL extender, VPN clients...

If you want to get a valid certificate there, you can install your own, correct certificate from a trusted CA, or you can disable all the remote access solutions on your gateway if not used.

In my book it is not a whole security risk to have the shown mismatch.

Wolfgang
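To reproduce what the scanner is reporting in the original post, and to confirm Wolfgang's point that the certificate chains to the SMS internal CA rather than a public one, here is an added example (not code from the thread or from Check Point). It works on the dictionary shape that Python's standard-library ssl.SSLSocket.getpeercert() returns, so it runs offline against a constructed sample. The sample certificate, its issuer name "sms-internal-ca", and the fetch_peer_cert helper's arguments (host, port, and the path to the internal CA's PEM file exported from the SMS) are all assumptions for illustration; the CN and SAN values mirror the finding above.

```python
"""Reproduce the scanner's X.509 name check against a gateway certificate.

Operates on the dict shape returned by ssl.SSLSocket.getpeercert() from the
standard library; a constructed sample is embedded so it runs offline.
"""
import ipaddress
import socket
import ssl

# Constructed sample mirroring the scan finding (not a real certificate):
# the subject CN is the gateway's VPN certificate name, the SAN still
# carries the old address 1.1.1.1, while the scanner targeted 2.2.2.2.
SAMPLE_CERT = {
    "subject": ((("commonName", "fw-xxxxxxxxxx VPN Certificate"),),),
    "issuer": ((("organizationName", "sms-internal-ca"),),),  # hypothetical issuer DN
    "subjectAltName": (("IP Address", "1.1.1.1"),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
# Constructed stand-in for the SMS internal CA certificate (subject only).
SAMPLE_INTERNAL_CA = {"subject": ((("organizationName", "sms-internal-ca"),),)}


def _rdn_value(name, attr):
    """Return the first value of attribute `attr` (e.g. 'commonName') in an RDN sequence."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125 style match: exact, or a single leading '*' covering exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    plabels, hlabels = pattern.split("."), host.split(".")
    # '*' replaces one leftmost label only; refuse overly broad patterns like '*.com'
    return len(plabels) == len(hlabels) and len(plabels) >= 3 and plabels[1:] == hlabels[1:]


def _is_ip(target: str) -> bool:
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def check_name_match(cert: dict, target: str) -> dict:
    """Compare the scan target against the certificate's CN and SAN entries.

    Returns the same verdicts the scanner produced (CN match, SAN match) plus
    an overall decision. As browsers do, the SAN is authoritative when present
    and the CN is only consulted when the certificate has no SAN at all.
    """
    cn = _rdn_value(cert.get("subject", ()), "commonName")
    sans = list(cert.get("subjectAltName", ()))
    target_is_ip = _is_ip(target)

    san_match = False
    for kind, value in sans:
        if kind == "IP Address" and target_is_ip:
            san_match |= ipaddress.ip_address(value) == ipaddress.ip_address(target)
        elif kind == "DNS" and not target_is_ip:
            san_match |= _dns_match(value, target)

    # An IP target can never match a CN: CNs are host names, not addresses.
    cn_match = bool(cn) and not target_is_ip and _dns_match(cn, target)

    return {
        "target": target,
        "subject_cn": cn,
        "san": sans,
        "cn_matches": cn_match,
        "san_matches": san_match,
        "ok": san_match if sans else cn_match,
    }


def issued_by(cert: dict, ca_cert: dict) -> bool:
    """True when the certificate's issuer DN equals the CA certificate's subject DN."""
    return cert.get("issuer") == ca_cert.get("subject")


def fetch_peer_cert(host: str, port: int, ca_pem_path: str) -> dict:
    """Fetch the certificate a gateway presents, trusting the CA in `ca_pem_path`.

    getpeercert() only returns a parsed dict when the chain validates, so the
    internal CA certificate must be supplied as trust anchor. Host-name checking
    is disabled on purpose: that mismatch is exactly what check_name_match tests.
    """
    ctx = ssl.create_default_context(cafile=ca_pem_path)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for target in ("2.2.2.2", "1.1.1.1"):
        print(check_name_match(SAMPLE_CERT, target))
    print("issued by internal CA:", issued_by(SAMPLE_CERT, SAMPLE_INTERNAL_CA))
```

Running it against the sample reports no CN or SAN match for 2.2.2.2 and a SAN match for 1.1.1.1, which is the mismatch the scanner flagged. To run it against a live gateway, export the internal CA certificate from the SMS, then call fetch_peer_cert with the gateway's public address and the port of the remote-access service being scanned; a certificate installed from a public CA will instead validate with the default trust store and show a public issuer.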