This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Raj_Khatri
Advisor
‎2019-06-12 12:48 PM

Internal CA VPN certificate

After performing an external vulnerability scan, the following vulnerability shows up.  It appears to be getting flagged because the IP address of the firewall was changed at some point and there is a mismatch.  The firewall that was scanned (ie: 2.2.2.2) is showing the following in the certificate (ie:1.1.1.1) for Subject Alternate Name. This is not causing any issues with VPN tunnels.  What is being presented is the Internal CA VPN certificate and wondering if there is an easy fix other possibly a re-SIC?


X.509 Certificate Subject CN Does Not Match the Entity Name


The subject common name found in the X.509 certificate does not seem to match the scan target:
Subject CN fw-xxxxxxxxxx VPN Certificate does not match target name specified in the site.
Subject CN fw-xxxxxxxxxx VPN Certificate could not be resolved to an IP address via DNS lookup.
Subject Alternative Name x.x.x.x does not match target name specified in the site.

The subject's common name (CN) field in the X.509 certificate should be fixed to reflect the name of the entity presenting the certificate (e.g., the hostname). This is done by generating a new certificate usually signed by a Certification Authority (CA) trusted by both the client and server. If wildcard certificates are in use please submit the FQDN for the host for validation of the wildcard.

 

0 Kudos
1 Reply
Wolfgang
Authority
Authority
‎2019-06-12 01:08 PM

Raj,

this is normal behaviour if you don‘t change the default.

All your VPN certificates are issued from the internal CA of your SMS. This CA is not registered outside or known to the internet, it is for internal use.

The certificate you are scanning from the internet is from the possibilities for remote access like MOB, SSL extender,  VPN clients...

If you want to get a valid certificate there, you can install your own and correct certificate from a trusted CA or you can disable all the remote access solutions on your gateway if not used.

In my book it is not a whole security risk to have the shown mismatch.

Wolfgang

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top