SSL Certificate Cannot Be Trusted

Fabien edited this page Apr 17, 2024 · 1 revision

Overview

This page discusses the security risks associated with SSL/TLS certificates that cannot be trusted. These issues arise when the SSL/TLS certificates used by websites or services are not issued by a trusted Certificate Authority (CA), are self-signed, or have expired, leading to potential security warnings and vulnerabilities.

  • Severity: Medium to High

Impact

The use of untrusted SSL certificates can lead to various security risks, including:

  • Man-in-the-Middle Attacks: Attackers can intercept and manipulate data if users bypass security warnings.
  • Data Interception: Confidential information such as login credentials and personal data can be exposed and captured.
  • Loss of Trust: Users may lose trust in a website or service that presents security warnings, potentially reducing traffic and business reputation.

Cause

SSL certificates may not be trusted due to several reasons:

  • Certificate is self-signed: The certificate is not issued by a recognized Certificate Authority.
  • Certificate has expired: The validity period of the certificate has ended.
  • Chain of trust is broken: Intermediate or root certificates are missing, expired, or invalid.
  • Certificate is issued to a different domain name: The name on the certificate does not match the domain it is used on.

Solution

Obtaining and Installing a Trusted SSL Certificate: To resolve issues with untrusted SSL certificates, obtain and install a certificate from a trusted Certificate Authority (CA).

  1. Choose a reputable Certificate Authority (CA): Consider CAs like Let's Encrypt (free), Comodo, DigiCert, GoDaddy, etc.
  2. Generate a Certificate Signing Request (CSR) in bash:

# -nodes writes the private key unencrypted; keep yourdomain.key readable only by the server process
openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr

  3. Submit the CSR to a CA: Follow the CA's process for submitting a CSR and undergo the validation process required by the CA.
  4. Install the certificate on your server: Follow your server's documentation for installing SSL certificates (Apache, Nginx, IIS, etc.). Include the intermediate certificates the CA provides, or clients will report a broken chain of trust.
  5. Configure your server to use HTTPS: Redirect all HTTP traffic to HTTPS to ensure secure connections.
  6. Test your SSL configuration: Use tools like SSL Labs' SSL Test to check your certificate status and configuration.

Examples

Redirect HTTP to HTTPS in Apache:

<VirtualHost *:80>
    ServerName www.yourdomain.com
    Redirect permanent / https://www.yourdomain.com/
</VirtualHost>

SSL test command in bash (-servername sends SNI so that a host serving several certificates returns the one for your domain; check the "Verify return code" line in the output, where 0 means the chain was trusted):

openssl s_client -connect yourdomain.com:443 -servername yourdomain.com
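The same check scripted, as an added example that is not part of this wiki page: it connects with the system trust store and hostname checking enabled, and maps a verification failure to the causes listed above using the OpenSSL verify codes that Python exposes on SSLCertVerificationError. The host name "yourdomain.com" is a placeholder.

```python
"""Probe a TLS endpoint and map a failed verification to a cause."""
import socket
import ssl
import time

# OpenSSL X509 verify result codes, as surfaced via SSLCertVerificationError.verify_code
CAUSES = {
    18: "Certificate is self-signed",                          # X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
    19: "Certificate is self-signed (in chain)",               # X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
    9:  "Certificate is not yet valid",                        # X509_V_ERR_CERT_NOT_YET_VALID
    10: "Certificate has expired",                             # X509_V_ERR_CERT_HAS_EXPIRED
    2:  "Chain of trust is broken (issuer missing)",           # X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
    20: "Chain of trust is broken (issuer not in local store)",  # X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
    21: "Chain of trust is broken (cannot verify leaf)",       # X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
    62: "Certificate is issued to a different domain name",    # X509_V_ERR_HOSTNAME_MISMATCH
}


def classify(verify_code):
    """Translate an OpenSSL verify code into one of the causes on this page."""
    return CAUSES.get(verify_code, "Other verification failure (code %d)" % verify_code)


def days_until_expiry(cert, now=None):
    """Whole days left on a certificate dict as returned by SSLSocket.getpeercert()."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])  # parses 'Jun  1 12:00:00 2025 GMT'
    now = time.time() if now is None else now
    return int((expires - now) // 86400)


def check_endpoint(host, port=443, timeout=5.0):
    """Connect with default verification (system CAs, hostname check) and report."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            # server_hostname sets SNI and the name that the certificate must match
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"trusted": True,
                        "days_left": days_until_expiry(cert),
                        "subject": dict(rdn[0] for rdn in cert["subject"])}
    except ssl.SSLCertVerificationError as err:
        return {"trusted": False,
                "cause": classify(err.verify_code),
                "detail": err.verify_message}


if __name__ == "__main__":
    import sys
    print(check_endpoint(sys.argv[1] if len(sys.argv) > 1 else "yourdomain.com"))
```

A result with "trusted": False names which of the four causes to fix; a low days_left on a trusted result means the renewal should be scheduled before the certificate expires.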
