Create a list of private certificate authorities (CAs) for SSL verification. During scans, we will use your custom list in addition to well known certificate authorities already used by Qualys whenever SSL verification is needed.
Important -
-This custom list of private certificate authorities (CAs) that you create is exclusive to your subscription and is not accessible to others.
-Careful consideration should be paid to which CAs are added, as these will be used for all SSL channel authentication purposes. Consequently, improperly imported CA certificates may introduce the possibility of man-in-the-middle attacks and complete SSL compromise during a scan. In these cases, attackers would be able to recover passwords or other sensitive information used during the scan via both online and offline attacks.
-The common name of a certificate is typically displayed as the Name for that certificate in the Scanner Trusted CA list. However, if a certificate data contains an organizational unit and not the common name in the certificate data, then the organization unit is displayed as the Name in the Scanner Trusted CA list.
Here are some reasons:
1) Our scanner will verify SSL certificates presented to it when connecting to services used as part of scanning. For example, connecting over SSL to an authentication vault to obtain login/password information during authenticated scans. SSL verification is required to connect to the Thycotic Secret Server password vault. If the password vault is configured with a certificate issued by a private certificate authority, import the custom root CA to your subscription to ensure successful connectivity. This example also applies when SSL is used to connect to the Hitachi ID PAM password vault and for VMware authentication.
2) Another use during scanning is to validate the private certificate of an internal web server available over https.
3) If you don't import your trusted certificate authorities then our scanner may flag your valid, internally trusted SSL certificates and services as invalid.
1. Go to Scans > Setup > Scanner Trusted CA.
The Scanner Trusted CA window is displayed.
2. Click Choose file from Import Authority to import a trusted certificate authority.
Once imported, the authority will be listed at the top of the page. Click on any authority in the list to view details, including information about the issuer of the certificate, the time frame for when the certificate is considered valid, and the MD5 and SHA1 fingerprints used by the scanner for SSL verification.
The certificate file must contain a single X509v3 signed certificate in PEM format enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----". The certificate files typically have an extension ".pem".
Select the certificate authority in the list and click the Remove button. The certificate authority will be removed from the database and not be used for SSL verification.
CA certificates that are expired are highlighted in red for quick identification. If an expired CA certificate is used, the SSL verification will fail. QID 38167 "SSL Certificate - Expired" will be reported in your vulnerability scan results if an expired custom CA certificate is used during vulnerability assessment tests.
Note: This QID is not reported for failed connection to a password vault due to an expired certificate.