How to resolve SSL Certificate Cannot Be Trusted

Nanzhi 20 Reputation points
2024-10-12T09:39:29.3733333+00:00

I am running a vulnerability scan on my Windows host using Tenable, and it has detected a vulnerability called "SSL Certificate Cannot Be Trusted." How can I fix it?

Windows for business Windows Client for IT Pros User experience Other
{count} votes

Accepted answer
  1. MotoX80 36,291 Reputation points
    2024-10-14T14:09:33.45+00:00

    It reports on these ports/certs.

    Port 8640 CN=127.0.0.1 (Localhost)

    Port 8834 Nessus Server (Tenable Nessus!)

    Port 9527 Hikvision CN=127.0.0.1 (Localhost, security camera?)

    It looks like you are running the scanner software against the machine that hosts the software. That is not a valid network scan. The Windows firewall will not block access to localhost, 127.0.0.1.

    I do not have any experience with Tenable but it appears that it's function is to scan your network to see what machines have open, vulnerable, ports exposed to the network. You should install the Tenable software on a machine whose sole purpose is to scan the other machines on your network.

    You can test to see if those ports are exposed to the network by running Powershell from another PC.

    Test-NetConnection -ComputerName YourPCname -port 8640 
    Test-NetConnection -ComputerName YourPCname -port 8834 
    Test-NetConnection -ComputerName YourPCname -port 9527 
    

    Even if the ports are open, then that is not necessarily a vulnerability. If you have a test web site defined to IIS on port 8640, well, so what? At least it has a self signed certificate.

    If you have camera security software installed and it offers a user interface on port 9527, that is not necessarily a vulnerability. If the ports are open and you don't want that software accessed by other machines on your network, then you can run "wf.msc" and modify the rules in the firewall to block access.

    1 person found this answer helpful.
    0 comments No comments

3 additional answers

Sort by: Most helpful
  1. Yanhong Liu 14,195 Reputation points Microsoft External Staff
    2024-10-14T08:55:53.47+00:00

    Hello,

    Here are some troubleshooting steps:

    1. Check the Certificate:

    Confirm that the SSL certificate used is issued by a trusted Certificate Authority (CA).

    If it's a self-signed certificate, consider replacing it with one issued by a trusted CA.

    1. Update the chain of trust:

    Ensure that all necessary intermediate certificates are installed on the server to form a complete chain of trust.

    1. Configure the server:

    Check the SSL/TLS configuration of the server to ensure that the certificate and private key are configured correctly.

    Test your SSL configuration with a tool such as SSL Labs to ensure it complies with best practices.

    1. Update the client trust store:

    If the client application is using an untrusted certificate, consider adding the certificate to its trust store.

    1. Monitoring and Maintenance:

    Regularly check and renew your SSL certificate to ensure it doesn't expire.

    Monitor SSL configurations to ensure compliance with the latest security standards.

    I hope the information above is helpful.

    Best Regards,

    Yanhong Liu

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    2 people found this answer helpful.
    0 comments No comments

  2. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.


    Comments have been turned off. Learn more

  3. C_Padiya 0 Reputation points
    2024-10-15T06:58:53.4833333+00:00

    This can be due to

    If your SSL certificate expired

    If you are using a self-signed certificate

    If there is any misconfiguration in your SSL/TLS

    If something is missing in your certificate chain

    You can check your SSL status to find out the cause and fix it as needed.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.