Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
DanaMacomber
New Contributor

SSL Certs. Do I need to pay for them?

Hi,

I have penetration testing done for PCI, and the results come back with "SSL certificate expired". It's only a small office with 1 FGT-60D with no website or anything. Do I really need to pay $300+ for a certificate? Any other options to remedy this little problem?

Thanks,

DM

9 Replies
emnoc
Esteemed Contributor III

What are you using it for (business app, a hosted management interface, SSL VPN portal, etc.)?

If it's the 1st one, just pay the 183 USD for a Domain-Validated certificate; the cost is minimal for 1 year. If you're open to doing a lot of renewals, look at letsencrypt or cacert (the latter is not fully included in most common browser CA-trust lists; letsencrypt is, btw).

If it's an SSL VPN portal, just have the end user trust the certificate, or use a self-signed one with client certificate required.

Either one of the above (CertAuthorities) allows for free SSL certificates, but what you get is what you pay for (basically you get nothing for free). YMMV

btw: GoDaddy offers a 3-month Domain Validated certificate, but it's a struggle to keep renewing. Their thought process is to give you a free certificate for domain XYZ and then, after you've run it for 3 months, you purchase a true GoDaddy SSL cert.

Again, "nothing is ever free" ;)

 

YMMV

 

PCNSE 

NSE 

StrongSwan
FortiBoris_FTNT

Well, it all depends on what you want to do, really. If your concern is about the FortiGate's default certs, you can generate your own. Check this and adapt it for today's OpenSSL possibilities, maybe?

https://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/

DanaMacomber

Thanks for the responses. I think all I need is that when you access the FGT over HTTPS you don't get a "Problem with this website's security certificate". There is no website, SSL VPN, or anything else behind the FGT that needs a cert.

I see online some SSL certificates for $5 and some for $400. I just don't want to spend lots if there is a simple or cheap remedy.

 

DM.

FortiBoris_FTNT

So really all it takes is running these 3 commands from your Kali box (and answering a few questions in the process, plus a password):

# Generate the CA private key (unencrypted)...
openssl genrsa -out rootCA.key 2048
# ...or generate it encrypted with a DES3 passphrase instead (pick one; the second command overwrites the first key)
openssl genrsa -des3 -out rootCA.key 2048
# Self-sign the root certificate (answer the subject prompts; use the FGT FQDN as the CN)
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

And import the cert .pem & .key on your FGT device and configure your admin settings to use this certificate. Your cert should be built with the FQDN of your FGT as the CN attribute.

Also, as said, check the cipher used in the commands and adapt it to your needs if mods are needed/wanted.

 

Regards,

Boris
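As an added example (not from the thread, Fortinet, or Boris's blog link), here is a small POSIX shell script that does what Boris and Tiny Admin describe in one step: it creates a self-signed certificate whose CN and SAN are the FGT's FQDN, using the longer 1095-day lifetime, and then checks the resulting file for the condition the PCI scan flagged (expiry) so you can renew before it lapses. It assumes OpenSSL 1.1.1 or newer on the PATH (for -addext); fgt.example.net and the output paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: self-signed admin cert for a FortiGate, plus an expiry check.
# Assumes openssl 1.1.1+ on PATH; fgt.example.net and ./fgt-cert are constructed placeholders.
set -eu

# make_fgt_cert <fqdn> <days> <outdir>
# Creates an RSA-2048 key and a SHA-256 self-signed certificate with CN and SAN set to <fqdn>.
# Modern browsers validate the SAN, not only the CN, so both carry the name admins will type.
make_fgt_cert() {
    fqdn="$1"; days="$2"; outdir="$3"
    mkdir -p "$outdir"
    # -nodes: the key is stored without a passphrase so the appliance can import it directly
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=${fqdn}" -addext "subjectAltName=DNS:${fqdn}" \
        -keyout "$outdir/fgt-admin.key" -out "$outdir/fgt-admin.pem" 2>/dev/null
    chmod 600 "$outdir/fgt-admin.key"   # private key readable by its owner only
}

# cert_cn <pem>: prints the certificate's CN (handles both "CN = x" and "/CN=x" subject styles)
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# cert_expires_within <pem> <seconds>: succeeds (exit 0) if the cert expires within <seconds>.
# openssl's -checkend exits 0 while the cert is still valid for that long, so the result is negated.
# Pass 0 to test "already expired", which is exactly the finding the scan reported.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Example run (uncomment): build a 3-year cert and warn 30 days before it lapses.
# make_fgt_cert fgt.example.net 1095 ./fgt-cert
# cert_expires_within ./fgt-cert/fgt-admin.pem 2592000 && echo "renew fgt-admin.pem soon"
```

Run the expiry check from cron against the .pem you uploaded to the FGT, and the next PCI scan will not surprise you.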

tinyadmin
New Contributor III

Hi DanaMacomber

In my eyes the question is: is this a security issue or just a notification? And which service requires the certificate?

If the GUI for configuring the FortiGate is the service, switch off HTTPS admin access for this interface, if possible. Or restrict the IP source range for the admin accounts.

If SSL VPN or IPsec dial-in is the service and you do not use SSL VPN or IPsec, deconfigure SSL VPN or IPsec (or both?).

If you really need the certificate, sign one yourself as described by Boris; maybe increase the -days option to (3*365=) 1095 days. If you want to have a publicly trusted certificate, use your preferred search engine and look for cheap SSL certificates.

Last time I paid less than EUR 15,-/year for a simple domain validated certificate.

The encryption is always the same; AES128 is AES128, for example. Only the trust in the signed certificate is different...

 

Regards,

Tiny Admin

Toshi_Esumi

If you could shut down HTTPS on the outside interface (with the public IP the pen test is using) and limit admin access from outside to over VPN only, you might be able to avoid all of this.

redbaron78

Pen testing for PCI compliance must be done on the inside and outside.

emnoc
Esteemed Contributor III

For restricting remote-access management, take a look at this blog post of mine. It was drafted due to just this:

"failed PCI audits on public interfaces"

http://socpuppet.blogspot.com/2015/03/sslvpn-sslroot-management-access.html

Here, nobody will ever see the HTTPS management interface, and you only need one certificate on the SSL VPN portal. This could be self-signed or CA-signed.

One more cool approach is to require client-side certificates for access to the SSL VPN portal. You can draft and stroke client (end user) certificates for your remote administrators that use the SSL VPN. This, along with SMS/email MFA, would give you a stronger, more secure lockdown.

 

Ken

 

PCNSE 

NSE 

StrongSwan
redbaron78
New Contributor

Probably not. You didn't offer enough information to be sure, but if the SSL cert that's expired is the one presented by the FortiGate for administrative access, a compensating control could be restricting administrative logins to a management VLAN or specific host(s). Administrative interfaces should never be in a cardholder data environment; it's pretty easy to separate them and put them in their own VLAN.
