A few servers are getting picked up by security scans with the following message:
The following certificate was at the top of the certificate chain sent by the remote host, but it is signed by an unknown certificate authority. | Subject : CN=serverabc.local | Issuer : CN=serverabc.local
The port referenced in the scan is port 3389 (RDP). The default RDP certs on each server (in the Remote Desktop cert store) are self-signed and still valid.
I think the issue comes down to the cert being self-signed and not being signed by a CA.
Would the following steps resolve this issue?
- Create an internal Certificate Authority
- Generate new CSRs for the vulnerable servers
- Sign the newly created CSRs with the mentioned CA
- Replace the current (existing) self-signed RDP certs in the Remote Desktop cert store with the CA-signed certs on each vulnerable server
Is there any potential issue/problems with swapping out the existing cert with a CA signed cert?
I'd appreciate any help/guidance with resolving this, thanks.
Certificates issued by the internal CA will only be trusted by clients that have the certificate in their certificate store (your domain members and other infrastructure where you install the certificate), which the security scanner surely won't have.
To use a certificate that will be trusted by the security scanner, you'll surely need to purchase a commercial certificate.
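The swap described in the question's steps, plus the trust check the answer is getting at, as an added PowerShell example that is not from either poster: it picks the CA-signed certificate for the server, builds its chain against this host's trust store (the same decision a connecting client or scanner makes with its own store), binds it to the RDP-Tcp listener, and confirms the binding took. The server name comes from the scan output; the issuing CA name is an assumed placeholder.

```powershell
# Added example (not from the question or answer). Run elevated on the server.
# Assumed values: $IssuerName is a placeholder for your internal CA's subject.
$ServerFqdn = 'serverabc.local'          # name from the scan output
$IssuerName = 'CN=Internal Issuing CA'   # ASSUMED: replace with your CA's subject

# 1. Pick the newest CA-signed certificate (with private key) for this host.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Issuer -eq $IssuerName -and $_.Subject -like "CN=$ServerFqdn*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No CA-signed certificate for $ServerFqdn in LocalMachine\My" }

# 2. Build the chain the way a TLS client does. It only succeeds if the CA's
#    root sits in THIS machine's trusted store; a client or scanner that lacks
#    that root fails here and reports "unknown certificate authority".
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; use 'Online' once the CRL/OCSP is reachable
$serverAuth = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$chain.ChainPolicy.ApplicationPolicy.Add($serverAuth) | Out-Null
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw 'Certificate does not chain to a root trusted on this host; fix trust before binding it'
}

# 3. Bind the certificate to the RDP-Tcp listener (what the scanner sees on 3389).
#    The private key must be readable by NETWORK SERVICE, or the listener keeps
#    using the self-signed certificate without reporting an error.
$ns  = 'root\cimv2\TerminalServices'
$rdp = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
Set-WmiInstance -Path $rdp.__PATH -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null

# 4. Re-read the listener setting and confirm the new thumbprint is in place.
$bound = (Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash
if ($bound -ne $cert.Thumbprint) { throw "RDP-Tcp is still bound to thumbprint $bound" }
"RDP-Tcp now presents $($cert.Subject), issued by $($cert.Issuer), thumbprint $bound"
```

Step 2 run on a machine without the internal root reproduces the scanner's finding, which is why a certificate from that CA clears the scan only where the root is trusted.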