Questions[self-signed-certificate](server)

A few servers are getting picked up by security scans with the following message:

The following certificate was at the top of the certificate chain sent by the remote host, but it is signed by an unknown certificate authority. | Subject : CN=serverabc.local | Issuer : CN=serverabc.local

The port referenced in the scan is port 3389 (RDP). The default RDP certs on each server (in the Remote Desktop cert store) are self-signed and still valid.

I think the issue comes down to the cert being self-signed and not being signed by a CA.

Would the following steps resolve this issue?

1. Create an internal Certificate Authority
2. Generate new CSR's for the vulnerable servers
3. Sign newly created CSR's with the mentioned CA
4. Replace current (existing) self-signed RDP certs in the Remote Desktop cert store with the CA signed certs on each vulnerable server

Is there any potential issue/problems with swapping out the existing cert with a CA signed cert?

I'd appreciate any help/guidance with resolving this, thanks.

We've been considering to make more use of DANE as a decentralised authority for our certificates.

Especially with S/MIME.

However, the key obstacle is... how widely are DANE treated as an authority with mail clients?

Is there a list with all the clients (mail, web, ftp, ssh and etc...) that support DANE?

Thanks,

Using Powershell, I'm attempting to create a self-signed ssl certificate with a private key that can be exported. I've read and followed various tutorials, however the end result is always that no private is exported. I'm using Powershell because the server is running Windows Server 2016 Core edition. I've tried using the Certificate MMC console from a remote computer, however it appears not all functionality is available when doing that remotely. In any case, the various tutorials I've follow speak about the ability to export the private key, however I have yet to find a concrete example of the code which makes this work. Here is the code I have been trying:

$todaydt = Get-Date
$5years = $todaydt.AddYears(5)
$selfSignedRootCA = New-SelfSignedCertificate -DnsName SelfSignedRootCA -notafter $5years -CertStoreLocation Cert:\LocalMachine\My\ -KeyExportPolicy Exportable -KeyUsage CertSign,CRLSign,DigitalSignature -KeySpec KeyExchange -KeyLength 2048 -KeyUsageProperty All -KeyAlgorithm 'RSA' -HashAlgorithm 'SHA256' -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider'
New-SelfSignedCertificate -CertStoreLocation cert:\LocalMachine\My -DnsName "myserver.test" -notafter $5years -Signer $selfSignedRootCA -KeyUsage KeyEncipherment,DigitalSignature
$CertPassword = ConvertTo-SecureString -String "MyPassword" -Force -AsPlainText
Export-PfxCertificate -Cert cert:\LocalMachine\My\REDACTED-THUMBPRINT -FilePath C:\test.pfx -Password $CertPassword

My research suggests that the most common reason for this is that the certificate template used in creating the certificate does not allow the private key to be exported, so following these suggestions I've copied an existing Certificate Template and ensured that it is configured to allow exporting the key. But, then I don't know how/where to specify that newly-created template in any of the above commands. And my review of the documentation for these cmdlets does not show any parameter for doing so. Really stuck on this so any advice is much appreciated.

I am finding all sorts of walkthroughs on how to add certificates to be used in the pods themselves, but I can't seem to find info on how to setup Kubernetes to allow a self-signed cert for pulling images from a Harbor instance running inside the cluster. I have the ca cert imported to the system's trusted certs (system is running Ubuntu 18.04), but I am guessing Kubernetes uses it's own trusted certs store somewhere, similar to how Java ignores the system's trusted certs and relies on keystore files?

Edit To be more specific, what I am trying to do is deploy a custom Docker image stored in my Harbor instance that is running in my Kubernetes cluster. I have the certs for Harbor imported into my host systems OS, and I can run:

docker login <url_to_harbor>
docker pull <url_to_harbor>/library/custom/image:latest

and it works fine from CLI, but if I try to create a deployment yaml like so:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: custom-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: custom
  template:
    metadata:
      labels:
        app: custom
    spec:
      containers:
      - name: custom
        image: <url_to_harbor>/library/custom/image:latest
...

and run kubectl apply -f custom-deploy.yaml I get the following error when I get pods:

custom-deployment-6ff68947f6-8jj2p            0/1     ImagePullBackOff   0          13s

And if I get a description on the failed pod I see:

  Warning  Failed          18s                kubelet, node3     Failed to pull image "<url_to_harbor>/library/custom/image:latest": rpc error: code = Unknown desc = Error response from daemon: Get https://<url_to_harbor>/v2/: x509: certificate signed by unknown authority
  Warning  Failed          18s                kubelet, node3     Error: ErrImagePull

I have restarted the host machine since I imported the CA certs. I added the certs by moving the root CA cert file into /usr/local/share/ca-certificates and then running sudo update-ca-certificates.

I would like to ask how to generate end entity certificate based on my own CA root certificate? I've generated root CA this way:

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
    -keyout example.key -out example.crt -subj /CN=MyCompany \
    -addext subjectAltName=IP:192.168.100.82

openssl pkcs12 -export -out cert.pfx -inkey example.key -in example.crt

I have imported cer file to Windows Trusted Root Certification Authorities and pfx file into IIS Server Certificates.

It works well with Chrome, IE and Edge, but Firefox reports a problem with my cert: MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY

I googled it and I learnt that I should have end-entity cert signed by my CA root cert. I was trying to generate end-entity cert with:

openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr -subj /CN=MyCompanyEE -addext subjectAltName=IP:192.168.100.82
openssl x509 -req -in server.csr -CA cert.pem -CAkey example.key -CAcreateserial -out server.crt -days 3650 -sha256
openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt

OpenSSL response:

Signature ok
subject=CN = MyCompanyEE
Getting CA Private Key

I have imported server.pfx into IIS Server Certificates too, and changed bindings for my web app to use server cert, but now it doesn't work in either Firefox or Chrome.

Firefox says: SSL_ERROR_BAD_CERT_DOMAIN,

Chrome says: NET::ERR_CERT_COMMON_NAME_INVALID.

What I'm doing wrong?