vulnerability with certificates

  • Question

  • Hi, we have configured Symantec Manager on a SQL database and scanned the server with a Nessus scan and found the vulnerabilities below. Please support us in fixing the vulnerabilities.

    56531 SSL Certificate Cannot Be Trusted - I
    52241 SSL Self-Signed Certificate - I
    52241 SSL Certificate Signed Using Weak Hashing Algorithm
    56770 SSL Certificate with Wrong Hostname
    56770 SSL Certificate Chain Contains RSA Keys Less Than 2048 bits

    Kiran

    Thursday, January 9, 2020 8:48 AM

Answers

  • Hi Kiran,

    You can find the certificate in the following way.

    1. Open SQL Server Configuration Manager, click and expand SQL Server Network Configuration, select the instance you want, right-click and choose Properties, click the Certificate tab, and if a certificate exists, you can select it and click View.

    2.

    • Run the MMC command from the command line.
    • On the File menu of the MMC console, click Add / Remove Snap-ins.
    • In the Add / Remove Snap-ins dialog box, choose the Certificates and click Add.
    • In the Certificate Snap-in dialog box, click Computer Account, and then click Finish.
    • In the Add / Remove Snap-in dialog box, click OK.

    Then you can find the certificates under Certificates (Local Computer)/Personal/Certificates.

    In addition, the following are the steps by which SQL Server loads a certificate.

    1. It goes to the operating system certificate store and looks up the certificate whose thumbprint is the one recorded in the Certificate registry key.

    2. If the Certificate key value is empty, then SQL Server goes to the certificate store to find the certificate whose subject CN is the same as the FQDN of the SQL Server host.

    3. If the certificate is still not found, SQL Server will automatically generate a self-signed certificate and install it in this certificate store.

    Best regards,
    Cris


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
    Thursday, January 16, 2020 3:30 AM
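The three-step lookup in the accepted answer, and the later point that the fallback certificate exists only in memory, can be checked from the SQL host without clicking through MMC. The script below is an added example written for this thread; it is not code from the thread, from Microsoft or from Nessus. It assumes an elevated PowerShell session on the SQL Server machine and the standard registry layout (the instance name is mapped to an instance ID under `Instance Names\SQL`, and the configured thumbprint lives in the `Certificate` value under `<InstanceID>\MSSQLServer\SuperSocketNetLib`). `$InstanceName` is this script's own parameter. It resolves which certificate the instance would present, then reports the properties that sit behind the five scanner findings in the question (trust chain, self-signed, signature hash, RSA key size, hostname match) so the finding can be mapped to a concrete certificate or, if none is found, to the in-memory fallback.

```powershell
<#
  Added example (not from the thread or from Microsoft).
  Follows the lookup order described in the answer:
    1. thumbprint stored in the SuperSocketNetLib\Certificate registry value
    2. certificate in LocalMachine\My whose subject CN equals the host FQDN
    3. otherwise SQL Server generates an in-memory self-signed certificate
  Assumes: elevated session on the SQL Server host, standard registry layout.
#>
param([string]$InstanceName = 'MSSQLSERVER')   # script's own parameter

$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$root = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'

# Map the instance name to its instance ID (e.g. MSSQL14.MSSQLSERVER).
$instanceId = (Get-ItemProperty "$root\Instance Names\SQL").$InstanceName
if (-not $instanceId) { throw "Instance '$InstanceName' not found under $root\Instance Names\SQL" }

$netLib = Get-ItemProperty "$root\$instanceId\MSSQLServer\SuperSocketNetLib"
$thumb  = $netLib.Certificate            # step 1: empty when nothing is configured
$store  = Get-ChildItem Cert:\LocalMachine\My

$cert = $null
if ($thumb) {
    $cert   = $store | Where-Object { $_.Thumbprint -eq $thumb.ToUpper() } | Select-Object -First 1
    $source = "registry thumbprint $thumb"
    if (-not $cert) { Write-Warning "Thumbprint $thumb is configured but is not in LocalMachine\My" }
}
if (-not $cert) {
    # step 2: subject CN equal to the host FQDN
    $cnPattern = "(^|,\s*)CN=$([regex]::Escape($fqdn))(,|$)"
    $cert   = $store | Where-Object { $_.Subject -match $cnPattern } | Select-Object -First 1
    $source = "subject CN = $fqdn"
}
if (-not $cert) {
    # step 3: nothing usable, so the instance will present an in-memory self-signed
    # certificate. There is no file to locate; the self-signed/untrusted findings are expected.
    return [pscustomobject]@{
        Instance        = $InstanceName
        Source          = 'in-memory self-signed fallback (nothing in LocalMachine\My)'
        ForceEncryption = $netLib.ForceEncryption
    }
}

# Properties behind the findings listed in the question (leaf certificate only).
$rsa      = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
$keyBits  = if ($rsa) { $rsa.KeySize } else { $null }
$sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
$sanNames = @()
if ($sanExt) {
    $sanNames = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
                ForEach-Object { $_.Groups[1].Value }
}
$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$trusted = $chain.Build($cert)            # false for self-signed or unknown issuers
$cnMatch = $cert.Subject -match "CN=$([regex]::Escape($fqdn))(,|$)"

[pscustomobject]@{
    Instance          = $InstanceName
    Source            = $source
    Thumbprint        = $cert.Thumbprint
    Subject           = $cert.Subject
    NotAfter          = $cert.NotAfter
    ForceEncryption   = $netLib.ForceEncryption
    SelfSigned        = ($cert.Subject -eq $cert.Issuer)
    ChainTrusted      = $trusted
    ChainStatus       = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    SignatureAlg      = $cert.SignatureAlgorithm.FriendlyName
    WeakSignatureHash = ($cert.SignatureAlgorithm.FriendlyName -match 'md5|sha1')
    RsaKeyBits        = $keyBits
    WeakRsaKey        = ($null -ne $keyBits -and $keyBits -lt 2048)
    SanDnsNames       = ($sanNames -join ',')
    HostnameMismatch  = (-not ($sanNames -contains $fqdn) -and -not $cnMatch)
}
```

Run it as `.\Check-SqlTlsCert.ps1 -InstanceName MSSQLSERVER` (the file name is whatever you save it as). A `Source` of "in-memory self-signed fallback" is the situation the later replies describe: there is no certificate file to find, and the only way to clear the self-signed and untrusted-chain findings is to install a CA-issued certificate with the host FQDN in its SAN into LocalMachine\My, grant the SQL Server service account read access to its private key, and select it in Configuration Manager so the `Certificate` value is populated. The key-size check covers only the leaf certificate; the scanner's chain finding also applies to intermediates, which `$chain.ChainElements` would let you iterate in the same way.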

All replies

  • What does Symantec manager say?

    https://www.sslsupportdesk.com/understanding-symantecs-vulnerability-assessment-scan/

    https://www.sslshopper.com/ssl-certificate-installation.html


    Best Regards, Uri Dimant, SQL Server MVP, http://sqlblog.com/blogs/uri_dimant/

    MS SQL optimization: MS SQL Development and Optimization
    MS SQL Consulting: Large scale of database and data cleansing
    Remote DBA Services: Improves MS SQL Database Performance
    SQL Server Integration Services: Business Intelligence


    Thursday, January 9, 2020 9:29 AM
  • It really depends on who you talk to whether it's an issue or not. I personally don't find it an issue... 

    https://www.seangallardy.com/sql-server-self-signed-certificate-vulnerabilities-ffs-get-off-my-lawn/


    The views, opinions, and posts do not reflect those of my company and are solely my own. No warranty, service, or results are expressed or implied.

    Friday, January 10, 2020 12:04 AM
  • Hi kiran,

    If you don't have a certificate generated from a public certificate authority, but this is part of a Nessus scan, then it will alert you. However, if you know that you don't need a public certificate in your organization because you don't have a service that requires it, you can simply ignore this "vulnerability".

    Best regards,

    Cris


    MSDN Community Support
    Friday, January 10, 2020 8:01 AM
  • Hi Kiran,

    If you have resolved your issue, please mark the useful reply as answer. This can be beneficial to other community members reading the thread.

    In addition, if you have any other questions, please feel free to ask.

    Thanks for your contribution.

    Best regards,
    Cris


    MSDN Community Support
    Monday, January 13, 2020 1:19 AM
  • Can you please provide the location where the SQL Server SSL certificate is located.


    Kiran

    Wednesday, January 15, 2020 7:09 AM
  • Hi Kiran,

    you can refer to:

    https://serverfault.com/questions/562272/what-is-the-location-of-the-sql-server-fallback-certificate

    Best regards,

    Cris


    MSDN Community Support
    Wednesday, January 15, 2020 8:43 AM
  • We require the SSL certificate path for SQL Server. The certificate name and the folder where it exists?


    Kiran

    Wednesday, January 15, 2020 10:04 AM
  • Please find the screenshot; the certificate value data is blank.



    Kiran

    Wednesday, January 15, 2020 1:23 PM
  • If you're using your own certificate it'll be in one of the certificate stores.

    If you're relying on the fallback certificate, which is what you posted about, then it only lives in memory for the lifetime of the instance. There is no physical location for it; even if there were, it wouldn't matter and there'd be nothing useful to gain from it.


    The views, opinions, and posts do not reflect those of my company and are solely my own. No warranty, service, or results are expressed or implied.

    Wednesday, January 15, 2020 2:12 PM