Thursday, November 23, 2023

Custom CA for VA scan

This guide shows how to resolve the "SSL certificate cannot be trusted" finding that vulnerability scans report against the MOXA EDS-4000/G4000 switch platform.


The EDS-4000/G4000 platform currently checks the private key when an SSL certificate is imported, and the private key on the device cannot be modified or replaced. The only option is therefore to export a CSR from the device itself, sign that request, and import the resulting certificate back into the device.

However, the CSR generated by the EDS-4000/G4000 does not include a domain in the Common Name, so most CAs will refuse to sign it.

The only way to resolve this is to add a custom CA in your VA scan engine.

This solution is only suitable inside a corporation that runs its own internal CA.

1. Before we start, we run a scan; the result is shown below:

2. Export the CSR from the EDS-4000/G4000 switch.

3. Sign the request with OpenSSL. Here I use the free wildcard SSL certificate provided by the domain service provider, auto-generated by Let's Encrypt, as the CA.

4. Import the certificate into the switch.

5. Import the CA into the scan engine, in this case Nessus:
Settings > Custom CA > Certificate > Save

6. Scan again; the SSL finding is no longer reported.