The remote server's SSL certificate has already expired - Plugin ID 15901
Hi Experts
We are running Nessus Scan against our F5 BIG-IP LTM devices and getting following alert:-
The remote server's SSL certificate has already expired - Plugin ID 15901
Now the problem is that we are using the IP address to log on to these devices instead of a common name (CN), which is what SSL certs use. We can't remove it for sure. Now how to regenerate it without a common name (CN) is a concern for us?
Some of the information from F5:-
http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos_management_guide_10_1/tmos_device_certif_config.html1019303
Here is our cert information:-
General Properties
  Name: server
  Certificate Subject(s): My Company Ltd
Certificate Properties
  Expires: Jan 16, 2013
  Version: 3
  Serial Number: XXXX
  Subject
    Common Name:
    Organization: My Company Ltd
    Division:
    Locality: Yes
    State Or Province: No
    Country: YO
  Issuer: Self
Any advice will be highly appreciated.
Thanks
- Cory_50405 (Noctilucent)
It may be that Nessus is assuming an expired certificate if it receives a mismatch between the CN of the certificate and the URL it used to access the LTM. As long as your certificate on the interface is still valid (whether it's a custom certificate or a self-signed should not matter), then this is a false positive finding.
- Cory_50405 (Noctilucent)
You got a permission denied error because your syntax was trying to execute it. Your cat should be fine, except grep for HTTPD (all caps). It is case sensitive.
- khiali_130513 (Nimbostratus)
I mixed up 2 questions, just updated the relevant one. Regarding this, we are accessing LTM via IP address only. No CN. How will I know if the certificate is valid on the interface or not? All I know is that it's expired.
- Cory_50405 (Noctilucent)
Correct. So the Nessus finding should only be a real finding if the certificate you have loaded on the management interface is actually expired. Otherwise, it's a false positive. Doesn't matter which CA (or self-signed), since you are accessing by IP address.
It should not matter if the certificate has a common name or not; I don't believe you can't create one without one, even. If the Nessus scan only mentions the expired part and you want to fix this, you could also just say "we know". Then just a new certificate with any common name should be fine. Do keep in mind this certificate might also be used for the HA device trust, and with GTM it might be even more important.
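The two replies above say the finding is real only if the certificate actually served on the management address has expired, and that a certificate without a CN can be generated. The following script, added here as an example and not code from the thread or from F5, checks exactly that with the openssl CLI: it fetches the leaf certificate from an address (no hostname or SNI involved), tests only the validity dates, and generates a self-signed certificate whose subject has no CN at all. The MGMT_IP address and the script name are assumptions; it assumes openssl is installed.

```shell
#!/bin/sh
# Added example, not code from the thread or from F5: check whether the
# certificate actually served on a BIG-IP management address has expired,
# and show that a self-signed device certificate needs no Common Name.
# Assumes the openssl CLI is installed. MGMT_IP is a hypothetical target.

# Save the leaf certificate a host serves to a PEM file. Works with
# IP-only access: no SNI/hostname is involved, and the checks below look
# only at validity dates, never at the CN.
fetch_cert() {   # fetch_cert <host-or-ip> <out.pem>
  openssl s_client -connect "$1:443" </dev/null 2>/dev/null \
    | openssl x509 -out "$2" 2>/dev/null
}

# Exit 0 if the certificate in <pem> is still valid <seconds> from now
# (default 0, i.e. not expired right now), 1 if it has expired or will
# expire within that window. A CN mismatch does not make this fail.
cert_valid_for() {   # cert_valid_for <pem> [seconds]
  openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

cert_enddate() {   # cert_enddate <pem>  -> "notAfter=Jan 16 00:00:00 2013 GMT"
  openssl x509 -in "$1" -noout -enddate
}

cert_subject() {   # cert_subject <pem>  -> "subject=C = YO, O = My Company Ltd"
  openssl x509 -in "$1" -noout -subject
}

# Generate a self-signed certificate with an arbitrary subject. A subject
# such as "/C=YO/O=My Company Ltd" carries no CN and is accepted, which is
# what the device's current certificate looks like. The key is written
# next to the certificate as <out.pem>.key.
make_selfsigned() {   # make_selfsigned <out.pem> <days> <subject>
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "$3" \
    -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Report on a live host: the finding is real only if the served
# certificate has actually expired. Returns 0 valid, 1 expired, 2 error.
check_host() {   # check_host <host-or-ip>
  tmp=$(mktemp) || return 2
  if ! fetch_cert "$1" "$tmp"; then
    echo "$1: could not fetch certificate"; rm -f "$tmp"; return 2
  fi
  cert_subject "$tmp"; cert_enddate "$tmp"
  if cert_valid_for "$tmp" 0; then
    echo "$1: certificate is NOT expired (Plugin 15901 would be a false positive)"
    rc=0
  else
    echo "$1: certificate HAS expired (finding is real; regenerate it)"
    rc=1
  fi
  rm -f "$tmp"; return $rc
}

# Usage (hypothetical address): MGMT_IP=192.0.2.10 sh check_f5_cert.sh
if [ -n "${MGMT_IP:-}" ]; then check_host "$MGMT_IP"; fi
```

Run it with MGMT_IP set to the management address you log on to; if cert_valid_for fails for the fetched certificate, the Nessus finding is genuine regardless of the missing CN, and a replacement generated with make_selfsigned (or a CA-issued one) with any subject will clear it.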
- Vitaliy_Savrans (Nacreous)
Using an FQDN for accessing LTM devices does not depend on the CN in certificates. For this you need appropriate DNS records; ideally they should match the CN.
- khiali_130513 (Nimbostratus)
I have checked and the management IP addresses don't resolve to any DNS records. Now I could be wrong here.