How to Manage a Custom Chain of Trusted CAs

Create a list of private certificate authorities (CAs) for SSL verification. During scans, we will use your custom list in addition to the well-known certificate authorities already trusted by Qualys whenever SSL verification is needed.

Important - Consider carefully which CAs you add, because every imported CA is trusted for all SSL channel authentication during scans. Consequently, an improperly imported CA certificate may make man-in-the-middle attacks and complete SSL compromise possible during a scan. In that case, an attacker could recover passwords or other sensitive information used during the scan via both online and offline attacks.

Why add trusted certificate authorities

Here are some reasons:

1) Our scanner will verify SSL certificates presented to it when connecting to services used as part of scanning. For example, connecting over SSL to an authentication vault to obtain login/password information during authenticated scans. SSL verification is required to connect to the Thycotic Secret Server password vault. If the password vault is configured with a certificate issued by a private certificate authority, import the custom root CA to your subscription to ensure successful connectivity. This example also applies when SSL is used to connect to the Hitachi ID PAM password vault and for VMware authentication.

2) Another use during scanning is to validate the private certificate of an internal web server available over https.

3) If you don't import your trusted certificate authorities, our scanner may flag your valid, internally trusted SSL certificates and services as invalid.

How to add trusted certificate authorities

Go to Scans > Setup > Scanner Trusted CA.

Click the Browse button and import a trusted certificate authority. The certificate file must contain a single X509v3 signed certificate in PEM format enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----". The certificate files typically have an extension ".pem".

Once imported, the authority will be listed at the top of the page. Click on any authority in the list to view details, including information about the issuer of the certificate, the time frame for when the certificate is considered valid and the MD5 and SHA1 fingerprints used by the scanner for SSL verification.

How to remove a certificate authority

Simply select the certificate authority in the list and click the Remove button. The certificate authority will be removed from the database and will no longer be used for SSL verification.

What if the CA certificate is expired?

Expired CA certificates are highlighted in red for quick identification. If an expired CA certificate is used, SSL verification will fail. QID 38167 "SSL Certificate - Expired" will be reported in your vulnerability scan results if an expired custom CA certificate is used during vulnerability assessment tests. (Note that this QID is not reported for a failed connection to a password vault due to an expired certificate.)
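A pre-import check for the file format described under "How to add trusted certificate authorities" and for the expiry caveat above, added here as an example (it is not Qualys code and not part of this documentation): it confirms the file holds exactly one PEM CERTIFICATE block that is X.509 v3 and currently inside its validity period, and derives the MD5/SHA1 fingerprints the Scanner Trusted CA page lists. It uses only the Python standard library; the function names are my own, and sample_ca_pem() builds a constructed, unsigned certificate skeleton purely to exercise the checks (it does not verify the signature or CA basic constraints).

```python
# Stdlib-only pre-upload check; the function names are my own, not a Qualys API.
import base64, hashlib, re
from datetime import datetime, timezone
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der_blocks(text):           # DER bytes of every CERTIFICATE block in the file
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(text)]
def _tlv(buf, off):                    # read one DER tag-length-value -> (tag, value, next offset)
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                  # long-form length (real certificates need this)
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length
def _asn1_time(tag, raw):              # 0x17 UTCTime (YYMMDD...), 0x18 GeneralizedTime (YYYYMMDD...)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)
def version_and_validity(der):
    """Walk Certificate -> tbsCertificate as far as the Validity field."""
    _, tbs, _ = _tlv(_tlv(der, 0)[1], 0)
    tag, val, off = _tlv(tbs, 0)       # [0] EXPLICIT version if present, else serialNumber
    version = val[-1] + 1 if tag == 0xA0 else 1          # v3 is encoded as INTEGER 2
    for _ in range(3 if tag == 0xA0 else 2):             # skip serialNumber (if unread), sigalg, issuer
        _, _, off = _tlv(tbs, off)
    _, validity, _ = _tlv(tbs, off)
    t1, not_before, o = _tlv(validity, 0)
    t2, not_after, _ = _tlv(validity, o)
    return version, _asn1_time(t1, not_before), _asn1_time(t2, not_after)
def fingerprints(der):                 # MD5/SHA1 of the DER, colon-separated as the UI lists them
    return {a: ":".join(f"{b:02X}" for b in hashlib.new(a, der).digest()) for a in ("md5", "sha1")}
def check_ca_file(text, now=None):
    """Problems that would make the import or later SSL verification fail; [] means ready."""
    now = now or datetime.now(timezone.utc)
    ders = pem_to_der_blocks(text)
    if len(ders) != 1:
        return [f"expected exactly one CERTIFICATE block, found {len(ders)}"]
    version, not_before, not_after = version_and_validity(ders[0])
    problems = [] if version == 3 else [f"X.509 v{version}, not v3"]
    if not not_before <= now <= not_after:
        problems.append(f"outside validity window {not_before:%Y-%m-%d} to {not_after:%Y-%m-%d}")
    return problems
def _der(tag, body):                   # short-form lengths suffice for the constructed sample
    return bytes([tag, len(body)]) + body
def sample_ca_pem(not_after="300101000000Z", version=3):
    """CONSTRUCTED input: a structurally valid Certificate skeleton with no real signature."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")))     # sha256WithRSAEncryption
    validity = _der(0x30, _der(0x17, b"200101000000Z") + _der(0x17, not_after.encode()))
    tbs = _der(0xA0, _der(0x02, b"\x02")) if version == 3 else b""
    tbs += _der(0x02, b"\x01") + alg + _der(0x30, b"") + validity          # serial, sigalg, issuer, validity
    cert = _der(0x30, _der(0x30, tbs) + alg + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(cert).decode()
```

Run check_ca_file() over the contents of your .pem file before uploading; an empty list means the format and validity checks pass.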