0

So, I've been dealing with a recurring problem with my workstations self-generating certificates. They're appearing in the "Personal" certificate store. Even after I manually delete them from the machines, they inevitably keep returning.

  • We do not use self-signed certificates for anything. All our certs come from a verified CA.
  • It's not the Splunk Heartbleed vulnerability.

This is a vulnerability that keeps popping up on our Nessus scans, and I'm trying to understand what causes the workstation to generate it's own certificate. Is there a particular event? Is there a way to stop it? I've been researching this to exhaustion, and I can't get a clear answer.

Have any of you ran into this problem?

Eric Gibson
  • 93
  • 1
  • 8
  • 1
    What OS is running on the workstations? What is your environment? A little more details would be helpful. – Gerald Schneider Jul 20 '18 at 05:10
  • To which Personal certificate store you refer to? The one for the User account, or the Computer account? You have to figure out what service is generating it and get rid of that service (if it's an unwanted one) or reconfigure it to disable the auto-generation. – bcs78 Jul 20 '18 at 08:43
  • We're running Windows 10 1607 workstations, and it's the Computer account certificates--not the user certs. As far as the service generating it, that's what I'm trying to figure out. The properties of the certificate don't appear to give any indication as to what exactly is causing the certificate to be generated. – Eric Gibson Jul 20 '18 at 22:34
  • 1
    What are the properties of the certificates? I have several system generated certs in my PC, and the issuer is "MS-Organization-P2P-Access" and similar. – OzPHB Jul 21 '18 at 02:56
  • 1
    Also, what exactly is the Nessus scan saying is wrong? Nessus will report incorrect chains of trust, but if that's what you are trying to troubleshoot the issue is almost certainly not arising because self-signed certs appear on your workstations – OzPHB Jul 21 '18 at 03:11
  • Here's the output from Nessus: "The following certificate was at the top of the certificate chain sent by the remote host, but it is signed by an unknown certificate authority: Subject: [computer name] | Issuer: [computer name]" – Eric Gibson Jul 23 '18 at 13:04
  • I can remote to the computer in question, and I see exactly what Nessus is referring to. Now, it's in the Remote Desktop folder. – Eric Gibson Jul 23 '18 at 13:06

2 Answers2

1

When you connect to a machine via Remote Desktop, it has to generate a certificate to use in authenticating that connection. By default, these certificates are self-signed.

(I am baffled as to why these certificates were initially showing up in the Personal store rather than the Remote Desktop store.)

Anyway, this isn't exactly a false positive. Using unsigned certificates does potentially expose you to MitM attacks against your Remote Desktop connections. You will need to consider whether or not this is an acceptable level of risk.

KB2001849 describes how to install a properly signed certificate.

This article from Let's Encrypt describes how to generate and install a Let's Encrypt certificate. (NB: this was written for Windows Server; I am not sure whether or not it will also work on a Windows 10 client.)

Harry Johnston
  • 5,875
  • 4
  • 35
  • 52
0

AFAIK all PCs will auto-generate their own certificates. This is so that they have a certificate they can use whenever certificates are required and haven't otherwise been configured. HTTPS for instance.

If you are not using self-signed certs for important authentication purposes, then they do no harm at all.

Your scans are giving you a false positive.

OzPHB
  • 239
  • 2
  • 8
  • Such certificates wouldn't show up as personal certificates. – Gerald Schneider Jul 20 '18 at 07:56
  • Well, I'm not sure if I think it's completely a false positive: I can literally SEE the certificate in the certificate store. For example, it's listed under the Personal certificate store for the workstation as the "Issued To" being the same value as "Issued By"...the workstation. It might not necessarily be something that could easily be exploited--granted--but I'd still like to understand what's causing it to be generated. – Eric Gibson Jul 20 '18 at 22:38
  • I know it has SOMETHING to do with SSL. Which would suggest that it's related to some kind of HTTPS function or setting, I just can't figure out what... – Eric Gibson Jul 20 '18 at 22:40