The webserver is badly configured regarding revoked certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) make sure, that users can verify the integrity of a server certificate.

Security Assessment

Security Assessment Configure Trusted Certificates

CVSS Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Vulnerability Information

The web server is badly configured regarding revoked certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) make sure, that users can verify the integrity of a server certificate. If your certificate is compromised, these techniques allow you respectively your certificate authority (CA) to revoke the compromised certificate. Therefore you can issue a new (valid) certificate and the compromised certificate (used by an attacker) will produce warnings when a user accesses their website.

OCSP is the newer method to revoke certificates, as it allows certificate authorities to revoke certificates much faster without the need to update complete revocation lists potentially containing thousands of certificates

Guides

Use one of the following guides to making sure that your certificates can be revoked properly:

Enable OCSP

Unfortunately, you cannot enable OCSP solely on your own. Your certificate authority needs to operate the OCSP server and store the certificate information there. If your CA does not offer OCSP, think of switching to a CA that supports this feature. If your CA supports OCSP, follow these guides to create a certificate with OCSP enabled.

OCSP Stapling

OCSP stapling is an addition to OSCP, where the webserver retrieves the OCSP answer from the OCSP server which contains a signed timestamp. This answer is sent to the client on the original request. Therefore the client does not need to send an additional request to the OCSP server. This increases the privacy of the users as the CA does not get requests from your users who are accessing your web application.

Let’s Encrypt

With Let’s Encrypt it is very easy to enable OCSP stapling. When creating a new certificate just add the –staple-ocsp flag. If your certificates are already generated by Let’s Encrypt, just run the same command and choose “Attempt to reinstall this existing certificate” as the first option. This will reuse your certificate and just enable OCSP stapling.

certbot run -d [DOMAIN] --staple-ocsp --hsts

Apache

On Apache, you need to get the full certificate chain from your certificate authority and store them in the file/etc/ssl/ca-certs.pem. Then update your SSL configuration to include theSSLStaplingCache,SSLCACertificateFileandSSLUseStapling directives:

<IfModule mod_ssl.c>
    SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
    <VirtualHost *:443>
            Header always set Strict-Transport-Security "max-age=31536000"

            ServerAdmin webmaster@localhost
            ServerName example.com
            DocumentRoot /var/www

            SSLEngine on

            SSLCertificateFile /etc/apache2/ssl/example.com/apache.crt
            SSLCertificateKeyFile /etc/apache2/ssl/example.com/apache.key

            SSLCACertificateFile /etc/ssl/ca-certs.pem
            SSLUseStapling on
    </VirtualHost>
</IfModule>

Nginx

On Nginx you need to get the full certificate chain from your certificate authority and store them in the file /etc/ssl/ca-certs.pem. Then update your SSL configuration to include the ssl_stapling, ssl_stapling_verify and ssl_trusted_certificate directives:

server {
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; ";

        listen   443;
        server_name example.org;

        root /usr/share/nginx/www;
        index index.html index.htm;

        ssl on;
        ssl_certificate /etc/nginx/ssl/example.org/server.crt;
        ssl_certificate_key /etc/nginx/ssl/example.org/server.key;

        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/ssl/private/ca-certs.pem;
}

Scan for free now