Self Signed Certificate Keystorage

Hello

Tenable scans are showing a vulnerability issue with the self signed certificates in the Program Files (x86)\BigFix Enterprise\BES Client\KeyStorage folder… Is there a way to modify the process of creating these self signed certs with a trusted root certificate? Other aspects of BigFix allow for the replacement of the self signed certs, such as in webreports and the webui. Hoping something exists for this use case.

You’re getting this message for each client?

The client certificates are issued by your Root Server, so they’re not going to be trusted (and normally shouldn’t be trusted) by anything other than the BES Client. They’re not used for any non-BigFix traffic or services, they’re used for authenticating the client and for encrypting secure parameters to the client.

I don’t think there’s a way to use custom, publicly-trusted certificates for this…but there may be a way to retrieve the root server’s issuing certificate and add it to Tenable’s trust list. Would that help in your situation?

(They’re also not issued to user accounts or DNS names, the ‘Subject’ of these certificates is the BigFix Client ID number…which leads me to think that even after trusting the BigFix Root Server CA, you may still just get a different warning from Tenable like the certificate Subject not matching the client hostname or something like that)
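The two findings described in the reply above (an issuer that is not in the scanner's trust store, and a Subject that is a Client ID rather than the hostname) can be checked locally before changing anything in Tenable. The script below is an added example, not code from the thread or from BigFix; it assumes the KeyStorage folder holds X.509 certificates in a form `X509Certificate2` can load (DER or base64), and the optional `-RootServerCaFile` parameter is a hypothetical path to an exported copy of the Root Server's issuing certificate.

```powershell
# Added example (not from the thread or from BigFix): inspect each certificate
# in the BES Client KeyStorage folder and report (1) whether a chain builds to
# a trusted root, optionally treating an exported Root Server CA as trusted,
# and (2) whether the Subject CN matches this host's DNS name.
param(
    # Folder named in the original question; assumption: files are loadable X.509 certs
    [string]$KeyStorage = "${env:ProgramFiles(x86)}\BigFix Enterprise\BES Client\KeyStorage",
    # Hypothetical: path to the exported Root Server issuing CA certificate
    [string]$RootServerCaFile
)

$hostName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Test-BesClientCert {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$ExtraRoot
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; revocation is not the question here
    if ($ExtraRoot) {
        # Emulate "add the Root Server CA to the scanner's trust list":
        # make the CA available for chain building and tolerate it not being in the machine root store
        $chain.ChainPolicy.ExtraStore.Add($ExtraRoot) | Out-Null
        $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    }
    $chainOk = $chain.Build($Cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    # Second finding from the reply: Subject is the BigFix Client ID, not a DNS name,
    # so a hostname comparison is expected to fail even once the CA is trusted
    $cn = $Cert.GetNameInfo('SimpleName', $false)
    [pscustomobject]@{
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        ChainBuilds   = $chainOk
        ChainStatus   = if ($status) { $status } else { 'OK' }
        CnMatchesHost = ($cn -ieq $hostName)
        NotAfter      = $Cert.NotAfter
    }
}

$extraRoot = $null
if ($RootServerCaFile) {
    $extraRoot = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $RootServerCaFile
}

Get-ChildItem -Path $KeyStorage -File -Recurse | ForEach-Object {
    try {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $_.FullName
        Test-BesClientCert -Cert $cert -ExtraRoot $extraRoot |
            Add-Member -NotePropertyName File -NotePropertyValue $_.Name -PassThru
    } catch {
        # Skip files X509Certificate2 cannot parse (for example key material rather than a certificate)
    }
} | Format-List
```

Run it once without `-RootServerCaFile` to reproduce the untrusted-root result, then again with the exported CA to see which finding would remain.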

Please share any info you may have about trying to resolve this. The idea of adding the root server issuing cert to Tenable’s trust list sounds promising. Yes, we have seen the second issue you mentioned about the subject name.

If I need to open a support ticket to get the details, please let me know. Thank you for your quick reply.

I would be interested in this as well.