During a penetration test, you have determined that the SSL certificates used on a company's web server are self-signed and have been expired for 6 months. What would be the most appropriate recommendation to include in your report to improve their certificate management practices?
Implement a web application firewall (WAF) to secure the server and mitigate the need for a trusted certificate.
Renew the self-signed certificates to extend their validity period so that users no longer receive security warnings.
Request an exception from browsers' certificate warning lists to avoid security warnings about the self-signed certificates.
Replace self-signed certificates with certificates issued by a trusted Certificate Authority (CA), and implement a process to check and renew certificates before they expire.
Expired, self-signed certificates on a public-facing server are a significant security finding. Browsers cannot validate such a certificate against any root of trust, so users are trained to click through the resulting warnings, which makes a man-in-the-middle attack that presents an attacker's own self-signed certificate indistinguishable from normal operation; the warnings also damage the organization's credibility with its users. The correct recommendation is to replace the expired, self-signed certificates with certificates issued by a trusted Certificate Authority (CA): a CA-issued certificate lets clients verify the server's identity through a third party they already trust, which a self-signed certificate cannot provide regardless of its validity period. Pairing that with routine expiry checks and a managed (ideally automated) renewal process prevents certificates from lapsing unnoticed again. The other options do not address the root cause: a WAF does not authenticate the server to clients, renewing a self-signed certificate leaves it just as untrusted, and browsers maintain no exception list that an organization can request to be added to.
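As an added illustration of the "routine checks" part of the recommendation (this is example code, not part of the original question or its source), the script below audits a certificate for the two facts the report hinges on: whether it is self-signed and how far it is from expiry. It uses only the Python standard library and works on the dictionary shape that `ssl.SSLSocket.getpeercert()` returns, so the same function can be fed the constructed sample certificates embedded here or a live server's certificate. The 30-day renewal threshold, the sample certificates and the pinned clock are assumptions for illustration.

```python
# Added example (not from the original page): stdlib-only certificate audit.
import socket
import ssl
from datetime import datetime, timezone

RENEW_WITHIN_DAYS = 30  # assumed policy: flag anything expiring within 30 days


def _dn(rdns):
    """Flatten getpeercert()'s nested RDN tuples into {'commonName': ..., ...}."""
    return {attr: value for rdn in rdns for attr, value in rdn}


def audit_cert(cert, now=None):
    """Return the findings a pentester would report for one certificate dict."""
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]),
                                       timezone.utc)
    days_left = (not_after - now).days
    subject, issuer = _dn(cert["subject"]), _dn(cert["issuer"])
    findings = []
    # Issuer DN equal to subject DN is the usual proxy for "self-signed";
    # a strict check would verify the signature with the cert's own key.
    if subject == issuer:
        findings.append("self-signed (issuer equals subject)")
    if days_left < 0:
        findings.append(f"expired {-days_left} days ago")
    elif days_left < RENEW_WITHIN_DAYS:
        findings.append(f"expires in {days_left} days; renew now")
    return {"cn": subject.get("commonName"), "days_left": days_left,
            "findings": findings}


def check_server(host, port=443, now=None):
    """Live check against the system trust store. A valid CA-issued cert is
    audited for upcoming expiry; one the store rejects (expired, self-signed,
    wrong name, ...) is reported with OpenSSL's verify message instead, since
    getpeercert() returns nothing useful once verification has failed."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return audit_cert(tls.getpeercert(), now)
    except ssl.SSLCertVerificationError as exc:
        return {"cn": host, "days_left": None,
                "findings": [f"rejected by trust store: {exc.verify_message}"]}


# Constructed samples in getpeercert() shape; the clock is pinned to make the
# results reproducible. "Jun  1 2024" is 183 days (about 6 months) before NOW.
NOW = datetime(2024, 12, 1, tzinfo=timezone.utc)
EXPIRED_SELF_SIGNED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "www.example.com"),),),
    "notAfter": "Jun  1 00:00:00 2024 GMT",
}
CA_ISSUED_EXPIRING_SOON = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example CA R1"),)),
    "notAfter": "Dec 11 00:00:00 2024 GMT",
}
CA_ISSUED_HEALTHY = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example CA R1"),)),
    "notAfter": "Jun 19 00:00:00 2025 GMT",
}

if __name__ == "__main__":
    import sys
    for name, cert in [("expired self-signed", EXPIRED_SELF_SIGNED),
                       ("expiring soon", CA_ISSUED_EXPIRING_SOON),
                       ("healthy", CA_ISSUED_HEALTHY)]:
        print(name, audit_cert(cert, NOW))
    if len(sys.argv) > 1:  # e.g. python3 cert_audit.py www.example.com
        print(check_server(sys.argv[1]))
```

Run unattended (cron, a CI job, or a monitoring check) against each public hostname, `check_server()` gives the early warning the recommendation calls for: a cert that the trust store still accepts but that enters the renewal window is flagged before clients start seeing errors, and a cert the store already rejects is reported with the reason OpenSSL gives. Use a verified handshake for this rather than disabling verification, since an unverified connection cannot tell you whether clients would trust the certificate.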