SSL Certificate Fails to Adhere to Basic Constraints / Key Usage Extensions


billbowling said 1 year, 8 months ago:

Last week all our e-commerce sites failed for PCI compliance. Below is what they all failed for. We have not made any changes for many months on any of the sites. Is this a Go-Daddy SSL problem? We did reinstall the cert on one server with no help. If you look at the cert/details it does show a yellow caution icon on both Basic Constraints and Key Usage. I have contacted go-daddy but have not heard back from them. Thanks. Bill

Vulnerability Detail
Device http://www.xxxxxx.com ()

Vulnerability SSL Certificate Fails to Adhere to Basic Constraints / Key Usage Extensions
Port 443/tcp
Scan Date 02-OCT-2011 22:24

Other
Synopsis :

An X.509 certificate in the chain used by this service fails to
adhere to all of its basic constraints and key usage extensions.

Description :

An X.509 certificate sent by the remote host contains one or more
violations of the restrictions imposed on it by RFC 3280. This means
that either a root or intermediate Certificate Authority signed a
certificate incorrectly.

Certificates that fail to adhere to the restrictions in their
extensions may be rejected by certain software. The existence of such
certificates indicates either an oversight in the signing process, or
malicious intent.

See also :

http://www.ietf.org/rfc/rfc3280.txt

Solution :

Alter the offending certificate’s extensions and have it signed
again.

Risk factor :

Medium / CVSS Base Score : 6.4
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

Plugin output :
|-Country: US
|-Organization: The Go Daddy Group, Inc.
|-Organization Unit: Go Daddy Class 2 Certification Authority
|-
|-Basic Constraints: CA:TRUE
|
|-- *** ERROR:
|-- *** The issuing certificate is missing the key usage extension,
|-- *** which is required for all certificates that sign others.
|--Country: US
|--State/Province: Arizona
|--Locality: Scottsdale
|--Organization: GoDaddy.com, Inc.
|--Organization Unit: http://certificates.godaddy.com/repository
|--Common Name: Go Daddy Secure Certification Authority
|--2.5.4.5: 07969287
|--
|--Basic Constraints: CA:TRUE, pathlen:0
|--Key Usage: Key Cert Signature, CRL Signature
|
|---1.3.6.1.4.1.311.60.2.1.3: US
|---1.3.6.1.4.1.311.60.2.1.2: Georgia
|---2.5.4.15: V1.0, Clause 5.(b)
|---2.5.4.5: J106499
|---Country: US
|---State/Province: GA
|---Locality: Braselton
|---Organization: , Inc.
|---Common Name: www.
|---
|---Basic Constraints: CA:FALSE
|---Key Usage: Digital Signature, Key Encipherment


GoDaddy Expert christianh said 1 year, 8 months ago:

@billbowling

This is currently a known issue that we are aware of and are working to resolve. We appreciate your patience and understanding in this matter and apologize for the inconvenience.

–Christian


oaxlin said 1 year, 8 months ago:

I am receiving this same error. I contacted Go Daddy via phone and they had no clue as to what this was. I referred the support rep to this page (which I found via Google) and he assured me that the certificates were fine.

I then called McAfee for additional details. They sent me this.
-------------------------
PCI recently raised the severity for ‘SSL Certificate Fails to Adhere to Basic Constraints / Key Usage Extensions’ to 3. This is now ‘Critical’. McAfee does not rate or rank PCI vulnerabilities. The PCI Council using the industry standard CVSS2 rates and ranks all vulnerabilities as they pertain to PCI.
This is a ‘Man in the Middle’ (MitM). This vulnerability only affects ‘Internet Explorer’ (IE) and some minor browsers. This vuln does not affect Mozilla, Chrome, or Safari at this time.
General Description:
An X.509 certificate sent by the remote host contains one or more violations of the restrictions imposed on it by RFC 3280. This means that either a root or intermediate Certificate Authority signed a certificate incorrectly. Certificates that fail to adhere to the restrictions in their extensions may be rejected by certain software. The existence of such certificates indicates either an oversight in the signing process, or malicious intent.
Solution:
Alter the offending certificate’s extensions and have it signed again.
Please follow the below steps to test the vulnerability manually:
Use Internet Explorer.
Enter the URL using ‘https://’.
Click on the Browser tab: View
Click Security Report
Click on the Pop-Up ‘View Certificates’.
Click on the Details tab.
Cursor ‘Field’ to ‘Basic Constraints’
You may view the ‘Path Length Constraint=’
If the ‘Certificate Basic Constraints’ is set to False, Internet Explorer will not properly check the Certificate Authority.
‘Certificate Basic Constraints’ indicates ‘Path Length Constraint=’. This indicates how deep the Certificate Authority will be checked. If the ‘Path….’ is set to ‘1’, then the Certificate Authority above will be checked. However, if the browser checks and finds five Certificate Authorities, but ‘Path….’ is set to ‘1’, then there is a mismatch. Internet Explorer will accept the error and not warn, but other browsers will check and warn of the mismatch.
Please review the below link for more information:

http://www.ietf.org/rfc/rfc3280.txt
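As an added example (not from the thread or from Go Daddy), the following Python applies the RFC 3280 basic-constraints, key-usage and path-length checks that the scan output and the McAfee note above describe to a chain modelled on the plugin output. Certificate contents are constructed dicts rather than parsed X.509 objects, the CA names are the ones in the scan output, and the end-entity name is a placeholder.

```python
# Added example (not from the thread): RFC 3280 basicConstraints / keyUsage checks
# over a chain of constructed dicts holding the fields shown in the scan output.

def check_chain(chain):
    """chain is ordered root first, end entity last. Returns a list of error strings."""
    errors = []
    issuers = chain[:-1]  # every certificate except the leaf signs the one after it
    for depth, cert in enumerate(issuers):
        name = cert["subject"]
        bc = cert.get("basic_constraints")
        if not bc or not bc.get("ca"):
            errors.append(f"{name}: signs other certificates but is not CA:TRUE")
        # RFC 3280 4.2.1.3: CA certificates MUST carry keyUsage; 6.1.4: keyCertSign must be set.
        ku = cert.get("key_usage")
        if ku is None:
            errors.append(f"{name}: missing the key usage extension, "
                          "which is required for all certificates that sign others")
        elif "keyCertSign" not in ku:
            errors.append(f"{name}: key usage present but keyCertSign bit is not set")
        # pathlen limits how many further (non self-issued) CA certificates may follow
        # this one; the end-entity certificate is not counted.
        if bc and bc.get("pathlen") is not None:
            cas_below = len(issuers) - depth - 1
            if cas_below > bc["pathlen"]:
                errors.append(f"{name}: pathlen:{bc['pathlen']} but "
                              f"{cas_below} CA certificate(s) follow it")
    leaf = chain[-1]
    if (leaf.get("basic_constraints") or {}).get("ca"):
        errors.append(f"{leaf['subject']}: end-entity certificate is marked CA:TRUE")
    return errors

# Constructed chain mirroring the plugin output in the first post; the CA names are
# the ones shown there, the end-entity name is a placeholder.
GODADDY_CHAIN = [
    {"subject": "Go Daddy Class 2 Certification Authority",
     "basic_constraints": {"ca": True, "pathlen": None},
     "key_usage": None},  # the extension the scanner reported as missing
    {"subject": "Go Daddy Secure Certification Authority",
     "basic_constraints": {"ca": True, "pathlen": 0},
     "key_usage": {"keyCertSign", "cRLSign"}},
    {"subject": "www.example.com (placeholder)",
     "basic_constraints": {"ca": False, "pathlen": None},
     "key_usage": {"digitalSignature", "keyEncipherment"}},
]

if __name__ == "__main__":
    for line in check_chain(GODADDY_CHAIN) or ["chain passes the extension checks"]:
        print(line)
```

Note that RFC 3280 path validation itself does not examine the trust anchor's extensions; the scanner in this thread applied the key-usage requirement to the root as well, which is what the function above does.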


manuka said 1 year, 8 months ago:

Christian & GoDaddy,
I am experiencing this issue on all my SSL’s as well. Will information regarding a resolution be posted here once available? Is there an ETA? Thanks!

Craig


GoDaddy Expert adamr said 1 year, 8 months ago:

@oaxlin @manuka

I’ve checked with our SSL team and they are still working towards a resolution. Unfortunately, we do not have an ETA for when the issue will be resolved. We appreciate your patience.

-Adam


opsauditsdm said 1 year, 8 months ago:

Is there an update to this issue? I also have multiple domains failing PCI compliance due to this issue.

I have walked up the certificate issuer chain, and can see (or rather not see) the required Key Usage extensions at the gd-class2-root.crt level.

I have just again checked the Godaddy Certificate Chain Repository, and there have been no updates.


GoDaddy Expert chrisg said 1 year, 8 months ago:

@opsauditsdm,

Currently we have had no further updates from our SSL team in regard to this matter. If we have any new information, we will be sure to share this over the Go Daddy Community.

Christopher G.


peterf said 1 year, 7 months ago:

It has been over a month now. Any updates on this? Thanks.


billbowling said 1 year, 7 months ago:

I have not received any updates.

Bill


manuka said 1 year, 7 months ago:

How serious is this? Should I be purchasing SSL’s from somewhere else for now? If this is a big deal, I am surprised I have not seen more press on it.


peterf said 1 year, 7 months ago:

@manuka: Some PCI compliance scanners ignore this, and your Godaddy SSL would pass just fine; others, like McAfee, require you to have a certificate that abides by these new rules. So, right now it depends on who is scanning your servers. In our case, if Godaddy doesn’t move fast enough to fix this issue we would be forced to get an SSL from somewhere else.


billbowling said 1 year, 7 months ago:

I also might be forced to buy from someone else.

Bill


GoDaddy Expert adamr said 1 year, 7 months ago:

@Everyone

This error appears to be caused by some PCI scanners misinterpreting the standards for SSL certificates (specifically ones using our Valicert root certificate). One workaround you may want to try, to avoid this error, is to remove the Valicert cross-certificate from your web servers. In some cases, it might require that the certificate be re-keyed to one of our newer roots.

Please contact our SSL team directly at RA@GoDaddy.com or 480-505-8852 if you need additional assistance. Thanks!

-Adam


GoDaddy Expert adamr said 1 year, 7 months ago:

@Everyone

UPDATE:

We’ve been in contact with PCI scanning vendors and have been informed that the problem has been fixed on their end. New scans performed on sites using our SSL certificates should not fail with this problem.

You will not need to do anything with your SSL certificates to work around the referenced error. If you are still receiving this error, please contact our SSL team at RA@GoDaddy.com or 480-505-8852.

Thanks!

-Adam
