A customer reported a weak SSL certificate from ControlUp (SHA1, wrong hostname, self-signed) and asked if any issues may surface when switching to a trusted, SHA256 certificate with the correct hostname. It was suggested that the certificate switch should work without any issues, but the current COP version, certificate name, and file were requested for confirmation. It was later established that the certificate deployed with Console, Monitor, and Agent was the culprit, and that the old certificate just needs to be replaced.
Read the entire ‘Replacing a Weak SSL Certificate from ControlUp’ thread below:
At a customer, the security team ran a vuln scan (Nessus) on the on-prem components.
The findings are that the COP SSL cert uses a weak hashing algorithm (sha1), has a wrong hostname, cannot be trusted, and finally it’s a self-signed cert.
In our lab we switched to a trusted, sha256 cert with the correct hostname without any hassle.
Can you think of issues I am overlooking at the moment?
Users are able to start CU Console without issues. Monitors also seem to be working fine after "reboot"…
Hi @member, I can’t think of any issue doing so… @member should be able to have a more official answer
Thank you very much, sir!
Merry Christmas to you and your whole family.
Thanks Markus! Enjoy the holidays
And see you soon 😉
@member @member this sounds ok to me – just to verify – what is the COP version? What is the name of the certificate?
COP version is 8.6.5.14.
The friendly name of the certificate is "ControlUp Server"
Who created it?
The COP installer @member
It’s the default one that you need to trust at console launch
I guess the COP Installer!?
Lod is wrong afair 😄
It was 2015 maybe Avner created it back in the days 😄 (just kidding here)
Lod used to be right 🙂
I’d bet on @member 🙂😁
Or @member after a party 😉
But if I trust our HR, @member was also there since he started 1/1/2015
From r&d:
It can’t be the installer, there we have a new 256 hash algo. certificate: ControlUp_Inc_Code_Signing for code signing.
I am pretty sure they are talking about a certificate we deploy with either console and/or the monitor and/or the agent.
We need more info. Can they send you the exported certificate file?
This will help me investigate…
The COP server is nothing more than an IIS web server hosting web services. Everything works on HTTPS with a self-signed certificate. In fact the first time you launch the console you get this warning about the untrusted certificate. Most people ignore the message and never see it again.
That said, it’s just IIS. Install a new cert that is valid and switch over to it. I’ve had many customers do this.
FYI, you’ll see the "Approved Certificate" here: HKEY_CURRENT_USER\Software\Smart-X\ControlUp\ApprovedCertificate
Close the console, delete that key, relaunch it and you’ll get ☝️ prompt again.
You’ll also get that same prompt if using a proxy with SSL inspection from a machine that doesn’t have the proxy cert installed.
What @member says!
Thanks.