
Info: Using Director to Detect Problems with Certificate Root Chains

Director logs five events during Network Discovery or Network Validation that can be used to inform product Administrators when Director detects problems with the root chains of certificates.

Events:

Hexadecimal Event ID   Event Name
0007000F               Discovery - Discovery Analysis
00070041               Discovery - Certificate Trust Chain Error
00070042               Discovery - Certificate Chain Error
0009005A               Certificate Manager - Validation Scan Certificate Trust Chain Error
0009005B               Certificate Manager - Validation Scan Certificate Chain Error
00090074               Certificate Manager - Validation Scan Certificate Chain Missing

Discovery - Discovery Analysis

This event is logged for every certificate found during a network discovery scan.

Sample Event Description:
The discovery service module received a response on 192.168.1.25:443 with the protocol HTTPS (Secure Hypertext Transfer Protocol) and a certificate count of 3, for Discovery \VED\Discovery\Network Scan.

Event Explanation
This event logs how many certificates Director receives in the trust chain for every certificate it discovers. If the certificate count is equal to 1, the server hosting the certificate provided no root chain. A notification rule can be created to notify the System Administrator and/or the Discovery Job Contact so that corrective action can be taken to ensure that SSL certificates are installed properly on servers within the organization's environment.
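As an added example (not part of the article, and not Director's own notification rule engine), the following Go program parses Discovery Analysis event descriptions in the format of the sample above, as they might be exported to a log pipeline, and lists the endpoints whose server returned a single certificate, which is the condition a notification rule would key on. The regular expression assumes the exact wording shown in the sample event; the event descriptions after the first one are constructed.

```go
package main

import (
	"regexp"
	"strconv"
)

// DiscoveryHit is what a notification rule needs from a "Discovery Analysis" event.
type DiscoveryHit struct {
	Host, Port, Protocol string
	CertCount            int
}

// discoveryRe matches the description format of the article's sample event; other
// Director versions may word it differently, so treat the pattern as an assumption.
var discoveryRe = regexp.MustCompile(`received a response on ([^:\s]+):(\d+) with the protocol (\S+) .*certificate count of (\d+)`)

// ParseDiscoveryEvent extracts host, port, protocol and certificate count from an
// event description; ok is false for any line that is not a Discovery Analysis event.
func ParseDiscoveryEvent(desc string) (hit DiscoveryHit, ok bool) {
	m := discoveryRe.FindStringSubmatch(desc)
	if m == nil {
		return DiscoveryHit{}, false
	}
	n, err := strconv.Atoi(m[4])
	if err != nil {
		return DiscoveryHit{}, false
	}
	return DiscoveryHit{Host: m[1], Port: m[2], Protocol: m[3], CertCount: n}, true
}

// MissingChainEndpoints returns "host:port" for every event whose server sent exactly
// one certificate, i.e. no chain at all; this is the condition the article suggests
// driving a notification rule from.
func MissingChainEndpoints(descs []string) []string {
	var out []string
	for _, d := range descs {
		if hit, ok := ParseDiscoveryEvent(d); ok && hit.CertCount == 1 {
			out = append(out, hit.Host+":"+hit.Port)
		}
	}
	return out
}

// SampleEvents: the first line is the article's sample event; the others are constructed.
var SampleEvents = []string{
	`The discovery service module received a response on 192.168.1.25:443 with the protocol HTTPS (Secure Hypertext Transfer Protocol) and a certificate count of 3, for Discovery \VED\Discovery\Network Scan.`,
	`The discovery service module received a response on 192.168.1.40:443 with the protocol HTTPS (Secure Hypertext Transfer Protocol) and a certificate count of 1, for Discovery \VED\Discovery\Network Scan.`,
	`The discovery service module received a response on 192.168.1.41:8443 with the protocol HTTPS (Secure Hypertext Transfer Protocol) and a certificate count of 1, for Discovery \VED\Discovery\Network Scan.`,
	`The Certificate Trust Chain found during a Network Scan of Host: 192.168.1.25 on Port: 443, could not be verified.`,
}
```

Lines that are not Discovery Analysis events (the last sample is a Trust Chain Error description) are ignored rather than miscounted, so the same filter can run over a mixed export of the Director event log.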


Discovery - Certificate Trust Chain Error

This event is logged during a Network Discovery Job when the following two conditions are true:

  • The server hosting the certificate includes a trust chain with the certificate.
  • Director's inspection of the validity of the trust chain fails for one or more reasons.

Sample event description
The Certificate Trust Chain found during a Network Scan of Host: 192.168.1.25 on Port: 443, could not be verified. Certificate Subject: CN=sample.contoso.com, OU=Contoso, Inc. Signing Certificate Details: [Certificate Details Included in Event Log]

Event Explanation
Director places the certificates in the chain in the proper order and attempts to validate the chain. Director performs two primary checks. The first verifies that the digital signature on each certificate was produced by the private key of the issuing certificate. The second validates that each certificate's Issuer matches the common name of the signing certificate. If either check fails, the event is logged.

Discovery - Certificate Chain Error

This event is logged during a Network Discovery Job when the following two conditions are true:

  • The server hosting the certificate includes a trust chain with the certificate.
  • One of the certificates in the trust chain expires before the end entity certificate.

Sample event description
Certificate found during a Network Scan of Host: 192.168.1.25 on Port: 443, has an expiration date greater than the expiration of one of the signing certificates presented in the certificate chain.  Certificate: CN=sample.contoso.com, OU=Contoso, Inc.  Signing Certificate Details: [Certificate Details Included in Event Log]

Event Explanation
This event is logged if any certificate in the certificate chain expires before the end entity certificate discovered during the network scan. The details of the root certificate that expires early are included in the event details.

See Also
https://support.venafi.com/entries/40894328-How-To-Create-Notification-for-Chain-Expiration-Problems

Certificate Manager - Validation Scan Certificate Trust Chain Error

This event is logged during a Network Validation check when the following two conditions are true:

  • The server hosting the certificate includes a trust chain with the certificate.
  • Director's inspection of the validity of the trust chain fails for one or more reasons.

Sample Event Description
The Certificate Trust Chain found during a Network Validation Scan of Host: 192.168.1.25 on Port: 443, could not be verified. Certificate Subject: CN=sample.contoso.com, OU=Contoso, Inc. Signing Certificate Details: [Certificate Details Included in Event Log]

Event Explanation
Director places the certificates in the chain in the proper order and attempts to validate the chain. Director performs two primary checks. The first verifies that the digital signature on each certificate was produced by the private key of the issuing certificate. The second validates that each certificate's Issuer matches the common name of the signing certificate. If either check fails, the event is logged.

Certificate Manager - Validation Scan Certificate Chain Error

This event is logged during a Network Validation check when the following two conditions are true:

  • The server hosting the certificate includes a trust chain with the certificate.
  • One of the certificates in the trust chain expires before the end entity certificate.

Sample event description
Certificate found during a Network Validation Scan of Host: 192.168.1.25 on Port: 443, has an expiration date greater than the expiration of one of the signing certificates presented in the certificate chain.  Certificate: CN=sample.contoso.com, OU=Contoso, Inc.  Signing Certificate Details: [Certificate Details Included in Event Log]

Event Explanation
This event is logged if any certificate in the certificate chain expires before the end entity certificate checked during the network validation of a managed certificate in Director. The details of the root certificate that expires early are included in the event details.

See Also
https://support.venafi.com/entries/40894328-How-To-Create-Notification-for-Chain-Expiration-Problems

Certificate Manager - Validation Scan Certificate Chain Missing

This event is logged during a Network Validation check when the following two conditions are true:

  • The server does not provide a trust chain with the certificate.
  • The certificate is not a self-signed certificate.

Sample event description
No Certificate Trust Chain was found during a Network Validation of Host: 192.168.1.25 on Port: 443. Certificate Details: [Certificate Details Included in Event Log]

Event Explanation
This event is logged if, during network validation, the server does not include a root chain with the certificate in the SSL handshake. This can occur if the certificate is misconfigured on the server or if the certificate was issued directly from a Root Certificate Authority (bad PKI practice) instead of an Intermediate Certificate Authority (best practice).
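The following Go program is an added example, not Director's code. It reimplements the checks the article describes for the Trust Chain Error and Chain Error events (signature verified under the issuing certificate's key, Issuer matching the signing certificate's Subject, and no signing certificate expiring before the end-entity certificate) together with the Chain Missing condition above (a single certificate that is not self-signed), and it mints constructed test chains with Go's crypto/x509 so that each finding can be exercised offline. The CA names, the use of the full Subject/Issuer DN for the name comparison, and the leaf-to-root walk are assumptions for the example; how Director orders and compares certificates internally is not documented on this page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Findings, named after the article's events.
const (
	ChainMissing    = "Certificate Chain Missing"     // one cert sent and it is not self-signed
	TrustChainError = "Certificate Trust Chain Error" // signature or issuer-name check failed
	ChainError      = "Certificate Chain Error"       // a signing cert expires before the leaf
)

// issuerOf returns the presented certificate whose Subject matches cert's Issuer, or nil.
func issuerOf(cert *x509.Certificate, presented []*x509.Certificate) *x509.Certificate {
	for _, c := range presented {
		if c != cert && c.Subject.String() == cert.Issuer.String() {
			return c
		}
	}
	return nil
}

// InspectChain runs the checks over a non-empty chain as the server presented it (leaf first), walking leaf to root by Issuer/Subject matching.
func InspectChain(presented []*x509.Certificate) []string {
	leaf := presented[0]
	if len(presented) == 1 {
		if leaf.Issuer.String() == leaf.Subject.String() && leaf.CheckSignature(leaf.SignatureAlgorithm, leaf.RawTBSCertificate, leaf.Signature) == nil {
			return nil // a lone self-signed certificate is complete on its own
		}
		return []string{ChainMissing} // certificate count of 1, chain expected but not sent
	}
	var out []string
	trust, expiry, placed := true, true, 1
	for cert := leaf; placed < len(presented); placed++ {
		signer := issuerOf(cert, presented)
		if signer == nil {
			break
		}
		trust = trust && signer.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil // Check 1: signature under the signer's key
		expiry = expiry && !signer.NotAfter.Before(leaf.NotAfter)                                                     // Check 3: signer must outlive the leaf
		cert = signer
	}
	// Check 2: every presented certificate must be reachable through Issuer/Subject matching.
	if !trust || placed < len(presented) {
		out = append(out, TrustChainError)
	}
	if !expiry {
		out = append(out, ChainError)
	}
	return out
}

// newCert mints a constructed test certificate; parent == nil makes it self-signed.
func newCert(cn string, notAfter time.Time, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"Contoso, Inc."}},
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Scenarios builds constructed sample chains keyed by name (no real CA or server involved).
func Scenarios() map[string][]*x509.Certificate {
	now := time.Now()
	root, rootKey := newCert("Contoso Root CA", now.AddDate(10, 0, 0), true, nil, nil)
	ica, icaKey := newCert("Contoso Issuing CA", now.AddDate(5, 0, 0), true, root, rootKey)
	leaf, _ := newCert("sample.contoso.com", now.AddDate(1, 0, 0), false, ica, icaKey)
	shortICA, shortKey := newCert("Contoso Short CA", now.AddDate(0, 6, 0), true, root, rootKey)
	shortLeaf, _ := newCert("sample.contoso.com", now.AddDate(1, 0, 0), false, shortICA, shortKey)
	lookalike, _ := newCert("Contoso Issuing CA", now.AddDate(5, 0, 0), true, root, rootKey) // same name, other key
	selfSigned, _ := newCert("sample.contoso.com", now.AddDate(1, 0, 0), false, nil, nil)
	return map[string][]*x509.Certificate{
		"good":            {leaf, ica, root},
		"missing":         {leaf},                  // server omitted its chain
		"self-signed":     {selfSigned},            // alone, but legitimately so
		"expires-early":   {shortLeaf, shortICA, root},
		"wrong-signer":    {leaf, lookalike, root}, // name check passes, signature check fails
		"issuer-mismatch": {leaf, root},            // leaf's Issuer names no presented certificate
	}
}
```

Two design choices are worth noting. The name comparison uses the whole distinguished name rather than only the common name, which is stricter than the article's description but avoids treating two differently-named CAs with the same CN as one issuer. A chain whose server sends the leaf and intermediate but not the root is not flagged, since every presented certificate is still reachable by name; only certificates that are presented but cannot be placed raise the Trust Chain Error finding.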

