SSL Certificate Chain Contains RSA Keys Less Than 2048 bits (PCI DSS)

Nessus Plugin ID 73459 (severity: medium)

Synopsis

The X.509 certificate chain used by this service contains certificates with RSA keys shorter than 2048 bits.

Description

At least one of the X.509 certificates sent by the remote host has an RSA key that is shorter than 2048 bits. According to industry standards set by the Certification Authority/Browser (CA/B) Forum, certificates issued after January 1, 2014 must have keys of at least 2048 bits.

Some browser SSL implementations may reject keys shorter than 2048 bits after January 1, 2014. Additionally, some SSL certificate vendors may revoke certificates with keys shorter than 2048 bits before January 1, 2014.

Note that Nessus will not flag root certificates with RSA keys less than 2048 bits if they were issued prior to December 31, 2010, as the standard considers them exempt.
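The check described above, written out as an added example that is not Tenable's plugin code: it walks a certificate chain, flags RSA keys under 2048 bits, and exempts self-signed roots issued on or before December 31, 2010. It uses the Python `cryptography` library; the chain is constructed inline (a 2048-bit leaf, a 1024-bit intermediate issued in 2015, and a 1024-bit root issued in 2009), and the `make_cert` helper and the names in it are assumptions for the demo.

```python
# Added example, not Tenable's plugin code: apply this plugin's rule to a
# constructed certificate chain using the 'cryptography' library.
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

MIN_RSA_BITS = 2048
# Self-signed roots issued on or before this date are exempt, as the plugin notes.
ROOT_EXEMPT_CUTOFF = dt.datetime(2010, 12, 31, tzinfo=dt.timezone.utc)

def not_before_utc(cert):
    """Return notBefore as an aware UTC datetime across library versions."""
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc
    return cert.not_valid_before.replace(tzinfo=dt.timezone.utc)

def weak_rsa_in_chain(chain):
    """Return [(subject, bits)] for each certificate the plugin would flag."""
    findings = []
    for cert in chain:
        pub = cert.public_key()
        if not isinstance(pub, rsa.RSAPublicKey):
            continue  # only RSA keys are covered by this check
        if pub.key_size >= MIN_RSA_BITS:
            continue
        is_root = cert.issuer == cert.subject
        if is_root and not_before_utc(cert) <= ROOT_EXEMPT_CUTOFF:
            continue  # legacy root, exempt
        findings.append((cert.subject.rfc4514_string(), pub.key_size))
    return findings

def make_cert(cn, key, issuer_cn, signer_key, not_before):
    """Hypothetical helper: build a minimal certificate for the demo chain."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)])
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(not_before)
            .not_valid_after(not_before + dt.timedelta(days=365 * 20))
            .sign(signer_key, hashes.SHA256()))

def build_demo_chain():
    """Constructed chain: 2048-bit leaf <- 1024-bit intermediate (2015) <- 1024-bit root (2009)."""
    root_key = rsa.generate_private_key(65537, 1024)
    inter_key = rsa.generate_private_key(65537, 1024)
    leaf_key = rsa.generate_private_key(65537, 2048)
    root = make_cert("Legacy Root", root_key, "Legacy Root", root_key, dt.datetime(2009, 1, 1))
    inter = make_cert("Weak Intermediate", inter_key, "Legacy Root", root_key, dt.datetime(2015, 1, 1))
    leaf = make_cert("www.example.test", leaf_key, "Weak Intermediate", inter_key, dt.datetime(2020, 1, 1))
    return [leaf, inter, root]
```

Running `weak_rsa_in_chain(build_demo_chain())` flags only the 2015 intermediate; the 2009 root is exempt and the leaf key is long enough.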

Solution

Replace any certificate in the chain whose RSA key is shorter than 2048 bits with one that uses a longer key, and reissue any certificates signed by the old certificate.

See Also

https://www.cabforum.org/wp-content/uploads/Baseline_Requirements_V1.pdf

Plugin Details

Severity: Medium

ID: 73459

File Name: pci_dss_ssl_weak_rsa_keys_under_2048.nasl

Version: 1.4

Type: remote

Family: General

Published: 4/10/2014

Updated: 4/22/2020

Supported Sensors: Nessus

Risk Information

CVSS Score Rationale: Score from an in-depth analysis done by Tenable

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: manual

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Vulnerability Information

Required KB Items: Settings/PCI_DSS, SSL/Chain/WeakRSA_Under_2048

Excluded KB Items: Settings/PCI_DSS_local_checks