Using custom certificates on GSAD

Hi
Is it possible to use a custom certificate on gsad?
I have generated a custom one, using my internal CA/CA-intermediate, then concatenated all certificates (root+intermediate+server) into a single .pem file.
But I’m getting:
/opt/gvm/sbin/gsad --listen=0.0.0.0 --ssl-certificate=/opt/gvm/var/lib/gvm/CA/openvas.pem --ssl-private-key=/opt/gvm/var/lib/gvm/private/CA/openvas.key

Starting GSAD version 20.08.0~git-be7b41b78-gsa-20.08
gsad main:WARNING:2020-12-15 12h14.33 utc:1303295: MHD: GnuTLS failed to setup x509 certificate/key: Unknown Subject Alternative name in X.509 certificate.

The certificate is valid, and verifies:
openssl verify -CAfile openvas_server_cachain.pem openvas_server.pem
openvas_server.pem: OK

Is this a limitation of the GSE edition?

Using just the certificate, i.e. without the chain, I don’t get any error but then the certificate is not validated by the browsers.

Thanks.

There are generally no limitations in place in the GSE.

Looks more like a problem in GnuTLS, possibly also in the specific version in use on the scanning system:

A search for the second part of that message has led to:

https://lists.gnupg.org/pipermail/gnutls-devel/2020-January/016946.html

which could give some insights.

Note that GVM is using GnuTLS and not OpenSSL, so a verification of the certificate could be done via gnutls-cli, which is probably showing a similar (but also a more detailed) error.

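One way to run the GnuTLS-side check suggested in the reply above against each certificate of a concatenated bundle. This is an added example, not part of the original posts. The function names are hypothetical, and treating a non-zero exit status or an `error:` line from `certtool --certificate-info` as a parse failure is an assumption about how certtool reports problems.

```shell
#!/bin/sh
# Added example: find which certificate in a PEM bundle GnuTLS fails to parse.

# split_pem_bundle BUNDLE OUTDIR
# Writes OUTDIR/cert-01.pem, cert-02.pem, ... in bundle order; prints the count.
split_pem_bundle() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$1"
}

# inspect_bundle BUNDLE
# Runs GnuTLS certtool on every certificate in BUNDLE, one at a time, and
# reports per position whether it parsed cleanly. Assumption: a parse problem
# shows up as a non-zero exit status or as an "error:" line in the output.
inspect_bundle() {
    command -v certtool >/dev/null 2>&1 || { echo "certtool not found" >&2; return 2; }
    tmp=$(mktemp -d) || return 2
    count=$(split_pem_bundle "$1" "$tmp")
    echo "$count certificate(s) in $1"
    rc=0
    for f in "$tmp"/cert-*.pem; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        if out=$(certtool --certificate-info --infile "$f" 2>&1) &&
           ! printf '%s\n' "$out" | grep -q 'error:'; then
            subject=$(printf '%s\n' "$out" | sed -n '/Subject:/{s/^[[:space:]]*//;p;q;}')
            echo "OK    $name  $subject"
        else
            echo "FAIL  $name"
            printf '%s\n' "$out" | grep -i 'error' | sed 's/^[[:space:]]*/      /'
            rc=1
        fi
    done
    rm -rf "$tmp"
    return $rc
}

# Run only when a bundle path is given: sh check_bundle.sh /path/to/bundle.pem
if [ "$#" -gt 0 ]; then
    inspect_bundle "$1"
fi
```

The position numbers follow the order in which the certificates were concatenated, so a FAIL line points at the exact entry of the bundle to examine further.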

Hi, tks.
I’ll look into that.

PR