Description
Many devices are pre-installed with a default SSL certificate. Generally, it is good practice to replace these to ensure security when accessing these devices. Indeni will alert if a default certificate is used.

Remediation Steps
Install a non-default certificate. Review https://support.f5.com/csp/article/K15664

How does this work?
This indeni script logs into the device through SSH and executes the command "openssl x509 -in /etc/httpd/conf/ssl.crt/server.crt -text -noout".

Why is this important?
Using the default management certificate could enable a potential attacker to perform a man-in-the-middle attack without administrators knowing it. This indeni alert checks if the default management certificate is used.

Without Indeni how would you find this?
An administrator can verify if the default management certificate is used by logging into the device via the web interface and clicking on "System" -> "Device Certificates". If "Certificate subject(s)" contains "localhost", the default certificate is used. While performing this check it would also be prudent to check whether the certificate used is trusted, by looking at the address bar of the browser.
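The following is an added example, not Indeni's own script and not F5 code, showing how the check described above can be scripted: it parses the decoded output of "openssl x509 -in /etc/httpd/conf/ssl.crt/server.crt -text -noout" and reports whether the subject CN is "localhost". The two certificate texts are constructed samples so the check runs offline; on a device you would pipe the real command's output into is_default_cert instead.

```shell
#!/bin/sh
# Added example (not Indeni's script): decide whether decoded x509 text
# describes the default management certificate (Subject CN=localhost).

# Constructed sample resembling the decoded default certificate.
DEFAULT_CERT_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=WA, L=Seattle, O=MyCompany, OU=IT, CN=localhost, emailAddress=root@localhost.localdomain
        Validity
            Not Before: Jan  1 00:00:00 2020 GMT
            Not After : Dec 31 23:59:59 2030 GMT
        Subject: C=US, ST=WA, L=Seattle, O=MyCompany, OU=IT, CN=localhost, emailAddress=root@localhost.localdomain'

# Constructed sample for a replaced, organisation-issued certificate.
CUSTOM_CERT_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: C=US, O=Example Corp, CN=Example Corp Issuing CA
        Validity
            Not Before: Jan  1 00:00:00 2024 GMT
            Not After : Jan  1 00:00:00 2025 GMT
        Subject: C=US, O=Example Corp, CN=bigip-mgmt.example.com'

# cert_subject: print the value of the first "Subject:" line read from stdin.
# Only the Subject line is considered, so a CN=localhost in the Issuer
# line of a CA-issued certificate does not trigger a false alert.
cert_subject() {
    sed -n 's/^[[:space:]]*Subject:[[:space:]]*//p' | head -n 1
}

# is_default_cert: read decoded x509 text on stdin; return 0 when the
# subject CN is exactly "localhost" (followed by a comma or end of line),
# 1 otherwise.
is_default_cert() {
    subject=$(cert_subject)
    case "$subject" in
        *CN=localhost|*CN=localhost,*) return 0 ;;
        *) return 1 ;;
    esac
}

# cert_verdict: print a one-line verdict for the decoded text given as $1.
# Always returns 0; the decision itself comes from is_default_cert.
cert_verdict() {
    subject=$(printf '%s\n' "$1" | cert_subject)
    if printf '%s\n' "$1" | is_default_cert; then
        echo "DEFAULT: subject $subject"
    else
        echo "OK: subject $subject"
    fi
    return 0
}

# Usage against the constructed samples. On a BIG-IP, replace the sample
# with the output of:
#   openssl x509 -in /etc/httpd/conf/ssl.crt/server.crt -text -noout
cert_verdict "$DEFAULT_CERT_TEXT"
cert_verdict "$CUSTOM_CERT_TEXT"
```

The CN match is deliberately exact rather than a substring test, so a legitimately issued certificate whose CN merely begins with "localhost" (for example a host named localhost.example.com) is not reported as the default.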