One of the requirements that I have for my work is to run vulnerability scans for our environment. For this specific requirement, I use Burp Suite to perform web scans. One issue that we’ve had since before I got here was that the scans reported our SSL certificates as not valid (even though they were). This was very frustrating, but we were able to explain to the people viewing the reports that the certificates were actually valid, so we got them to sign off on the scans.
I don’t have a link to the article, but we originally referenced an issue with Burp Suite that said that there was a bug regarding the validation of SSL Certificates. We would reference this when saying that there was a problem with the certificate chain. Without getting into too much detail, it was the worst offender in our report and even though it had a pass, we’d have to explain it to a new auditor and hope that he was able to understand why it was actually valid.
In scanning one of the development sites, it was discovered that one site didn’t have the issue with the SSL certificate. So we compared it to the others, and it turned out that its certificate chain was in the correct order. The root cert needed to be at the bottom (which I guess makes sense, though putting the root cert first also makes sense), and once we changed that in pre-prod the issue was gone. So we went into pre-prod, changed it to match the development environment, and it worked.
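The order matters because TLS expects the server certificate first, with each following certificate being the one that signed the certificate before it; a bundle that starts with the root breaks that link and a scanner will report the chain as invalid. The following code is an added example, not part of the original post: it models each certificate by the subject and issuer names that `openssl x509 -noout -subject -issuer` prints (the sample values are constructed), reports where a chain's order breaks, and rebuilds the chain leaf-first by following issuer links.

```python
# Added example: check and repair the order of a TLS certificate chain.
# Certificates are modelled as (subject, issuer) pairs, the fields that
# `openssl x509 -noout -subject -issuer` prints; the sample values are constructed.
from typing import List, Optional, Tuple

Cert = Tuple[str, str]  # (subject, issuer)


def chain_order_problem(chain: List[Cert]) -> Optional[str]:
    """Return None if the chain is ordered the way TLS expects
    (server cert first, each following cert signing the one before it),
    otherwise a description of the first break."""
    if not chain:
        return "empty chain"
    for i in range(len(chain) - 1):
        _, issuer = chain[i]
        next_subject = chain[i + 1][0]
        if issuer != next_subject:
            return f"cert {i} is issued by '{issuer}' but cert {i + 1} is '{next_subject}'"
    return None


def reorder_chain(chain: List[Cert]) -> List[Cert]:
    """Rebuild the chain leaf-first by following issuer links.
    The leaf is the only certificate whose subject issued nothing else in the bundle;
    a self-signed root (subject == issuer) ends the chain."""
    by_subject = {subject: (subject, issuer) for subject, issuer in chain}
    issuers = {issuer for _, issuer in chain}
    leaves = [c for c in chain if c[0] not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf certificate, found {len(leaves)}")
    ordered = [leaves[0]]
    while True:
        subject, issuer = ordered[-1]
        if issuer == subject:  # self-signed root reached: chain complete
            break
        nxt = by_subject.get(issuer)
        if nxt is None:  # issuer not in the bundle: chain ends at an intermediate
            break
        if nxt in ordered:
            raise ValueError("cycle in certificate chain")
        ordered.append(nxt)
    return ordered


# Constructed sample: a bundle saved root-first, the mis-order described above.
ROOT_FIRST_BUNDLE: List[Cert] = [
    ("Root CA", "Root CA"),
    ("Intermediate CA", "Root CA"),
    ("www.example.com", "Intermediate CA"),
]

if __name__ == "__main__":
    print(chain_order_problem(ROOT_FIRST_BUNDLE))
    print(reorder_chain(ROOT_FIRST_BUNDLE))
```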
This had been an issue that persisted before I started here, and it was great to be a part of the solution.