Mirth-Connect 4.5.2 Nessus Finding: SSL certificate for this service cannot be trusted

[dabiermannmedicom]

Mirth-Connect 4.5.2 and Mirth Connect Administration Launcher 1.4.2

We upgraded to the latest versions in October of 2024. There were no issues since then until now.

We have identified a critical security vulnerability on a virtual machine through our recent Nessus scan. The scan has reported Plugin ID 51192 on port # 8443, indicating an untrusted SSL certificate.

Synopsis: The SSL certificate for this service cannot be trusted.
Description: The server's X.509 certificate is not trusted. This typically occurs when the top of the certificate chain is not issued by a known public certificate authority.

Is this cert something that I can update/fix?

[ab-mg-23]

https://docs.nextgen.com/bundle/Mirth_User_Guide_4_5_0/page/connect/connect/topics/c_web_server_certificate.html

[dabiermannmedicom]

@ab-mg-23 is there any way to disable this so that it will not automatically create a new certificate upon startup? We do not use the main web server for external access.

[pacmano1]

s there any way to disable this

You did not say with "this" is, however:

As per the documentation linked shared which says:

The certificate used for the main web server is stored in the keystore.jks file. If not present, Mirth® Connect will automatically create a new certificate upon startup. Since this auto-generated certificate is self-signed, you will see security warnings in your browser if you navigate to the HTTPS landing page.

The first paragraph seems clear to me - if the file exists, it doesn't create a new certificate.

[dabiermannmedicom]

I generated a local cert from the device Mirth was installed on. I used that to update the keystore file so the cert is now trusted.

https://youtu.be/JveEJuz0dPc

[pacmano1]

For Windows users, sure it is an answer. And thanks for reminding folks of that video.

Notes:

1. KeyStore Explorer is an altenate to Portecle.
2. Many folks run the engine on Linux and have no desktop
3. Containers are yet another conifguration with no desktop

So - using java's keytool is typically used in non-desktop environments.

[dabiermannmedicom]

@pacmano1 @ab-mg-23 I am trying to update the local cert that I had used to a cert created from AWS (AWS Private CA). However, when I follow the above video and process, the service will not start. The only difference is the cert was generated from AWS instead of from the local server. Are there any logs that I can look at to see the exact reason/error why?

[pacmano1]

AWS Private CA? Because AWS Certificate Manager certs can't be used on non-AWS services - they don't provide the key.

[dabiermannmedicom]

Yes, sorry, AWS Private CA

[pacmano1]

We upgraded to the latest versions in October of 2024. There were no issues since then until now.

If you never read the article @ab-mg-23 posted and thereby updated the certificate to a real one, you have always had this "problem" of a self signed certificate. It's also mostly irrelevant if you / your company are aware that it is self signed.