← Back to Security Blog
연구 9분 읽기

자체 서명 인증서 — 기업 VPN 인프라의 숨겨진 위험

KENSAI research reveals that 41% of enterprise VPN gateways use self-signed or expired certificates. This creates blind spots for MITM attacks and undermines the entire security posture of remote access infrastructure.


간과된 위험

While organizations invest millions in next-generation firewalls and zero-trust architectures, a fundamental security gap persists: 41% of enterprise VPN gateways still use self-signed or expired TLS certificates. KENSAI's scan of 12,000+ VPN endpoints across DACH region enterprises reveals this hidden risk that most security audits overlook.

Key Finding: 41% of VPN Gateways Have Certificate Issues

Self-signed: 28% | Expired: 9% | Weak algorithms (SHA-1): 4% | Total at risk: 41%


자체 서명 VPN 인증서가 위험한 이유

1. 중간자 공격(MITM) Attacks

When a VPN client encounters a self-signed certificate, it either rejects the connection (breaking access) or users are trained to accept warnings. This "click through" behavior eliminates the primary defense against MITM attacks — certificate validation.

2. 아니오 Revocation Capability

Self-signed certificates cannot be revoked through standard CRL or OCSP mechanisms. If a private key is compromised, there's no way to invalidate the certificate across all clients without manual intervention on every device.

3. Compliance Violations

NIS2 Article 21 requires "appropriate and proportionate technical measures" for network security. Self-signed certificates on critical infrastructure fail this requirement. ISO 27001 control A.10.1 specifically addresses cryptographic controls and certificate management.

4. Supply Chain Risk

When third-party vendors connect to your VPN with self-signed certificates, they create an unverifiable trust chain. An attacker who compromises the vendor can present their own self-signed certificate without detection.


연구 데이터

Certificate IssuePrevalence위험 수준
Self-signed (no CA chain)28%치명적
Expired certificates9%높음
SHA-1 signatures4%높음
Wildcard on VPN endpoints12%중간
Missing OCSP stapling67%중간
Proper CA-signed, current59%낮음

복구 로드맵

  1. Inventory: Catalog all VPN endpoints and their certificate status using KENSAI scans
  2. Deploy PKI: Set up an internal PKI or use a trusted public CA for VPN certificates
  3. Automate renewal: Implement ACME protocol or certificate management tools for automatic renewal
  4. Enforce validation: Configure VPN clients to reject self-signed certificates — no exceptions
  5. 모니터링 continuously: Set up alerts for certificates expiring within 30 days
  6. Vendor requirements: Mandate CA-signed certificates for all third-party VPN connections

NIS2 영향

Under NIS2, self-signed certificates on critical VPN infrastructure could constitute a failure to implement appropriate technical measures (Article 21). Organizations found non-compliant face fines up to €10 million. More critically, if a breach occurs through a self-signed certificate 취약점, the organization may face additional 벌금 for negligence.

Protect Your Organization with Kensai

AI-powered 취약점 management with 331,910+ CVEs indexed.

Start Free Trial

안전하게. 경계하며.

🗡️ KENSAI 보안팀