Is there a way to stop clients from creating a self-signed CA certificate? The problem is that they are not publicly trusted, so we are inundated with security vulnerabilities.
We use Tenable Nessus for vulnerability scanning, but I'd assume any scanner would detect a self-signed CA certificate as a vulnerability. Here are more details on the vulnerability:
The following certificate was found at the top of the certificate chain sent by the remote host, but is self-signed and was not found in the list of known certificate authorities. This nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host. Thanks!
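The finding quoted above boils down to two checks on the certificate at the top of the served chain: it is self-signed (subject equals issuer and it verifies under its own key), and it does not chain to the system CA store. The script below is an added example, not Nessus code and not from the original post; it assumes the openssl CLI is installed and builds its own throwaway self-signed certificate as constructed input, so it runs offline.

```shell
#!/bin/sh
# Added example: reproduce the two conditions behind the "self-signed CA at
# top of chain" finding, locally, against a constructed certificate.
# Assumption: the openssl CLI is on PATH. No network access is needed.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample input: a throwaway self-signed certificate of the kind
# a scanner flags. Prints the path of the PEM file it wrote.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" \
    -out "$WORK/self.pem" -days 1 -subj "/CN=example-self-signed" \
    >/dev/null 2>&1
  printf '%s\n' "$WORK/self.pem"
}

# is_self_signed CERT: returns 0 when subject equals issuer AND the
# certificate verifies with itself as the only trust anchor. Both checks
# matter: a matching name alone does not prove the signature is its own.
is_self_signed() {
  cert="$1"
  subj="$(openssl x509 -in "$cert" -noout -subject)"
  iss="$(openssl x509 -in "$cert" -noout -issuer)"
  subj="${subj#subject=}"
  iss="${iss#issuer=}"
  [ "$subj" = "$iss" ] || return 1
  # -CAfile pointing at the certificate itself succeeds only if it is
  # its own root, i.e. the signature was made with its own key.
  openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1
}

# trusted_by_store CERT: returns 0 when the certificate chains to the
# system CA bundle, which is what "publicly trusted" means to the scanner.
trusted_by_store() {
  openssl verify "$1" >/dev/null 2>&1
}

# Stand-alone run: build the sample and report what a scanner would see.
CERT="$(make_self_signed)"
if is_self_signed "$CERT"; then
  echo "top of chain is self-signed: scanner would flag this host"
fi
if ! trusted_by_store "$CERT"; then
  echo "certificate is not trusted by the system CA store"
fi
```

To apply the same checks to a real host, replace the constructed certificate with the chain exported by `openssl s_client -showcerts` and point `is_self_signed` at the last certificate in that chain; a certificate issued by an internal CA will fail `trusted_by_store` on the scanner until that CA is added to the scanner's trust list, which is the usual remediation rather than the vulnerability itself.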