HCHTech
I have an internet-connected credit card terminal, which means I have to endure quarterly penetration scans to get PCI compliance. This quarter, I failed the scan because I don't have a third-party SSL.
The failure message is pointing to the port I have open to allow me to VPN into my network from the field and says "SSL Certificate - Signature Verification Failed Vulnerability". Under "How to Remediate", it says "Please install a server certificate signed by a trusted third-party Certificate Authority."
Now, mind you, I don't have a domain or a server here. I have Static IP business internet, with a Sonicwall firewall. I have my cc terminal in its own security zone, as well as separate zones for client computers and my own business computers.
I looked into obtaining an SSL for this purpose, but it seems I cannot obtain an SSL without a fully qualified domain name. Apparently, it used to be possible to get an SSL for an IP address, but some change in the rules must have stopped that. When browsing through the FAQs on two separate certificate vendors, it says something like "as of November 1, 2015, we no longer issue certificates without a FQDN."
First, I thought I could just use a NoIP or DynDNS address (pointing to my IP) as the FQDN, but that didn't work because the vendor requires that you be able to receive email to admin@domain.com on the FQDN you enter for the certificate to validate your order. I could purchase email forwarding for another few bucks, but before I go further down that rabbit hole, I thought I'd better stop and get the advice of folks who know more than I do about these things.
Am I missing something simple here?
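What the scanner's "Signature Verification Failed" finding boils down to is a chain check (does the certificate presented on that port chain to a root the scanner trusts?) plus a name check (does the certificate's subjectAltName cover the name or address being scanned?). The script below, added here as an example and not taken from the original post or from any vendor, reproduces both checks offline with the `openssl` command line (version 1.1.1 or newer assumed). It builds a throwaway "trusted third-party CA", a self-signed certificate bound only to an IP (the kind an appliance ships with) and a CA-issued certificate bound to an FQDN, then verifies each the way a scanner would. The IP `203.0.113.10` and the name `vpn.example.com` are constructed placeholders, not values from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes openssl >= 1.1.1.
# Constructed values: 203.0.113.10 stands in for a static IP, vpn.example.com
# for a hypothetical FQDN that resolves to it.

# Build a demo CA plus two server certificates in a temp dir and print its path:
#   self.pem - self-signed, subjectAltName=IP only (typical appliance default)
#   srv.pem  - issued by the demo CA, subjectAltName=DNS:vpn.example.com
setup_demo_certs() {
    work=$(mktemp -d)
    (
        cd "$work" || exit 1
        # The CA that plays the role of a publicly trusted root.
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -keyout ca.key -out ca.pem -subj "/CN=Demo Trusted CA" \
            >/dev/null 2>&1
        # Self-signed leaf: nobody outside the box vouches for it.
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -keyout self.key -out self.pem -subj "/CN=203.0.113.10" \
            -addext "subjectAltName=IP:203.0.113.10" >/dev/null 2>&1
        # CA-issued leaf: CSR, then signed by the CA with a DNS SAN attached.
        openssl req -newkey rsa:2048 -nodes \
            -keyout srv.key -out srv.csr -subj "/CN=vpn.example.com" \
            >/dev/null 2>&1
        printf 'subjectAltName=DNS:vpn.example.com\n' > san.ext
        openssl x509 -req -in srv.csr -CA ca.pem -CAkey ca.key \
            -CAcreateserial -days 365 -extfile san.ext -out srv.pem \
            >/dev/null 2>&1
    ) || return 1
    printf '%s\n' "$work"
}

# chain_ok CA_FILE CERT_FILE -> status 0 if CERT_FILE chains to CA_FILE.
# This is the "signature verification" half of the scanner finding.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# name_ok CA_FILE CERT_FILE NAME -> status 0 if the chain verifies AND the
# certificate's SAN covers NAME (a DNS name or a bare IP literal).
name_ok() {
    case "$3" in
        *[!0-9.]*) openssl verify -CAfile "$1" -verify_hostname "$3" "$2" ;;
        *)         openssl verify -CAfile "$1" -verify_ip "$3" "$2" ;;
    esac >/dev/null 2>&1
}

# san_of CERT_FILE -> prints the subjectAltName value (empty if none).
san_of() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | sed -n '2p' | sed -e 's/^[[:space:]]*//'
}

# probe HOST PORT NAME -> what a live scan does: fetch the leaf from the
# open port and verify it against the system trust store for NAME.
# Not run in the demo; use it after installing the CA-issued certificate.
probe() {
    openssl s_client -connect "$1:$2" -servername "$3" \
        -verify_hostname "$3" -verify_return_error </dev/null >/dev/null 2>&1
}

# Run `sh thisfile.sh --demo` to see both certificates checked.
if [ "${1:-}" = "--demo" ]; then
    d=$(setup_demo_certs) || exit 1
    for c in self srv; do
        if chain_ok "$d/ca.pem" "$d/$c.pem"; then r=OK; else r=FAIL; fi
        printf '%-9s chain=%-4s san=%s\n' "$c.pem" "$r" "$(san_of "$d/$c.pem")"
    done
    rm -rf "$d"
fi
```

The self-signed certificate fails the chain check no matter what name it carries, which is exactly the scanner's complaint. The CA-issued one passes the chain check and matches `vpn.example.com`, but not the bare IP, because its only SAN is a DNS name; that is why a DNS name pointing at the static IP is the route left open once public CAs stopped issuing IP-only certificates, and why `probe` takes the FQDN rather than the address.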