SSL Certificate for SUM

Hi, Scott, and welcome to the UTM Community!

The only thing a human from a  vulnerability assessment service does is write a note that you have issues.  No one in their business evaluates the automated assessment report beyond that.  This sounds like a lot of false positives I see discussed here.  If you can share exactly what they said, we probably can give you information that will let them ignore that issue and give you a pass.

For instance, sometimes they grip about there being a self-signed cert.  In fact, in some instances, that's safer than a public cert.

Cheers - Bob

Bob,

           Hi. Your response cracked me up! The scan was not a third party scan, but rather my own scan! Yes, the issue is self-signed certificates. I have a CA; I just need to know how to generate a CSR from the SUM to get a proper certificate. I know, I know... You are asking, "Don't you have anything better to do with your time?". Regardless, it has to get done. Thanks for the post!

Scott

Bob,

           Hi. Your response cracked me up! The scan was not a third party scan, but rather my own scan! Yes, the issue is self-signed certificates. I have a CA; I just need to know how to generate a CSR from the SUM to get a proper certificate. I know, I know... You are asking, "Don't you have anything better to do with your time?". Regardless, it has to get done. Thanks for the post!

Scott

For self signed certificate, I am also agree with you because this type of certificate creates browser warning issue so it will be the best if people will avoid self signed ssl certificate.

In this case, we're not dealing with ecommerce, but with a tool to which there should be very limited access.  There should only be a few IPs allowed to reach WebAdmin or SUM and the small number of devices can easily have the CA added to the Trusted Root Certification Authorities store.  For this use, the self-signed certificate is actually more secure against mitm attacks than one signed by Thawte, etc.

Cheers - Bob