Shanna517

Set Up Of Common Name Of SSL Certificate To Protect Plesk Panel

@Shanna517

Posted in: #Plesk #SecurityCertificate

A PCI compliance scanner is balking that the self-signed SSL certificate protecting secure access to Plesk Panel contains a name mismatch between the location of the Plesk Panel and the name on the certificate; namely, the self-signed cert's name is "Parallels" and the domain to reach Plesk is 'ip address:8443'.

So I figured I would go ahead and get a free SSL certificate to try to fiddle with this error. But when I generated the certificate I used my server domain name as the site name when I generated the certificate. So if I visit 'domain name:8443' all is fine, no SSL warning. But if I visit 'ip address:8443' (which I believe is what the scanner does) I get the certificate name mismatch error; DigiCert's SSL checker says that the certificate name should be the IP address.

Can I even generate a certificate whose common name is the IP address? I am tempted to say I should just do what the PCI scanner accepts, but what is really the correct common name to use? Anybody run into this issue before?


1 Comments


@Kevin317

PCI scanning should be based on the domain name, not the IP address.

You will need to examine the details in the PCI report to see precisely what is triggering the error. They should give you a specific error.

Most PCI vendors simply run port scans and will attempt to connect to:
www.domain.com:8443/

Plesk will respond on this domain, triggering a failure if the certificate used is a self-signed certificate or otherwise invalid.

To correct this issue you can:


- Install an SSL certificate into the Plesk panel that matches (exactly) the domain being scanned.
- Use a firewall to restrict port 8443 to specific IPs. You may need to submit a justification for this.
- Use an alternate SSL certificate and submit results showing that it is valid and the site in question does not reside on port 8443 but that it is the control panel. I've seen a few PCI vendors accept this.
- In tough cases, we've had to put in rewrite rules to redirect port 8443 to a canonical name with a matching SSL certificate.


Note that most PCI vendors will not accept a self-signed certificate.

The simple solution is usually to just install your domain.com SSL certificate into the Plesk panel.

You may additionally need to do this for the SSL versions of POP/IMAP/SMTP. The latter must be done at the command line using PEM files. Locations vary depending on the OS and version of Plesk.

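Why the same certificate passes at 'domain name:8443' and fails at 'ip address:8443', shown as an added example that is not part of the original thread: a simplified name check over a certificate in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`. The two certificates, `panel.example.com` and `203.0.113.10` are constructed sample values.

```python
import ipaddress

def _dns_match(pattern, host):
    """Match one DNS name; a wildcard may only be the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def cert_matches(cert, target):
    """Return (ok, reason) for a getpeercert()-style dict and a scan target."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP target is only satisfied by an iPAddress SAN entry.
        ips = [v for k, v in sans if k == "IP Address"]
        if any(ipaddress.ip_address(v) == ip for v in ips):
            return True, "iPAddress SAN match"
        return False, "no iPAddress SAN for %s" % target
    dns = [v for k, v in sans if k == "DNS"]
    if any(_dns_match(v, target) for v in dns):
        return True, "dNSName SAN match"
    if not dns:
        # Legacy fallback: with no dNSName SAN, compare the subject CN.
        cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
        if any(_dns_match(cn, target) for cn in cns):
            return True, "commonName match (legacy)"
    return False, "no name on the certificate matches %s" % target

# Constructed sample certificates (not taken from the page).
PLESK_DEFAULT = {"subject": ((("commonName", "Parallels"),),)}
DOMAIN_CERT = {
    "subject": ((("commonName", "panel.example.com"),),),
    "subjectAltName": (("DNS", "panel.example.com"),),
}

def audit(cert, targets):
    """Check one certificate against every name a scanner might connect to."""
    return {t: cert_matches(cert, t) for t in targets}

if __name__ == "__main__":
    for name, cert in (("default", PLESK_DEFAULT), ("domain", DOMAIN_CERT)):
        for target, (ok, why) in audit(cert, ["panel.example.com", "203.0.113.10"]).items():
            print(name, target, "OK" if ok else "MISMATCH", "-", why)
```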

