Issue

After installing an SSL certificate on a firewall, scans still detect the compliance failure:
"FAILED Compliance: TLS: No Self-Signed Certificates. Description: Ensure TLS certificates are signed by a separate issuer."

Cause

The scan is detecting that the certificate is self-signed or not signed by a publicly trusted certificate authority (CA). Compliance standards require the certificate to be signed by a CA to ensure authenticity and security.

Solution

Verify the Certificate

• Confirm whether the SSL certificate installed on the firewall is signed by a publicly trusted CA.
• If it is a self-signed certificate, replace it with one issued by a trusted CA.

Suppress the Compliance Detection (Optional)

• If the certificate is intentionally self-signed and acceptable for your environment, you can suppress the CVE detection in the vulnerability scan.

1. Navigate to Instance > Vulnerability Scan History in your CYRISMA dashboard.
2. Locate and select the scan named 'One Time Firewall~202410101415'.
3. Expand the scan results and review the bar graph. Select the affected IP address (e.g., 12.179.39.242) in the graph.
4. Under the Root Cause section, locate the failed compliance entry for the CVE.
5. Click the three dots under the "Action" column, and select Suppress to disable further detection of the issue.

Notes

• Suppressing the CVE may bypass compliance warnings but does not resolve the underlying issue. Ensure this action aligns with your security policies.
• If your certificate is signed by a CA and the issue persists, verify the certificate’s installation and configuration on the firewall.