Our company needs to have external PCI scans done on both our website and our company firewalls. The website is hosted by an external company and we have 3 firewalls at different sites which are managed locally.
We are failing our PCI scan because the certificates on the firewalls are not trusted. We were originally using self-signed certificates but to get rid of this message I purchased one from GoDaddy for one of our sites.
I created the CSR on the firewall for fw1.MySite.org and installed it on the firewall. Since the scan is done by IP, I added an A record with our DNS provider so it would resolve correctly. However, we are still failing our scan with "SSL Certificate Common Name Does Not Validate (External Scan)" and "Untrusted Certificate".
I have made sure that if I do an nslookup for fw1.MySite.org it resolves to 456.4457.458.459, which is the IP address of the firewall. However, since the scan is done by IP, it is still failing. I tried doing an nslookup on 456.4457.458.459 and it returns MySite.org and not fw1.MySite.org.
How is it resolving by IP address to the website and not the fw1.MySite.org? How do I get it to resolve to fw1.MySite.org?
A Records (IP Address)

Host                       TTL    Numeric IP
www                        3600   18.104.22.168
@ (None)                   3600   22.214.171.124
* (All Others)             3600   126.96.36.199
ecommerce.MySite.org       7200   188.8.131.52
ftp.MySite.org             7200   345.346.347.348
mail.MySite.org            7200   345.346.347.349
pottery.MySite.org         7200   345.346.347.350
fw1.MySite.org             7200   456.4457.458.459

CNAME (Host Aliases)

Host                       TTL    Points To
autodiscover.MySite.org    3600   autodiscover.outlook.com.
k1._domainkey.MySite.org   3600   dkim.mcsv.net.
lyncdiscover.MySite.org    3600   webdir.online.lync.com.
msoid.MySite.org           3600   clientconfig.microsoftonline-p.net.
sip.MySite.org             3600   sipdir.online.lync.com.
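The post describes three things that have to line up before a scanner that connects by IP will accept the certificate: the forward A record, the reverse PTR record for the address, and the names the certificate actually carries. An added example, not part of the original post, that models that check with constructed data: the forward and reverse tables below stand in for nslookup output (the addresses are from the 203.0.113.0/24 documentation range, not the poster's), the first scenario reproduces the situation in the question (PTR answers the apex name, certificate has only a DNS name), and the second shows the state in which all findings clear. The forward zone is the one the poster edits at their DNS provider; the reverse zone is served by whoever holds the address block, which is why adding an A record does not change what a lookup of the IP returns.

```python
"""Forward A / reverse PTR / certificate SAN consistency check for a host scanned by IP.

Added example with constructed DNS data; it does no network lookups.
"""
import ipaddress

# Constructed stand-ins for nslookup results (documentation-range addresses, not real).
FORWARD = {
    "fw1.mysite.org": "203.0.113.10",
    "mysite.org": "203.0.113.20",
}
# The reverse zone is maintained by the address-block owner; here it still answers
# the apex name for the firewall's address, as described in the question.
REVERSE_BEFORE = {"203.0.113.10": "mysite.org"}
REVERSE_AFTER = {"203.0.113.10": "fw1.mysite.org"}


def san_matches_dns(hostname: str, san_dns: list[str]) -> bool:
    """True if hostname is covered by one of the certificate's DNS SANs.

    Wildcards are accepted only as a leading "*." label matching exactly one
    label, so "*.mysite.org" covers "fw1.mysite.org" but not "mysite.org".
    """
    host = hostname.lower().rstrip(".")
    for pattern in san_dns:
        pat = pattern.lower().rstrip(".")
        if pat == host:
            return True
        if pat.startswith("*."):
            suffix = pat[1:]  # ".mysite.org"
            if host.endswith(suffix):
                left = host[: -len(suffix)]
                if left and "." not in left:
                    return True
    return False


def san_matches_ip(ip: str, san_ips: list[str]) -> bool:
    """True if the address the client connected to is present as an IP SAN."""
    target = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(s) == target for s in san_ips)


def audit(hostname: str, ip: str, san_dns: list[str], san_ips: list[str],
          forward: dict, reverse: dict) -> list[str]:
    """Return a list of findings; an empty list means the three views agree.

    A client that connects by IP validates the certificate against that IP, so
    the address must appear as an IP SAN (or the scan must target the hostname).
    """
    findings = []
    host = hostname.lower()

    fwd = forward.get(host)
    if fwd != ip:
        findings.append(f"A record for {hostname} is {fwd}, expected {ip}")

    ptr = reverse.get(ip)
    if ptr is None:
        findings.append(f"no PTR record for {ip}")
    elif ptr.lower() != host:
        findings.append(f"PTR for {ip} is {ptr}, not {hostname}")

    if not san_matches_dns(hostname, san_dns):
        findings.append(f"certificate DNS SANs {san_dns} do not cover {hostname}")
    if not san_matches_ip(ip, san_ips):
        findings.append(f"scanner connects to {ip}, which is not an IP SAN on the certificate")
    return findings


def example_before() -> list[str]:
    """The question's situation: DNS-name-only certificate, PTR points at the apex."""
    return audit("fw1.mysite.org", "203.0.113.10",
                 san_dns=["fw1.mysite.org"], san_ips=[],
                 forward=FORWARD, reverse=REVERSE_BEFORE)


def example_after() -> list[str]:
    """PTR corrected by the address-block owner and the IP added as a SAN."""
    return audit("fw1.mysite.org", "203.0.113.10",
                 san_dns=["fw1.mysite.org"], san_ips=["203.0.113.10"],
                 forward=FORWARD, reverse=REVERSE_AFTER)


if __name__ == "__main__":
    for label, findings in (("before", example_before()), ("after", example_after())):
        print(label, "->", findings or "consistent")
```

Replace the two constructed tables with the output of `nslookup fw1.MySite.org` and `nslookup <firewall IP>` and the certificate's Subject Alternative Name list to run it against a live host; any finding that remains is one of the conditions the scanner reports as a name or trust failure.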