A vendor is setting up on-prem internal servers for us. The vendor told us he needs SSL certs for the 5 servers, not for users to access but for server-to-server comms. Shall we use self-signed certs in this case, and for how long should these certs usually be valid (every 1-3 years or permanently)?
Should these servers sit behind the WAF (or suppose these 5 URLs are not for users' access but server-to-server communications) or in front of the WAF? If they sit behind the WAF, should the self-signed certs be installed in the WAF or in the servers? If they sit in front of the WAF, certainly the certs have to be installed in the servers.
For penetration tests, should we test the 5 URLs (the vendor said they're for server-to-server comms) through the WAF, or position the penetration scanners directly on the servers without going