Using 3rd party wildcard cert to pass PCI scans

Hello. Currently we have a client using a FireCluster of M470s. They have a PCI scan of their external IP address that is coming back as failing because the cert is self-signed. I found the documentation that states to use a 3rd party signed cert and how to install said cert. No problem there, but I still have two questions.

  1. If we use a wildcard cert of *.domain.com, will the scan still come back as failing because it's hitting the IP address, not the domain?
  2. Will this break anything? They do not use any VPN but I do believe there is a tunnel from their firewall to another vendor's firewall (they have offsite servers at a datacenter managed by another company).

Thank you in advance.


    james.carson, Moderator, WatchGuard Representative


    1. As far as I'm aware, the scans are checking for the presence of the cert and not that it matches the domain name. If they did fail you for this, the solution would be to have them use the domain name instead, as 3rd party CAs will generally not sign certs with IP addresses in them.

    2. This won't do anything to site to site VPNs -- even if they are using a certificate, it would be an IPSec cert vice a normal webserver cert. Most customers use a preshared key for site to site IPSec tunnels.

    -James Carson
    WatchGuard Customer Support
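To make the first answer concrete for the original poster: a scanner or browser that does validate the name applies the RFC 6125 rules below, and under those rules a DNS wildcard like *.domain.com never matches a bare IP address, only an iPAddress SAN entry can. The following is an added example written for this page, not code from James or WatchGuard; the SAN lists, the peer-cert dict and the 203.0.113.10 address (a documentation range) are constructed samples. The `san_from_peercert` helper assumes the tuple shape Python's `ssl` module returns from `getpeercert()` for a validated peer.

```python
"""Hostname-vs-certificate matching as a validating TLS client applies it.

Demonstrates why a *.domain.com wildcard satisfies fw.domain.com but not
domain.com, not a.b.domain.com, and never an IP-address target.
All certificate data here is constructed sample data.
"""
import ipaddress


def _match_dns(pattern: str, host: str) -> bool:
    """Match one dNSName SAN entry against a hostname (RFC 6125 style).

    A wildcard is honoured only as the entire leftmost label and covers
    exactly one label.  Partial wildcards (f*.domain.com) and wildcards
    that would cover a whole public suffix (*.com) are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:]:
        return False  # wildcard must be the whole leftmost label, and the only one
    if len(p_labels) < 3:
        return False  # "*.com" would be too broad
    # Same number of labels, and everything right of the wildcard identical.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_target(san: dict, target: str) -> bool:
    """san = {"dns": [...], "ip": [...]} taken from the SubjectAltName extension.

    If the target is an IP literal, only iPAddress entries are consulted;
    dNSName entries (wildcard or not) are never compared against an IP.
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ip == ipaddress.ip_address(e) for e in san.get("ip", []))
    return any(_match_dns(e, target) for e in san.get("dns", []))


def san_from_peercert(cert: dict) -> dict:
    """Convert the dict shape ssl.SSLSocket.getpeercert() returns (assumed:
    'subjectAltName' is a tuple of (type, value) pairs with types 'DNS' and
    'IP Address') into the {"dns": [...], "ip": [...]} form used above."""
    san = {"dns": [], "ip": []}
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            san["dns"].append(value)
        elif kind == "IP Address":
            san["ip"].append(value)
    return san


# Constructed sample certificates, not real WatchGuard data.
WILDCARD_SAN = {"dns": ["*.domain.com"], "ip": []}
IP_SAN = {"dns": ["fw.domain.com"], "ip": ["203.0.113.10"]}
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "fw.domain.com"),),),
    "subjectAltName": (("DNS", "fw.domain.com"), ("IP Address", "203.0.113.10")),
}


def check_all() -> dict:
    """Run the scenarios from the thread and return target -> match result."""
    return {
        "wildcard vs fw.domain.com": cert_matches_target(WILDCARD_SAN, "fw.domain.com"),
        "wildcard vs domain.com": cert_matches_target(WILDCARD_SAN, "domain.com"),
        "wildcard vs vpn.branch.domain.com": cert_matches_target(WILDCARD_SAN, "vpn.branch.domain.com"),
        "wildcard vs 203.0.113.10": cert_matches_target(WILDCARD_SAN, "203.0.113.10"),
        "ip-san cert vs 203.0.113.10": cert_matches_target(IP_SAN, "203.0.113.10"),
        "peercert helper vs 203.0.113.10": cert_matches_target(
            san_from_peercert(SAMPLE_PEERCERT), "203.0.113.10"
        ),
    }


if __name__ == "__main__":
    for case, ok in check_all().items():
        print(f"{case:40s} {'match' if ok else 'NO MATCH'}")
```

The practical reading for the thread: if the scanner only checks that the chain is trusted, the wildcard cert is enough; if it also validates the name against the raw IP it was given, no publicly trusted cert will satisfy it, and the fix is to scan the hostname (fw.domain.com, which the wildcard covers) rather than the address.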
