InsightVM and Wildcard Certs (X.509 Validation)

Question asked by Peter David on Jun 18, 2017

We're currently using wildcard certs for our external servers (DMZ). These are being scanned via our internal IP ranges (due to using the AWS pre-authed scanner), and in so doing, they are failing the comparison of the subject common name check. This is because AWS by default generates ip-X-X-X-X.ec2.internal for all reverse DNS names, which in our case does not match our * certificates.


I can see that we can flag these findings as exceptions for False Positives, but I would like to ensure that the exception only applies if the wildcard is found (as opposed to all mismatched SCN certificates). Is there a good way to apply this exception dynamically based on the results of the test, or is it a manual, host-by-host, service-by-service exception task?
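As an added example (not part of the question above, and not an InsightVM feature), the following Python shows why the check fails and how a defender could triage the exported findings before touching exceptions. It implements RFC 6125-style matching of a certificate's names against the scanned hostname, then classifies each finding as a genuine match, a "wildcard cert scanned via an AWS internal reverse-DNS name" candidate for exception, or a real mismatch that should stay open. The finding list, the `*.example.com` wildcard, the `classify_finding` helper and the over-broad-wildcard policy are all assumptions made for the illustration; only the `ip-X-X-X-X.ec2.internal` naming pattern comes from the question.

```python
import re
from typing import Dict, List, Sequence

# AWS default reverse-DNS name for EC2 instances, as described in the question.
EC2_INTERNAL_RDNS = re.compile(
    r"^ip-\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.ec2\.internal$"
)


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one presented identifier (CN or dNSName SAN) against a hostname.

    Follows the usual RFC 6125 rules: case-insensitive, a '*' is only honoured
    as the entire left-most label, and it covers exactly one label (so
    '*.example.com' matches 'www.example.com' but not 'a.b.example.com'
    or 'example.com').
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole left-most label and appear nowhere else.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # Policy choice (assumption): refuse over-broad wildcards such as '*.com'.
    if len(p_labels) < 3:
        return False
    # The wildcard stands in for exactly one label, so label counts must agree
    # and every remaining label must be identical.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_matches_host(cert_names: Sequence[str], hostname: str) -> bool:
    """True if any name on the certificate matches the scanned hostname."""
    return any(name_matches(name, hostname) for name in cert_names)


def classify_finding(cert_names: Sequence[str], scanned_hostname: str) -> str:
    """Classify a name-mismatch finding for triage (hypothetical helper).

    'match'                 - no mismatch at all, the finding is wrong
    'wildcard-internal-rdns'- wildcard cert scanned via an EC2 rDNS name;
                              a candidate for a scoped exception
    'mismatch'              - a real subject-name mismatch; keep it open
    """
    if cert_matches_host(cert_names, scanned_hostname):
        return "match"
    has_wildcard = any(name.startswith("*.") for name in cert_names)
    if has_wildcard and EC2_INTERNAL_RDNS.match(scanned_hostname.lower()):
        return "wildcard-internal-rdns"
    return "mismatch"


def triage(findings: Sequence[Dict]) -> Dict[str, List[str]]:
    """Group a list of exported findings by classification."""
    buckets: Dict[str, List[str]] = {}
    for finding in findings:
        verdict = classify_finding(finding["cert_names"], finding["host"])
        buckets.setdefault(verdict, []).append(finding["host"])
    return buckets


# Constructed sample findings; not real scan output.
SAMPLE_FINDINGS = [
    {"host": "ip-10-0-1-23.ec2.internal", "cert_names": ["*.example.com"]},
    {"host": "ip-10-0-1-24.ec2.internal", "cert_names": ["www.example.com"]},
    {"host": "WWW.Example.COM", "cert_names": ["*.example.com"]},
    {"host": "api.internal.example.com", "cert_names": ["*.example.com"]},
]

if __name__ == "__main__":
    for verdict, hosts in sorted(triage(SAMPLE_FINDINGS).items()):
        print(f"{verdict:24s} {', '.join(hosts)}")
```

Running this over an export of the mismatch findings gives a list of hosts that are safe to mark as exceptions (the `wildcard-internal-rdns` bucket) while leaving `mismatch` entries, such as a single-label cert behind an EC2 name or a wildcard that does not cover a multi-level name, for manual review.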