A vendor is setting up on-prem internal servers for us. The vendor told us he needs SSL certs for the 5 servers (there are 5 URLs given), not for users to access but for server-to-server communications.

Q1: Should we use self-signed certs in this case, and usually for how long should these certs be valid (every 1-3 years, or permanently)?

Q2: Should these servers sit behind the WAF (given that these 5 URLs are not for user access but for server-to-server communications) or in front of the WAF?

Q3: If they sit behind the WAF, should the self-signed certs be installed in the WAF or in the servers? If they sit in front of the WAF, certainly the certs have to be installed in the servers.

Q4: For penetration tests, should we test the 5 URLs (the vendor said they are for server-to-server comms) through the WAF, or position the penetration scanners directly on the servers without going through the WAF?

Sun