Resolving TLS Certificate Compliance Detections

Last updated: December 23, 2025

Cyrisma may report compliance failures related to TLS certificates even after a certificate has been installed on a firewall, server, or other network device. This article explains why these detections occur and how to address them appropriately.


Issue Description

A compliance scan may report a failure similar to:

FAILED Compliance: TLS – No Self-Signed Certificates
Ensure TLS certificates are signed by a separate issuer.

This indicates that the scanned device is using a TLS certificate that does not meet the compliance requirement for trusted certificate authorities.


Why This Detection Occurs

The compliance check evaluates whether TLS certificates are:

  • Signed by a publicly trusted Certificate Authority (CA), or

  • Self-signed or signed by an untrusted/internal issuer

If the certificate is self-signed or not chained to a trusted CA, the compliance check will fail—even if encryption is technically enabled and functioning.


How to Resolve the Detection

Option 1: Replace the Certificate (Recommended)

  1. Verify whether the installed TLS certificate is self-signed.

  2. If it is, replace it with a certificate issued by a publicly trusted CA.

  3. Ensure the certificate is correctly installed and assigned to the relevant service.

  4. Rerun the compliance or vulnerability scan to confirm resolution.

This approach resolves the underlying compliance issue and aligns with most security standards.


Option 2: Suppress the Compliance Detection (Optional)

If a self-signed certificate is intentionally used and acceptable for your environment, the compliance detection can be suppressed.

To suppress the detection:

  • Locate the relevant vulnerability or compliance finding in the scan results

  • Identify the failed TLS compliance entry for the affected IP or device

  • Use the Suppress option to prevent future detection of that specific issue

Note: Suppression hides the compliance warning but does not remediate the underlying configuration.


Important Considerations

  • Suppressing a TLS compliance detection should align with your internal security policies.

  • If a certificate is signed by a trusted CA and the detection persists, verify:

    • The certificate chain is complete

    • The correct certificate is bound to the service being scanned

  • Firewalls and network appliances may require service restarts after certificate changes.
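For step 1 of Option 1 (is the installed certificate self-signed?) and the chain and service-binding checks listed above, the following shell script is an added example using the openssl CLI; it is not part of this article or of Cyrisma's tooling, and the host fw.example.internal and port 443 are placeholders for the scanned device.

```shell
#!/bin/sh
# Added example, not Cyrisma tooling: classify what a scanned host presents
# so a TLS compliance finding can be confirmed before replacing or suppressing.
set -eu

# Returns 0 if the PEM certificate in $1 is self-signed: issuer DN equals
# subject DN and the certificate validates with itself as the only trust
# anchor. Returns 1 for a certificate issued by a separate CA.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ] || return 1
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Saves the leaf certificate that $1:$2 presents (SNI = $1) to the file $3.
# This is the certificate actually bound to the service, which may differ
# from the one an administrator believes was installed.
fetch_leaf() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM >"$3"
}

# Returns 0 if the served chain is complete and ends at a CA in the local
# trust store. -verify_return_error aborts the handshake on any verification
# error, so a CA-issued leaf served without its intermediates is reported
# as a failure (the "chain is incomplete" case).
chain_ok() {
  openssl s_client -connect "$1:$2" -servername "$1" \
    -verify_return_error </dev/null >/dev/null 2>&1
}

# Runs the checks for one host and prints a one-line verdict.
check_host() {
  tmp=$(mktemp)
  fetch_leaf "$1" "$2" "$tmp"
  if is_self_signed "$tmp"; then
    echo "$1:$2 self-signed certificate (finding is valid: replace or suppress)"
  elif chain_ok "$1" "$2"; then
    echo "$1:$2 trusted CA, complete chain (rerun the scan; check the binding)"
  else
    echo "$1:$2 CA-issued but chain does not validate (install intermediates)"
  fi
  rm -f "$tmp"
}

# Example invocation against a placeholder firewall management interface:
# check_host fw.example.internal 443
```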


Summary

TLS certificate compliance detections in Cyrisma typically indicate the use of self-signed or untrusted certificates. The preferred resolution is to replace the certificate with one issued by a trusted CA. If a self-signed certificate is required for operational reasons, the detection can be suppressed with the understanding that the underlying compliance requirement is not being met.