SSL management for whole cluster to pass PCI DSS 4.0

Kosta

Hello, I am looking at https://www.sectigo.com/enterprise-solutions/certificate-manager/private-pki

To manage all SSL certificates for my cluster, but I am not sure really what I am doing…
All I need is to be able to secure all my servers in the cluster/s so all servers to be passing PCI DSS 4.0 etc.

Can I have some advice please

Thanks

ecknz

Kosta take a look at the Cloudflare docs on implementing PCI DSS at zone level or per hostname if your using their DNS. I'm not sure if you change ciphers and settings required in Enhance they will be overwritten with updates, for that you would need to check with support.

Would be great to see an option in the CLI to enable PCI compliance settings like in Plesk.

prismweb

PCI DSS 4.0 compliance is way more than just SSL/TLS management. Enhance already has SSL handling built-in, and the Sectigo Certificate Manager you linked to is really just an enterprise tool for centralizing SSL across multiple servers, it’s not required for PCI compliance, nor does it address the broader security requirements of PCI DSS.

PCI compliance involves securing the entire environment, including firewalls, network segmentation, intrusion detection, vulnerability management, access controls (MFA, least privilege), encrypted storage, logging, and real-time monitoring. SSL/TLS is just one piece of the puzzle.

If your goal is to meet PCI DSS 4.0, you really need a server administrator who understands PCI requirements to properly configure everything. It’s not just about having SSL certificates in place, it’s about securing the infrastructure as a whole.

Kosta

ecknz yeah will be nice to have toggle button to enable pci DSS compliance in enhance

Kosta

I couldn’t pass pci DSS only because I am using let’s encrypt ssls, all others requirements I pass but only ssl I fail because I need central manager for ssl for enterprise not only on main website but on servers too

prismweb

I don't think you understand why you failed PCI. Let's Encrypt SSLs are PCI compliant as long as:

TLS 1.2/1.3 is enforced.
Strong ciphers are used.
The certificate is monitored and renewed properly.

Kosta

prismweb how then to monitor and update automatically all server and enforce strong ciphers and enforce tls 1.2-1.3

webnestify

Kosta That is job for the webservers, not for the panel software.

You can do it easily in Litespeed admin dashboard (OLS or LSE).

https://media.webnestify.io/DeFe9/MicOLUQo11.png

You need to tell listeners to disable weak TLS and old cyphers.

Kosta

webnestify nice one, I added yesterday HsTS into htaccess file I do this today and. I think I should pass it now.
Well it be very nice to have this options at Security tab on enhance panel to enhance security let’s say at server level for all kind of web servers… anyway is empty tab now
Thank you

webnestify

Kosta Would be nice, indeed, but there are way more important things for Enhance to tackle 🙂

Kosta

webnestify why the settings for tls 1.2 1.3 doesn’t persist? I tick them then couple days later nothing ticket…
I’ve been restarting lse after each change in settings…
Any guess?

Kosta

Only 2 vulnerabilities left to be sorted so far XSS and web server LSE crashing… nearly there…

webnestify

Kosta Not sure tbh. On my servers it persist..Are you on v11/v12 ?

Kosta

webnestify only the boxes are not ticked however settings are persistent.. yh

Kosta

But I don’t know what to type onto chippers box … I’ve seen it somewhere and I lost the link there was like ! Symbols with: etc

Kosta

Any sysadmin playing dota ?

twest

Kosta haven't played in like 8 years lol... I'm currently enjoying supremacy1914. It's like Risk boardgame, but graphical and more detailed resource management.

Kosta

twest first time I hear about it. Not my type