IGA Xpress: Resolving VA alerts for invalid certificates on iga-appserver and iga-balancer



Article ID: 434395


Products

CA Identity Manager CA Identity Suite CA Identity Portal CA Identity Governance

Issue/Introduction

Vulnerability Assessment (VA) scans report "invalid," "self-signed," or "untrusted" SSL/TLS certificates for the iga-appserver and iga-balancer components.

The scan report may also state that the certificate chain presented by the listener does not anchor to a trusted Certificate Authority (CA).

Environment

IGA Xpress v15

Cause

By default, Symantec IGA Xpress generates self-signed certificates during the initial deployment so that the solution works out of the box without any PKI preparation.

Because these certificates are self-signed rather than issued by the organization's trusted CA, internal security scanners (and any client that validates the chain) will flag them as invalid.

Resolution

Replace the default self-signed certificates with custom certificates signed by a trusted Certificate Authority.

  1. Generate Custom Certificates: Obtain new certificates for both the appserver and the balancer from your internal or public trusted CA. The certificate's Subject Alternative Name must match the hostname the scanner connects to, otherwise the scan will still report a name mismatch.
  2. Include the Full Chain: When installing the certificates, ensure the full CA chain, including any intermediate CAs, is installed alongside the server certificate. Scanners will continue to report errors if the path presented by the listener does not chain to a trust anchor in their trust store, even when the server certificate itself was issued by a trusted CA.
  3. Follow the Custom Server Certificates documentation to import the certificates into IGA Xpress.
  4. Restart Services
    igactl restart {service_name* | all | xpress}

service_name* is one of {balancer, imcs, idg, idm, idp, impd, impr, imps, suite, ustore, urouter, uproxy}, where
imcs = Connector Server; idg = Identity Governance; idm = Identity Manager; idp = Identity Portal; impd = Provisioning Directory; impr = Provisioning Router; imps = Provisioning Server; ustore = User Store; urouter = User Store Router; uproxy = User Store Proxy
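The following added example (it is not Broadcom's code and not part of IGA Xpress) shows why step 2 matters: it builds a throwaway root CA, issuing CA and server certificate in memory and runs the same path validation a scanner performs against a trust store that holds only the root. The default self-signed certificate fails, a CA-issued certificate served without its intermediate also fails, and only the full chain validates. The hostname iga-balancer.example.internal, the CA names and the PresentedChain helper (which fetches what a listener actually sends, for checking the balancer after the restart) are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // serial counter for the constructed throwaway PKI

// newCert issues a certificate for cn. With parent == nil it is self-signed, which is
// how the default IGA Xpress deployment certificates are produced.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // CAs must be allowed to sign certificates
	} else {
		tmpl.DNSNames = []string{cn} // SAN must match the scanned hostname
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyChain validates leaf for host the way a scanner does: intermediates are taken
// from what the server presents, roots are the scanner's trust store.
func VerifyChain(leaf *x509.Certificate, intermediates, roots []*x509.Certificate, host string) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:       host,
		Roots:         rootPool,
		Intermediates: interPool,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// ChainChecks holds the validation result for each situation a VA scan can encounter.
type ChainChecks struct {
	SelfSigned, MissingIntermediate, FullChain error
}

// RunChecks builds root -> issuing CA -> server certificate for host and validates
// the default self-signed cert, the CA-issued cert without its intermediate, and the full chain.
func RunChecks(host string) (ChainChecks, error) {
	root, rootKey, err := newCert("Example Corp Root CA", true, nil, nil)
	if err != nil {
		return ChainChecks{}, err
	}
	inter, interKey, err := newCert("Example Corp Issuing CA", true, root, rootKey)
	if err != nil {
		return ChainChecks{}, err
	}
	leaf, _, err := newCert(host, false, inter, interKey)
	if err != nil {
		return ChainChecks{}, err
	}
	selfSigned, _, err := newCert(host, false, nil, nil)
	if err != nil {
		return ChainChecks{}, err
	}
	trusted := []*x509.Certificate{root} // the scanner trusts only the root, never the intermediate
	return ChainChecks{
		SelfSigned:          VerifyChain(selfSigned, nil, trusted, host),
		MissingIntermediate: VerifyChain(leaf, nil, trusted, host),
		FullChain:           VerifyChain(leaf, []*x509.Certificate{inter}, trusted, host),
	}, nil
}

// PresentedChain returns the certificates a listener actually sends (e.g. "iga-balancer:443").
// Verification is skipped for the fetch only, so a broken chain can still be inspected;
// feed the result (leaf first, then intermediates) to VerifyChain with your real trust anchors.
func PresentedChain(addr string) ([]*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates, nil
}

func main() {
	res, err := RunChecks("iga-balancer.example.internal") // assumed hostname
	if err != nil {
		panic(err)
	}
	fmt.Println("default self-signed:    ", res.SelfSigned)
	fmt.Println("missing intermediate:   ", res.MissingIntermediate)
	fmt.Println("full chain to trusted CA:", res.FullChain)
}
```

The "missing intermediate" case is the one that surprises teams after a certificate replacement: the new certificate is genuinely CA-issued, but the listener serves it alone, so a scanner that does not fetch intermediates itself still reports an untrusted chain. Comparing the output of PresentedChain against the chain file you imported, before and after the igactl restart, confirms that the balancer and appserver are actually serving the new chain.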

Additional Information

For detailed technical requirements on certificate formats, file placement and chain ordering, refer to the Broadcom TechDocs: Custom Server Certificates.