
HTTPS SSL CA deployment

Hi All,

I've decided to give HTTPS scanning a go; however, when deploying the certificate via GPO it's only intermittently working. Sometimes it gets removed, etc., or even though it's there, the websites still give a security alert page in Chrome.

I'm using a Cyberoam CR50ing and many different client sites.

Keen to understand how people with hundreds of computers are deploying the SSL CA to machines. What's the best way without manually importing it to every single computer?

 

Thanks



  • To distribute the proxy CA to the default Windows cert store we use GPO.

    Never seen a CA error with IE.

    Firefox will be able to use the MS cert store soon.

    Don't know how reliably Chrome works.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.
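    Dirk's approach (push the proxy CA into the machine's Trusted Root store with a GPO) is easy to verify from a client that is misbehaving. The PowerShell below is an added example, not code from this thread or from Sophos. It assumes you know the proxy CA's SHA-1 thumbprint (the value in the script is a placeholder) and checks four things: whether the CA is in the machine store, whether it is only in the per-user store, whether Group Policy (rather than a manual import) delivered it, and whether a Firefox enterprise policy tells Firefox to honour the Windows store. That Firefox policy is a registry setting that arrived in later Firefox versions than the ones this thread was written about, so on older Firefox it will simply report false.

```powershell
# Added example, not from the thread. Verifies that a GPO-pushed proxy CA
# actually reached this client. Run in an elevated prompt on a problem machine.
# ASSUMPTION: $Thumbprint is the SHA-1 thumbprint of your proxy CA; the value
# below is a placeholder, not a real certificate.
param([string]$Thumbprint = '0000000000000000000000000000000000000000')

function Test-ProxyCaDeployed {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # Thumbprints copied from certmgr often carry spaces or colons; normalise.
    $t = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # The Cert: drive is a merged view. LocalMachine\Root is what the
    # "Trusted Root Certification Authorities" GPO populates; CurrentUser\Root
    # is where a manual double-click import usually ends up.
    $machine = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $t }
    $user    = Get-ChildItem Cert:\CurrentUser\Root  | Where-Object { $_.Thumbprint -eq $t }

    # Group Policy writes the root certificates it delivers under this key.
    # Present in the store but absent here means it was imported by hand.
    $gpoKey = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$t"

    # Firefox ignores the Windows store unless told otherwise. Newer Firefox
    # builds (after this thread) read this policy value; 1 means "import roots".
    $ffPolicy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\Certificates' `
                                 -Name ImportEnterpriseRoots -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Thumbprint            = $t
        InMachineRoot         = [bool]$machine
        InUserRoot            = [bool]$user
        DeliveredByGPO        = Test-Path $gpoKey
        NotAfter              = if ($machine) { $machine.NotAfter } else { $null }
        FirefoxEnterpriseRoot = ($ffPolicy.ImportEnterpriseRoots -eq 1)
    }
}

$result = Test-ProxyCaDeployed -Thumbprint $Thumbprint
$result | Format-List

if (-not $result.DeliveredByGPO) {
    # The CA GPO is a computer setting; if it never applied, check scope first.
    Write-Warning 'CA not delivered by policy. Check computer GPO scope with: gpresult /scope computer /r'
}
if (-not $result.InMachineRoot -and $result.InUserRoot) {
    Write-Warning 'CA is only in the per-user store: other users on this machine will get certificate warnings.'
}
```

    A machine that reports InMachineRoot true but DeliveredByGPO false was set up by hand, and the next time someone "cleans up" the store the cert is gone; a machine that reports both false has a GPO scoping or filtering problem, which is what the `gpresult` command in the warning is for.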

  • Hi, Nicola, and welcome to the UTM Community!

    Although it doesn't answer this question directly, you might see something in Configuring HTTP/S proxy access with AD SSO that gives you an idea. The article is aimed at Standard mode, but 98% of it applies to Transparent mode, too.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • The CA GPO is a machine setting, and may not take effect until a reboot. At minimum, you need to verify whether the problem machines are in scope, using Results Modelling.

    It is a policy setting, so the cert goes away if the policy setting is disabled or the machine goes out of scope.

    Chrome and IE will both work well if policy is deployed correctly.

    Firefox uses a per-user certificate chain, and the system certificate store is ignored. PolicyPak is an extra-cost product which fixes the problem with Firefox, along with other nice features.

    HTTPS inspection enforces certificate chains very strictly, so I recommend building a log parsing tool to find certificate failures. (Look for action="block" with an empty string in the error="" clause.) Hopefully UTM will get smarter in v9.5.
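    For the log parsing tool the post above recommends, here is an added PowerShell example; it is not code from this thread or from Sophos. It parses UTM-style `key="value"` http.log lines, keeps the entries with action="block" and an empty error field (the heuristic from the post, nothing more), and tallies them per destination host so the sites that need an HTTPS-scanning exception stand out. The sample lines are constructed for illustration and carry only the fields the script looks at; real lines carry many more, which the regex simply passes through.

```powershell
# Added example (not from the thread or Sophos). Finds HTTPS-inspection blocks
# that carry no error text, the pattern the post above associates with
# certificate chain failures, and tallies them per destination host.

function ConvertFrom-UtmLogLine {
    # UTM writes one key="value" pair per field; pull them all into an object.
    param([Parameter(Mandatory)][string]$Line)
    $fields = [ordered]@{}
    foreach ($m in [regex]::Matches($Line, '(\w+)="([^"]*)"')) {
        $fields[$m.Groups[1].Value] = $m.Groups[2].Value
    }
    [pscustomobject]$fields
}

function Find-SuspectedCertFailures {
    param([Parameter(Mandatory)][string[]]$Lines)

    $Lines |
        Where-Object { $_ -match 'action="block"' } |       # cheap pre-filter before parsing
        ForEach-Object { ConvertFrom-UtmLogLine $_ } |
        Where-Object {
            # Only lines that actually have an error field, and it is empty.
            $_.action -eq 'block' -and
            $_.PSObject.Properties['error'] -and $_.error -eq ''
        } |
        ForEach-Object {
            # Group by the host the client asked for; fall back to dstip if the URL is unusable.
            $h = try { ([uri]$_.url).Host } catch { $null }
            if (-not $h) { $h = $_.dstip }
            [pscustomobject]@{ Host = $h; User = $_.user; SrcIp = $_.srcip }
        } |
        Group-Object Host |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Host    = $_.Name
                Blocks  = $_.Count
                Clients = ($_.Group.SrcIp | Sort-Object -Unique) -join ','
            }
        }
}

# Constructed sample lines in the UTM key="value" style (not real traffic).
# Two empty-error blocks for one host, one pass, one block with an error text.
$sample = @(
    '2017:01:10-09:12:33 utm httpproxy[4711]: severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="10.0.0.5" dstip="203.0.113.10" user="alice" statuscode="403" url="https://pinned.example.com/" error=""',
    '2017:01:10-09:12:35 utm httpproxy[4711]: severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="10.0.0.6" dstip="203.0.113.10" user="bob" statuscode="403" url="https://pinned.example.com/" error=""',
    '2017:01:10-09:12:36 utm httpproxy[4711]: severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.0.0.5" dstip="198.51.100.7" user="alice" statuscode="200" url="http://www.example.net/" error=""',
    '2017:01:10-09:12:40 utm httpproxy[4711]: severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="10.0.0.7" dstip="192.0.2.9" user="carol" statuscode="403" url="http://games.example.org/" error="category blocked"'
)

# On the constructed sample this reports pinned.example.com with 2 blocks from 10.0.0.5,10.0.0.6.
Find-SuspectedCertFailures -Lines $sample | Format-Table -AutoSize

# To run against a log downloaded from WebAdmin instead:
# Find-SuspectedCertFailures -Lines (Get-Content .\http.log) | Format-Table -AutoSize
```

    The empty-error rule is deliberately loose: it also catches blocks that have nothing to do with certificates but simply logged no reason, so treat the output as a candidate list to check against the client's browser error before adding a scanning exception for a host.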