
Custom ROOT Ca

What are the steps to set up the web appliance to use a custom CA as root CA while enabling HTTPS scanning?

I've read that the only method to use a custom root certificate is to configure it as a subordinate of the enterprise CA.

But how do I generate the request file for a subordinate CA to be passed to the root CA?

thanks



  • In short, it is just not worth it.

    HTTPS scanning peels off a new certificate for every connection it decrypts and scans. The appliance has its own signing authority CA. In theory you could go buy your own trusted signing authority, but you're talking a lot of $$. You could always generate your own signing authority, but again, it's still going to be self-signed, so there is not really any point.

    The best you can reasonably get away with is a $5 cert for the UI. In all honesty there is no point.


    The only networks you're going to do HTTPS scanning on will be under the authority of AD, and trying to decrypt and scan, say, a public wifi is futile, as adding it to handhelds and getting people to accept it is not going to happen.

    I would recommend HTTPS scanning on your wired network: push out the appliance's root as a trusted root authority in the browser with GPO, and have a completely separate appliance for your unsecured wifi or other networks that do not require decrypt and scan.

    Unfortunately HTTPS scanning is either on or off, even with clustered appliances. You cannot toggle scanning for network X or network Y. However, the UTM can be set up to do so, but it does not have all the features of a web appliance.

  • Hello Red_Warrior

    In short

    If there's an option to use a custom CA, I think there should be a way to configure it.

    Thanks

  • configuration / system / certificates


    Certificate authority is for HTTPS scanning.

    UI & Portal is for the admin UI and "block" pages etc.


    Click on Custom.

    Paste in your files. The appliance will reject anything that is incomplete, not chained correctly/out of order, in PEM format or invalid in any way.

  • You're not answering my question.

    I'm asking how to generate the CSR to be submitted to the ROOT CA to have the appliance be a SUB CA; that is how it is supposed to work.

    best regards

  • You can use openssl to generate a CA and present that to a CA to be signed, or complete the entire process through a CA directly.

    The appliance cannot initiate a CSR as an email appliance can.