HTTPS decrypt and scan using Letsencrypt wildcard cert?

Question

Does anyone know how i can use my Letsencrypt wildcard cert for XG HTTPS scanning?? Ive got the cert installed and it works for everything but HTTPS scanning, I cant see how i can get the cert to show in the HTTPS scanning dropdown? 
 Can someone point me in the right direction please?? 
 basically i want to use a cert that for HTTPS scanning that wont require a cert install on my clients. 
 JK

LuCar Toni · Accepted Answer

I am quite sure. This is a common question, because everybody wants it. You could do https scanning without need to push a cert to clients and you could scan guest networks.

Michael Dunn · Answer

How it works: If HTTPS scanning is off, the XG can see the domain name that you are connecting to and do categorization on it. If it is allowed then the everything else is inside an encrypted tunnel and the XG knows nothing and can do nothing. If HTTPS scanning is on, then the XG does man-in-the-middle to decrypt all traffic. Clients will throw up warnings unless the Certificate Authority is installed on them (they warn because someone can man-in-the-middle, exactly what we are doing). Doing HTTPS scanning does not make you more vulnerable to other MITM attacks - though in theory if the XG was insecure (you didn't have strong passwords and someone logged in as admin) then an attacker could leverage the XG. But at that point you have bigger issues than the fact they can see inside the https traffic. 
 
 If you have AV scanning on your endpoint, it is perfectly fine so also scan on the XG. There is no problem with scanning twice (aside it taking longer), and in fact you can specifically turn on a second independant AV scanner within the XG. Some people like to have Single Scan with the Avira engine on the XG and then Sophos AV on the endpoint, with the concept that two different scan vendors are better. 
 If your concern is blocking access to categories of websites, then in general HTTPS scanning is not required. With no HTTPS scanning, the XG can do categorization of the domain name but not of the full URL, which is good enough for most. 
 
 If your concern is malware and you don't have an anti-virus scanner on every computer, then you should have HTTPS decryption so that the XG can run AV scanning on everything. 
 
 If your concern is blocking the download of certain file types, you will need HTTPS scanning. 
 
 If your concern is application control, you will be able to control much more with HTTPS scanning. 
 
 If you control every computer that connects to your network then it is easy to deploy a CA to them all. If you control every phone and use a corporate phone management you can deploy a CA as well. If you have guest networks it is harder. But then if you have guest networks that means you may have endpoints without AV and therefore want the scanning on. 
 
 Everything is a trade off.

LuCar Toni · Answer

https://community.sophos.com/kb/en-us/132997 
 Should be here for everybody. 
 Must Read!

LuCar Toni · Answer

Hi, 
 simple answer: It is not possible to use a public wildcard ca for https. 
 detailed answer: https://community.letsencrypt.org/t/has-anyone-ever-set-up-a-transparent-https-proxy-with-lets-encrypt/47020 
 You would need a CA with privat key to create a certificate for every domain on earth. 
 Basically you would be possible to do man-in-the-middle inspection for every client, cause every client trust you. And at this point, we can stop using TLS/SSL at all.

LuCar Toni · Answer

Funny point: You are not able to get any CA to do https scanning, even if you Pay X million dollar. 
 
 To take a closer look into this: You need to buy a public CA! You would have to go to a root ca and ask them to give you their privat key. I think, they won&acute;t do it, isnt it? 
 You need to have a CA, which can create a certificate for google.com for example. And every client on earth would trust you. 
 
 You can only use "self signed" CAs(like from your microsoft domain) or the onboard SSL CA.