I’ve noticed that some sites subjected to TLS inspection still present valid certificates from reputable CAs without generating on-the-fly appliance certificates. This behavior seems unusual because, typically, I would expect the appliance to generate and present its own certificate for inspection purposes.
It almost seems as if the firewall vendor has direct access to the private keys or uses a special integration with CAs. How is it possible for these sites to maintain a valid chain of trust and not show appliance-generated certificates during TLS inspection? Is there a specific method or policy that allows this, or does it involve a direct integration with public CAs?
Added TAGs
[edited by: Raphael Alganes at 11:15 PM (GMT -7) on 29 Aug 2024]
