
Understanding TLS Inspection and Valid Certificate Presentation: How Do Some Sites Avoid Appliance-Generated Certificates?

I’ve noticed that some sites subjected to TLS inspection still present valid certificates from reputable CAs without generating on-the-fly appliance certificates. This behavior seems unusual because, typically, I would expect the appliance to generate and present its own certificate for inspection purposes.

It almost seems as if the firewall vendor has direct access to the private keys or uses a special integration with CAs. How is it possible for these sites to maintain a valid chain of trust and not show appliance-generated certificates during TLS inspection? Is there a specific method or policy that allows this, or does it involve a direct integration with public CAs?

[edited by: Raphael Alganes at 11:15 PM (GMT -7) on 29 Aug 2024]