
Web Protection With Subordinate CA

I was researching the idea of using a subordinate CA in Web Protection for HTTPS decryption and scanning. The idea behind this is that, instead of trying to deploy/re-deploy a new certificate for this to function, I would use a subordinate CA created using the root CA that is already trusted on my network. See the following links for details regarding other web appliances:

https://www.websense.com/content/support/library/web/v76/wcg_help/ssl_sub_ca.aspx

Here is a link from GoDaddy, just for informational purposes:

https://www.godaddy.com/help/what-is-an-intermediate-certificate-868

In any event, I attempted this with a generically named cert, a wildcard cert, and a cert with the FQDN of my UTM. Unsuccessful. I still get certificate errors when browsing secure websites with SSL decrypt and scan enabled. Is the SSL decryption and scanning engine so fundamentally different in its implementation that this does not work, or is that actually a bug?


It would be nice to get this working since it means not having to deploy/re-import another certificate through the network.



  • If I understand what you want, have you tried to upload the trusted root CA - on the 'HTTPS CAs' tab?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Yes, the trusted root CA is uploaded to the UTM. One note is that I have two, the old and the new one, as I re-generated the trusted root certificate with a stronger signature. I tried disabling the old one as a test, but same result.
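
The subordinate-CA approach described in the opening post can be checked offline with OpenSSL. The script below is an added example, not part of the original thread and not Sophos UTM code: it builds a throwaway root, an issuer signed by that root, and a leaf signed by the issuer, then verifies the leaf while trusting only the root. All names, lifetimes and the `chain_verifies` helper are assumptions; it shows that the issuer's `basicConstraints`, not its subject name, decides whether clients accept what it signs.

```bash
#!/usr/bin/env bash
# Constructed lab PKI; every name, path and lifetime here is an assumption.
set -e

new_csr() {  # new_csr <basename> <CN>: fresh key plus CSR in $work
  openssl req -new -newkey rsa:2048 -nodes -keyout "$work/$1.key" \
    -subj "/CN=$2" -out "$work/$1.csr" 2>/dev/null
}

sign() {  # sign <subject> <issuer> <extension line>; issuer == subject self-signs
  printf '%s\n' "$3" > "$work/ext.cnf"
  if [ "$1" = "$2" ]; then
    openssl x509 -req -in "$work/$1.csr" -signkey "$work/$1.key" -days 30 \
      -extfile "$work/ext.cnf" -out "$work/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$work/$1.csr" -CA "$work/$2.pem" -CAkey "$work/$2.key" \
      -CAcreateserial -days 30 -extfile "$work/ext.cnf" -out "$work/$1.pem" 2>/dev/null
  fi
}

# Build root -> issuer -> leaf with the issuer's basicConstraints set to $1,
# then verify the leaf while trusting only the root (as a client would).
chain_verifies() {
  work=$(mktemp -d)
  new_csr root "Lab Root CA";        sign root root "basicConstraints=critical,CA:TRUE"
  new_csr issuer "Lab Proxy Issuer"; sign issuer root "basicConstraints=critical,$1"
  new_csr leaf "www.example.test";   sign leaf issuer "subjectAltName=DNS:www.example.test"
  rc=0
  openssl verify -CAfile "$work/root.pem" -untrusted "$work/issuer.pem" \
    "$work/leaf.pem" >/dev/null 2>&1 || rc=$?
  rm -rf "$work"
  return "$rc"
}

# Same root, same names; only the issuer's CA flag differs between the two runs.
for bc in "CA:TRUE,pathlen:0" "CA:FALSE"; do
  if chain_verifies "$bc"; then echo "issuer $bc: leaf accepted"
  else echo "issuer $bc: leaf rejected"; fi
done
```

To inspect an existing certificate for the same property, `openssl x509 -in cert.pem -noout -text` lists its basic constraints under "X509v3 extensions".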
