
Web Protection With Subordinate CA

I was researching the idea of using a subordinate CA in Web Protection for HTTPS decryption and scanning.  The idea behind this is that, instead of trying to deploy/re-deploy a new certificate for this to function, I would use a subordinate CA created from the root CA that is already trusted on my network.  See the following links for details regarding other web appliances:

https://www.websense.com/content/support/library/web/v76/wcg_help/ssl_sub_ca.aspx

Here is a link from Godaddy regarding just for informational purposes:

https://www.godaddy.com/help/what-is-an-intermediate-certificate-868

In any event, I attempted this with a generically named cert, a wildcard cert, and a cert with the FQDN of my UTM.  Unsuccessful.  I still get certificate errors when browsing secure websites with SSL decrypt and scan enabled.  Is the SSL decryption and scanning engine so fundamentally different in its implementation that this does not work, or is that, actually, a bug?


It would be nice to get this working since it means not having to deploy/re-import another certificate through the network.



  • The pem file I used to create the pfx I uploaded into the Sophos UTM contains both the subordinate CA and the root CA.

    On a lark, I uploaded the certificate to the "Local verification CAs" as well, just for giggles.  No change. 

  • Ok.  I do remember that the cat order is important, as well as doing it in either Linux natively or making sure you are not using Windows mode rather than Unix mode when doing it in Windows.  I assume you probably used Linux, though.  Good luck with it.  I am out of ideas for now.

  • I did swap the CA and the subordinate cert order in the pem file to see if that would work but it did not.  I'm using Windows but I used OpenSSL for Windows to perform all the certificate work, save the actual signing which is done with a Windows CA.  Everything else from the pem, f12, pfx, keys, etc was done with OpenSSL.

    I honestly don't know what you mean by Windows Mode rather than Unix Mode.

    I'm curious if anyone has gotten this to work?  If anyone has a support contract, it would be nice to bring this to the attention of Sophos.  Other web appliances support this method so that you don't have to go around re-doubling your efforts to import ANOTHER certificate to computers and devices on your network.

    It means if you just cat the files using Notepad or something, Linux will not like the file due to the CRLF codes Windows uses that Linux does not.

    Copy the pem files (individually) to the UTM and then cat file.pem >> file2.pem and then use the resulting file2.pem as the certificate to load.
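The two pitfalls raised in the last few posts (certificate order in the concatenated PEM, and CRLF line endings from a file assembled on Windows) can be checked before anything is uploaded. The script below is an added example written for this page, not code from the thread or from Sophos. It builds a throwaway root CA and subordinate CA with OpenSSL so it runs offline (in the real case the root already exists and only the sub-CA CSR is sent to it for signing), then assembles the chain with the issuing CA first and the root last, strips any CR bytes, checks the result, and packs the sub CA plus its chain into a PFX. The helper names, the "Example Root CA"/"Example Sub CA" subjects and the `changeit` password are all made up for the example; it assumes `openssl` (1.1 or 3.x) is in `PATH`.

```shell
#!/bin/sh
# Added example (not from the thread): build, check and package a
# subordinate-CA chain for upload.  All names below are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

write_req_cnf() {  # hypothetical helper: $1 = config file, $2 = CN
  cat > "$1" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = $2
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

make_test_pki() {  # constructed root CA + subordinate CA signed by it
  write_req_cnf root.cnf "Example Root CA"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config root.cnf -extensions v3_ca -keyout root.key -out root.pem 2>/dev/null
  write_req_cnf sub.cnf "Example Sub CA"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config sub.cnf -keyout sub.key -out sub.csr 2>/dev/null
  # The sub CA must carry CA:TRUE and keyCertSign, otherwise nothing it
  # issues (the per-site certs the proxy mints) will validate in a browser.
  cat > sub.ext <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1825 -sha256 -extfile sub.ext -out sub.pem 2>/dev/null
}

build_chain() {  # usage: build_chain OUT CERT... ; issuing CA first, root last
  out=$1; shift
  : > "$out"
  for f in "$@"; do
    tr -d '\r' < "$f" >> "$out"   # drop CRs from files assembled on Windows
  done
}

check_chain() {  # usage: check_chain CHAIN ROOT ; 0 only if upload-ready
  chain=$1; root=$2
  [ "$(tr -cd '\r' < "$chain" | wc -c | tr -d ' ')" -eq 0 ] \
    || { echo "$chain: CRLF line endings present"; return 1; }
  [ "$(grep -c 'BEGIN CERTIFICATE' "$chain")" -eq 2 ] \
    || { echo "$chain: expected exactly two certificates"; return 1; }
  # openssl x509 reads only the first cert in the file: it must be the sub CA
  [ "$(openssl x509 -in "$chain" -noout -subject)" != \
    "$(openssl x509 -in "$root" -noout -subject)" ] \
    || { echo "$chain: root CA is first; put the subordinate CA first"; return 1; }
  openssl verify -CAfile "$root" "$chain" >/dev/null 2>&1 \
    || { echo "$chain: first certificate does not chain to $root"; return 1; }
}

make_pfx() {  # usage: make_pfx CERT KEY EXTRA_CAS OUT PASSWORD
  openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" -name "sub-ca" \
    -passout "pass:$5" -out "$4"
}

pfx_cert_count() {  # usage: pfx_cert_count PFX PASSWORD -> number of certs
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

make_test_pki
# Simulate a chain pasted together in Notepad: CRLF endings and root first.
awk '{ printf "%s\r\n", $0 }' root.pem sub.pem > windows_chain.pem
# The correct way: sub CA first, root last, CR bytes removed.
build_chain chain.pem sub.pem root.pem
make_pfx sub.pem sub.key root.pem sub.pfx changeit

for c in windows_chain.pem chain.pem; do
  if check_chain "$c" root.pem; then echo "$c: OK"; fi
done
echo "sub.pfx contains $(pfx_cert_count sub.pfx changeit) certificates"
```

Run it as-is to see `windows_chain.pem` rejected for its CR bytes and `chain.pem` accepted; with a real PKI, skip `make_test_pki`, point `build_chain` at your own sub-CA and root PEM files, and feed the sub-CA key and cert to `make_pfx`. The `-certfile` argument is what puts the root into the PFX alongside the subordinate, which is the form the original poster describes uploading.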