
Web Protection With Subordinate CA

I was researching the idea of using a subordinate CA in Web Protection for HTTPS decryption and scanning.  The idea behind this is that, instead of trying to deploy/re-deploy a new certificate for this to function, I would use a subordinate CA created using the root CA that is already trusted on my network.  See the following links for details regarding other web appliances:

https://www.websense.com/content/support/library/web/v76/wcg_help/ssl_sub_ca.aspx

Here is a link from Godaddy regarding just for informational purposes:

https://www.godaddy.com/help/what-is-an-intermediate-certificate-868

In any event, I attempted this with a generically named cert, a wildcard cert, and a cert with the FQDN of my UTM.  Unsuccessful.  I still get certificate errors when browsing secure websites with SSL decrypt and scan enabled.  Is the SSL decryption and scanning engine so fundamentally different in its implementation that this does not work, or is that, actually, a bug?


It would be nice to get this working since it means not having to deploy/re-import another certificate through the network.



  • Hey, Euphrates.

    I had a similar setup running, and I used the very same document you pointed out to create an intermediate CA. I also had issues due to a misconception that my Windows clients would automatically trust any certificates issued by my Intermediate CA because they already trust the Windows Root CA, but that's not the case. You will have to import the intermediate certificate issued to the UTM as an "Intermediate Certification Authorities" entry on every client for this to work. You can do this by using GPO.

    All in all, the only way to use HTTPS scan and avoid importing a new certificate to your clients is to export your Windows Root CA, import it into the UTM and use it as an HTTPS CA. That is, assuming you are using an Enterprise CA and your clients are automatically receiving your Windows Root CA through AD. If you use a Standalone CA, you will also need to import your Root CA as a "Trusted Root Certification Authorities" entry in any of the cases.

    Regards - Giovani
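An added diagnostic for a Windows client (example code, not from Giovani's post or from Sophos): it installs the exported intermediate into the machine's "Intermediate Certification Authorities" store, fetches the certificate the proxy actually presents for a test site, and reports whether the chain builds to a trusted root. The file path C:\certs\utm-intermediate.cer and the host example.com are placeholders.

```powershell
# Added example: check on a Windows client whether the UTM's intermediate CA is
# installed and whether the leaf presented by decrypt-and-scan chains to a root
# the machine trusts. Path and host below are placeholders (assumptions).
param(
    [string]$IntermediatePath = 'C:\certs\utm-intermediate.cer',   # placeholder
    [string]$TestHost         = 'example.com'                      # placeholder
)

# 1. Put the intermediate into Cert:\LocalMachine\CA, the store Windows shows as
#    "Intermediate Certification Authorities". Needs an elevated shell; the same
#    file can be distributed with GPO instead of running this per client.
$inter = Import-Certificate -FilePath $IntermediatePath -CertStoreLocation 'Cert:\LocalMachine\CA'
Write-Host "Installed intermediate: $($inter.Subject) (thumbprint $($inter.Thumbprint))"

# 2. Retrieve the leaf certificate the proxy hands out for the test site. The
#    callback accepts any certificate only so the fetch succeeds; trust is judged
#    separately in step 3.
$client = [System.Net.Sockets.TcpClient]::new($TestHost, 443)
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
$ssl.AuthenticateAsClient($TestHost)
$leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
$ssl.Dispose(); $client.Dispose()

# 3. Build the chain against the machine stores and explain any failure.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # isolate trust-path problems from CRL/OCSP reachability
$ok = $chain.Build($leaf)
Write-Host "Leaf: $($leaf.Subject) issued by $($leaf.Issuer)"
Write-Host "Chain builds: $ok"
foreach ($el in $chain.ChainElements) {
    Write-Host ("  {0}" -f $el.Certificate.Subject)
}
if (-not $ok) {
    # PartialChain: the issuer (the intermediate) was neither sent by the proxy nor
    # found in any store. UntrustedRoot: the root itself is missing from
    # "Trusted Root Certification Authorities" (the Standalone CA case above).
    $chain.ChainStatus | ForEach-Object {
        Write-Host "  status: $($_.Status) - $($_.StatusInformation)"
    }
}
```

Run it once before and once after the GPO applies; the chain should go from a PartialChain failure to a successful build that lists leaf, intermediate and root.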
