Passthrough SSL Certificate Warning With Browser Authentication

Hi Michael,

The certificate error will splash up until the devices have UTM's CA installed. Even if you buy a third party certificate you must have the CA in the trusted roots.

Thanks

What Sachin is saying is that you need to obtain a certificate for which all Androids, iPhones and laptops will all already have the related CA already in their cert store.

Cheers - Bob

So there's no way around the warning, other than have all devices manually install the CA?  It's not a seamless approach for BYOD devices which is a bit disappointing.

So there's no way around the warning, other than have all devices manually install the CA?  It's not a seamless approach for BYOD devices which is a bit disappointing.

There is not really any way to avoid this.  You cannot get a public CA record that is globally trusted that can act on behalf of every domain you visit.  If you think about it a little bit, you can see why this would be a bad idea.  Every SSL scanning product I have used requires you to install a trusted CA of their own device in order to accomplish it.

Resurrecting this from a few months ago.  I've recently purchase a wildcard ssl cert and uploaded this to the UTM.  It's working well for some of my web apps with WAF.  I've been looking at the Customer Certificate for End User Pages option in Web Protection --> Filtering Options --> Misc and I've changed the default ssl to my wildcard one, then created forward lookup zones in my DNS for passthrough.basedomain and passthrough6.basedomain so they point to 213.144.15.19, as suggested in the help.  I now seem to be able to have BYOD devices that can authenticate, via the splash page, without any trust issues/insecure certificates.

Even though both Sachin and I said it would work, it's nice that you confirmed that for others here, Michael.  I marked your post as the answer - thanks!

Cheers - Bob