
HTTPS SSL CA deployment

Hi All,

 

I've decided to give HTTPS scanning a go; however, when deploying the certificate via GPO it's intermittently working. Sometimes it gets removed etc., or even though it's there, the websites are still giving a security alert page on Chrome.

 

I'm using Cyberoam CR50ing and many different client sites.

 

Keen to understand how people with hundreds of computers are deploying the SSL CA to machines? What's the best way without manually importing it to every single computer?

 

Thanks



This thread was automatically locked due to age.
  • The CA GPO is a machine setting, and may not take effect until a reboot. At minimum, you need to verify whether the problem machines are in scope, using Results Modelling.

    It is a policy setting, so the cert goes away if the policy setting is disabled or the machine goes out of scope.

    Chrome and IE will both work well if policy is deployed correctly.

    Firefox uses a per-user certificate chain, and the system certificate store is ignored. Policy Pak is an extra-cost product which fixes the problem with Firefox, along with other nice features.

    HTTPS inspection enforces certificate chains very strictly, so I recommend building a log parsing tool to find certificate failures. (Look for action="block" with an empty string in the error="" clause.) Hopefully UTM will get smarter in v9.5.
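
The log filter suggested in the reply above, as an added example that is not part of the original thread: it selects lines with action="block" and an empty error="" value and counts them per client and destination. Only the action and error fields come from the thread; the srcip and url field names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# key="value" pairs, the style implied by action="block" and error="" above.
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_fields(line):
    """Return the key="value" pairs of one log line as a dict."""
    return dict(PAIR_RE.findall(line))

def is_suspect(fields):
    """Blocked request whose error field is present but empty.
    A line with no error field at all is not counted."""
    return fields.get("action") == "block" and fields.get("error") == ""

def summarize(lines, client_key="srcip", dest_key="url"):
    """Count suspect blocks per (client, destination).
    client_key and dest_key are assumed field names; adjust to the real log."""
    counts = Counter()
    for line in lines:
        fields = parse_fields(line)
        if is_suspect(fields):
            counts[(fields.get(client_key, "?"), fields.get(dest_key, "?"))] += 1
    return counts

# Constructed sample lines, not real appliance output.
SAMPLE_LOG = [
    'action="pass" srcip="10.0.0.5" error="" url="https://example.com/"',
    'action="block" srcip="10.0.0.5" error="" url="https://intranet.example.test/"',
    'action="block" srcip="10.0.0.5" error="" url="https://intranet.example.test/"',
    'action="block" srcip="10.0.0.7" error="Connection refused" url="https://down.example.test/"',
    'action="block" srcip="10.0.0.8" url="https://noerror.example.test/"',
    'action="block" srcip="10.0.0.9" error="" url="https://app.example.test/"',
]

if __name__ == "__main__":
    # Most frequent pairs first: these are the sites to check for chain problems.
    for (client, dest), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {client:15s}  {dest}")
```

Grouping by client and destination separates a single machine that is missing the CA from a destination that fails for every client.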
