This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Custom ROOT Ca

Which are the steps to set up the web appliance to use a custom CA as ROOT CA while enabling the HTTPS Scanning ?

I've read the only method to use a custom Root certificate is to configure it as subordinate of the enterprise CA .

But how do I generate the request file for a subordinate CA to be passed to the Root CA ?

thanks



This thread was automatically locked due to age.
Parents
  • In short, It is just not worth it.

    Https scanning peels off a new certificate for every connection it decrypts and scans.  The applaince has its own signing authority CA.. In theory you could go buy your own trusted signing authority .. but your talking a lot of $$..  You could always generate your own signing authority ..  but again .. it's still going to be self signed so there is not really any point.

    Best you can reasonably get away with is a 5$ cert for the UI.  In all honesty there is no point.

     

    the only networks your going to do https scanning are will be under the authority of AD .. and trying to decrypt and scan say a public wifi is futile as adding it to handhelds and getting people to accept it is not going to happen. 

    I would recomend https scanning on your wired network, push out the appliances root as a trusted root authority in the browser with GPO.  and have a completely separate appliance for your unsecured wifi or other networks that do not require decrypt and scan.

    unfortunately https scanning is either on or off, even with clustered appliances.   You can not toggle scanning for network X or network Y .  However the UTM can be set up to do so, but it does not have all the features of a web appliance. 

  • Hello Red_Warrior

    In short

    If there's an option to use  a custom  CA I think there should be a way to configure it

    Thanks

Reply Children