topic Re: Inbound HTTPS Inspection - Importing Certificate in General Topics

Inbound HTTPS Inspection - Importing Certificate

Digo11 — Mon, 27 Mar 2023 06:42:55 GMT

Hello Experts.

I am trying to perform inbound HTTPS inspection; I do not have any private key password assigned to the certificate (wildcard certificate). While trying to import the internal server certificate for the inbound rules, I cannot import the certificate without providing the password.

Is there a way to skip/bypass the private key password section? It shows an error when I try to skip the password section.

*Note: When I provide the export password of the certificate in the private key password section, it accepts and imports the certificate.

Thanks in advance!!

Regards,

Digo.

Re: Inbound HTTPS Inspection - Importing Certificate

Sorin_Gogean — Mon, 27 Mar 2023 19:34:30 GMT

Hello @Digo11 ,

Not sure if you were kidding when you asked for "a way to skip/bypass the private key " 🙂.

From CKP HTTPS Inspection documentation, we have the below paragraph explaining what is need:

When a client from outside the organization initiates an HTTPS connection to an internal server, the Security Gateway intercepts the traffic. The Security Gateway inspects the inbound traffic and creates a new HTTPS connection from the gateway to the internal server. To allow HTTPS Inspection, the Security Gateway must use the original server certificate and private key. The Security Gateway uses this certificate and the private key for SSL connections to the internal servers.

Inbound HTTPS Connections

Inbound connections are HTTPS connections that arrive from an external client and connect to a server in the DMZ or the internal network.

Now on your problem, you can't, because when we do INBOUND HTTP Inspection , meaning we decrypt traffic that comes from outside to our DMZ servers, the CKP HAS TO Present itself as the "original server", therefore, in order to do that, the server SSL certificate and the private key, needs to be installed to he can substitute itself into the communication.

As example:

Hopefully is clearer for you now.

Ty,

Re: Inbound HTTPS Inspection - Importing Certificate

the_rock — Mon, 27 Mar 2023 22:51:06 GMT

What @Sorin_Gogean gave pretty much explains it all. Sadly, there is NO way to skip private key portion, thats the whole point actually of this process, otherwise, it would not be secure.

Re: Inbound HTTPS Inspection - Importing Certificate

Digo11 — Tue, 28 Mar 2023 16:07:51 GMT

Hi Sorin_Gogean,

Good day!!

Thanks a lot for explaining the connection flow. Somehow, I was able to import the certificate by entering the "export" password that I had created at the time of exporting the certificate. I had to convert the certificate to .P12 format as it was originally in .PEM format.

I used the certificate for inbound inspection and the traffic is getting inspected as seen in the logs. I will check further and post here if assistance is required.

Thanks!!

Re: Inbound HTTPS Inspection - Importing Certificate

the_rock — Tue, 28 Mar 2023 16:42:09 GMT

Good job! 👍

Re: Inbound HTTPS Inspection - Importing Certificate

the_rock — Tue, 28 Mar 2023 16:47:26 GMT

Here is also a very good reference doc for you. This was given to me by TAC couple of years back, but it explains inspection very well.

Andy

Re: Inbound HTTPS Inspection - Importing Certificate

Sorin_Gogean — Tue, 28 Mar 2023 18:37:05 GMT

Glad it helped @Digo11 😊