Totally valid point.

One could also argue that CA is TECHNICALLY cert authority : - )

Good morning everyone,

Thank you very much for all the answers. I looked at them all and they have already helped me a lot.

For everyone's information, this certificate is being generated by the customer and I don't know how to describe to you how it is being done. I don't know the method used to generate the .p12 file and I don't know if the entire certificate chain is being imported.

So, to answer some questions, again, I don't know if the entire certificate chain is imported with the .p12 file and I don't know if there are basic restrictions on generating this certificate.

According to @the_rock , I also don't see any reason why it wouldn't work, but if you need more information like those mentioned by @PhoneBoy and @Ryan_Ryan , I understand that it really won't work correctly.

I also thanks for @oa_munich !

Guys, one last question, regarding the CA certificate chain, wouldn't this entire "base" of the certificate chain be present in the Manager?

Maybe wording might not be 100% correct, but here is example in my lab. Think of mgmt as actual CA,if you will (certificate authority) and the actual "gw" cert as sub-CA that generates on the fly cert for the clients. I attached screenshots of all this and more than happy to show you in my lab.

Andy

Thanks @the_rock 

Could you describe how did you generate the https certificate?

I think that you generated externally.

What time zone are you in? Im in Canada EST. Lets do remote and I can show you my lab, so you can see...let me know.

Andy

Hi @the_rock

Sorry, but yesterday was a holiday in Brazil.

I would be very welcome if we had a conference and you could show me your lab.

My timezone here is GMT-3 (Brazil time).

Today I will be available at 4pm GMT-3 or tomorrow at 10am GMT-3.

Please let me know if you are okay with it and don't mind my basic level of English.

Dont worry, we all try to do proper grammar and spelling, but in IT world, no offense, people are NOT known for those things LOL

Anyway, you can message me directly and we can set something up. I think you are 2 hours ahead of me, as its 8.43 am here now, so its gmt-5 I believe.

Andy

We can tell quite a bit from the .p12 file itself.
You're welcome to send it to me (zipped) in a PM and I can have a look at it.

Hi @PhoneBoy 

Yes, i can send you.

I´ll send you in couple minutes.

Hi @PhoneBoy 

I have been sent the file to you.

As expected, the certificate provided is NOT a Certificate Authority certificate, but a wildcard certificate for your domain.
This certificate cannot sign certificates for other domains, which is required for HTTPS Inspection to function.

You need a Certificate Authority key to use HTTPS Inspection.
This can be generated from SmartConsole itself:

Or can be generated from any PKI (even via an OpenSSL command line).
A public CA (like GlobalSign) will NOT issue you a CA key that is globally trusted for this purpose.
The CA key must be explicitly configured on the clients as trusted (can be done through GPO or similar). 

On Windows, there is a utility called certutil.exe

If you'd run this, 

certutil -v -dump C:\<your-ca-file>.p12 

and share the output, this will help troubleshoot further.

Specifically, there will be a section Certificate Extensions, and if you will find 1.3.6.1.4.1.311.20.2: Certificate Template Name (Certificate Type): CA or SubCA - it is a kind of a certificate you need.

If it is a server certificate (as I am suspecting), you will find a section 

2.5.29.37: Enhanced Key Usage
Server Authentication (1.3.6.1.5.5.7.3.1)

or

Client Authentication (1.3.6.1.5.5.7.3.2)

then it is the wrong kind of certificate, and you'll need a CA-one.

Its been ages since I used that tool, but really glad you mentioned it, certainly may help in troubleshooting this.

Andy

Hi @oa_munich 

Thanks a lot. I´ll check this information and i let you know soon.