Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Digo11
Contributor
Jump to solution

Inbound HTTPS Inspection - Importing Certificate

Hello Experts.

I am trying to perform inbound HTTPS inspection; I do not have any private key password assigned to the certificate (wildcard certificate). While trying to import the internal server certificate for the inbound rules, I cannot import the certificate without providing the password.

Is there a way to skip/bypass the private key password section? It shows an error when I try to skip the password section.

*Note: When I provide the export password of the certificate in the private key password section, it accepts and imports the certificate. 

Thanks in advance!!

 

Regards,

Digo.

0 Kudos
1 Solution

Accepted Solutions
Sorin_Gogean
Advisor

Hello @Digo11 ,

Not sure if you were kidding when you asked for "a way to skip/bypass the private key 🙂.

From CKP HTTPS Inspection documentation, we have the below paragraph explaining what is need:

When a client from outside the organization initiates an HTTPS connection to an internal server, the Security Gateway intercepts the traffic. The Security Gateway inspects the inbound traffic and creates a new HTTPS connection from the gateway to the internal server. To allow HTTPS Inspection, the Security Gateway must use the original server certificate and private key. The Security Gateway uses this certificate and the private key for SSL connections to the internal servers.

Inbound HTTPS Connections

Inbound connections are HTTPS connections that arrive from an external client and connect to a server in the DMZ or the internal network.

 

Now on your problem, you can't, because when we do INBOUND HTTP Inspection , meaning we decrypt traffic that comes from outside to our DMZ servers, the CKP HAS TO Present itself as the "original server", therefore, in order to do that, the server SSL certificate and the private key, needs to be installed to he can substitute itself into the communication.

As example:

SSL%20Decryption_Fig9

 

Hopefully is clearer for you now.

 

Ty,

View solution in original post

6 Replies
Sorin_Gogean
Advisor

Hello @Digo11 ,

Not sure if you were kidding when you asked for "a way to skip/bypass the private key 🙂.

From CKP HTTPS Inspection documentation, we have the below paragraph explaining what is need:

When a client from outside the organization initiates an HTTPS connection to an internal server, the Security Gateway intercepts the traffic. The Security Gateway inspects the inbound traffic and creates a new HTTPS connection from the gateway to the internal server. To allow HTTPS Inspection, the Security Gateway must use the original server certificate and private key. The Security Gateway uses this certificate and the private key for SSL connections to the internal servers.

Inbound HTTPS Connections

Inbound connections are HTTPS connections that arrive from an external client and connect to a server in the DMZ or the internal network.

 

Now on your problem, you can't, because when we do INBOUND HTTP Inspection , meaning we decrypt traffic that comes from outside to our DMZ servers, the CKP HAS TO Present itself as the "original server", therefore, in order to do that, the server SSL certificate and the private key, needs to be installed to he can substitute itself into the communication.

As example:

SSL%20Decryption_Fig9

 

Hopefully is clearer for you now.

 

Ty,

Digo11
Contributor

Hi Sorin_Gogean,

Good day!!

Thanks a lot for explaining the connection flow. Somehow, I was able to import the certificate by entering the "export" password that I had created at the time of exporting the certificate. I had to convert the certificate to .P12 format as it was originally in .PEM format.

I used the certificate for inbound inspection and the traffic is getting inspected as seen in the logs. I will check further and post here if assistance is required.

Thanks!!

the_rock
Legend
Legend

Good job! 👍

0 Kudos
the_rock
Legend
Legend

Here is also a very good reference doc for you. This was given to me by TAC couple of years back, but it explains inspection very well.

Andy

0 Kudos
Sorin_Gogean
Advisor

Glad it helped @Digo11 😊

0 Kudos
the_rock
Legend
Legend

What @Sorin_Gogean gave pretty much explains it all. Sadly, there is NO way to skip private key portion, thats the whole point actually of this process, otherwise, it would not be secure.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events