Import 2 Different Domain CA for outbound HTTPS inspection certificates
Hi All,
Current Environment Setup:
URL Filtering Enabled
HTTPS Inspection Enabled: Domain A (Signed by Third-Party CA)
There's a scenario where the customer is migrating to new Active Directory domains, so there would be some existing users still in Domain A while some users are migrated to Domain B. Previously, all the users' PCs already had the certificate under Domain A installed, which was exported from the gateway for HTTPS Inspection. However, when migrating the users to the new domain, the users in the new domain are facing a certificate authority invalid issue, which leaves them unable to browse the internet. After checking, we found that the browser certificate is still using the old Domain A, which is why the connection is not trusted, as it is a different domain.
The customer's concern is that if the HTTPS Inspection certificate is renewed to the new Domain B, all the existing users that are still in Domain A might be impacted, where the gateway will not recognize these users. However, without renewing the cert to the new domain, the migrated users are impacted, and they can't browse the internet.
Hence, we would like to know whether it is possible to import 2 different domain CA certs into HTTPS Inspection so that HTTPS Inspection can be applicable to users in two different Active Directory domains. Or is there any workaround for this situation? Kindly please advise. Thank you.
Best Regards,
Keon
I believe it's a planned feature for R82 to support multiple outbound HTTPS certificates.
If you can't wait for that, you will have to look at (for example) deploying the domain B cert out to the domain A PCs as a trusted CA, and then importing that CA into the gateways. You could do it the other way around but then you have to maintain that for every new domain B PC.
Hi emmap,
Does the example you mentioned mean that we are taking the domain B cert to domain A to be acknowledged as a trusted CA and importing it into the gateway, so we have to renew the certificate, export it, and install it on all domain B PCs? Sorry, I'm not so familiar with the CA-signed certificate flow.
By doing this, will existing users not be interrupted by having to install the latest certificate again once renewed?
Best Regards,
Keon
If you're using the domain B CA cert, all the domain B PCs trust it already. That's the benefit of using your AD CA cert for HTTPS inspection. There's no cert renewing happening.
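The trust relationship behind the workaround discussed above, as an added example that is not part of the original thread and does not touch a Check Point gateway: throwaway CAs (constructed names `domainA-ca` and `domainB-ca`) stand in for the two domain CAs, and a leaf signed by the Domain B CA stands in for a certificate generated during outbound inspection. It shows that a client store holding only the Domain A CA rejects the issuer, and that adding the Domain B CA to that store makes the same certificate verify.

```shell
#!/bin/sh
# Constructed lab: throwaway CAs stand in for the Domain A and Domain B CAs.
LAB=$(mktemp -d)
cat > "$LAB/ssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
EOF

# make_ca NAME: self-signed CA certificate, as a client trust store would hold it.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 7 -config "$LAB/ssl.cnf" \
        -subj "/CN=$1" -keyout "$LAB/$1.key" -out "$LAB/$1.pem" 2>/dev/null
}

# issue_leaf CA: server certificate signed by CA, standing in for the
# certificate generated on the fly during outbound HTTPS inspection.
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -config "$LAB/ssl.cnf" \
        -subj "/CN=www.example.test" -keyout "$LAB/leaf.key" \
        -out "$LAB/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$LAB/leaf.csr" -days 7 -CA "$LAB/$1.pem" \
        -CAkey "$LAB/$1.key" -CAcreateserial -extfile "$LAB/ssl.cnf" \
        -extensions leaf -out "$LAB/leaf.pem" 2>/dev/null
}

# trusts STORE: succeeds only if the leaf chains to a CA in STORE (PEM bundle).
trusts() {
    openssl verify -CAfile "$1" "$LAB/leaf.pem" >/dev/null 2>&1
}

make_ca domainA-ca && make_ca domainB-ca && issue_leaf domainB-ca
# Domain A PC after the workaround: its old store plus the Domain B CA.
cat "$LAB/domainA-ca.pem" "$LAB/domainB-ca.pem" > "$LAB/domainA-pc-fixed.pem"

trusts "$LAB/domainA-ca.pem"       || echo "A-only store: untrusted issuer"
trusts "$LAB/domainB-ca.pem"       && echo "B store: trusted"
trusts "$LAB/domainA-pc-fixed.pem" && echo "A store + B CA: trusted"
```
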
Yes, this functionality (allowing multiple outbound CAs for HTTPS Inspection) is in the R82 Public EA:
