BlueGrass
Contributor

Is it possible to use a public CA to perform SSL Inspection for users?

Hello,

I have a question regarding SSL Inspection.

In most cases, we might use a self-signed CA and import the CA and its private key into the Check Point for SSL inspection.

However, the CA always needs GPO or even manual work to import it onto the users' PCs to perform SSL Inspection.

If the users lose the connection to AD, or the PC can't join the domain, they might suffer from SSL errors and need IT's help to import the CA.

I wonder if we can use a public CA, like one signed by GoDaddy, to perform the SSL Inspection so that no SSL error comes up on the users' side.

Thanks.

0 Kudos
9 Replies
Ruan_Kotze
Advisor

Consider what SSL inspection does - you are basically performing a man-in-the-middle attack by generating "fake" certificates and impersonating a website.

So the answer to your question would be no, because then you would need someone like GoDaddy or DigiCert to give you a signing certificate, which in turn will allow you to impersonate other websites.

 

0 Kudos
_Val_
Admin

This is not exactly correct. Depending on your GW TLS inspection settings, you can block sites with untrusted certificates. GW is performing certificate validation here, so security risks are manageable. 

Also, whether it is the GW's own CA or GoDaddy's, the concerns are exactly the same.

0 Kudos
Ruan_Kotze
Advisor

You are correct of course, but in the context of OP's question (use a public CA certificate as opposed to internal self-signed in order to prevent SSL errors on the client side browser) I believe my statement stands.

0 Kudos
_Val_
Admin

Not really. Part of the procedure for outbound HTTPS Inspection is to distribute your GW CA root to the clients and set it as trusted. Hence, when done, all sites will be showing trusted on the client's end, as they are signed by the trusted root.

0 Kudos
Ruan_Kotze
Advisor

Sure - but neither OP nor myself are referring to the GW's CA certificate - their question relates to getting a CA signing certificate from a public CA such as GoDaddy, Verisign etc. to get around the requirement of having to distribute the CA to the client.

If they were to allow that, the whole chain of trust collapses.

0 Kudos
_Val_
Admin

OK, I see your point, and I do agree with that. The way I read the original question was "can I use a third-party CA for outbound HTTPSi", and the answer is yes. 

_Val_
Admin

Yes, it is possible to use a third-party CA for outbound inspection.

0 Kudos
Thomas_Eichelbu
Advisor

Hello,
I think the question is more ...
would a public CA grant you permission to run a sub CA of their root CA in your environment?

If you have a sub CA of, for example, Verisign, you could act as a Verisign CA and create as many certificates as you like ... I bet those folks at Verisign will not like that very much!

🙂

0 Kudos
_Val_
Admin

Very true. Hence the best practice is to use your organization/AD CA, if you need to deploy trusted certs for HTTPSi.

0 Kudos
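The three situations argued over in this thread can be checked with nothing but Go's standard-library X.509 code. The program below is an added example, not code from the thread or from Check Point: it builds constructed roots and certificates in memory (every CA name, key and the hostnames `www.example.com` and `inspection.example.org` are assumptions for the demonstration), mints a certificate for an inspected site the way an HTTPS Inspection gateway does, and then validates it the way a client browser would. The gateway's own CA is trusted only once its root is in the client store, a public-CA server certificate is useless as a signer because it is not authorised to sign, and a sub-CA chained to a public root would be trusted by everyone for every site, which is exactly why no public CA will issue one.

```go
package main
// Added example (not from the thread or from Check Point): an in-memory model of the
// trust chains debated above, Go standard library only. Every name, key and certificate
// here is constructed for the demonstration.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

const inspectedSite = "www.example.com" // assumed: the site the gateway impersonates

// template builds either a CA (allowed to sign certificates) or an end-entity server cert.
func template(cn string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates a key for tmpl and signs it with parentKey under parent (nil parent = self-signed).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func mustRoot(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	c, k, err := issue(template(cn, true), nil, nil)
	if err != nil {
		panic(err)
	}
	return c, k
}

// impersonate mints a certificate for inspectedSite signed by signer, then validates it as a
// browser would against a client store holding only roots: nil = padlock, error = SSL warning.
func impersonate(signer *x509.Certificate, signerKey *ecdsa.PrivateKey, roots ...*x509.Certificate) error {
	leaf, _, err := issue(template(inspectedSite, false), signer, signerKey)
	if err != nil {
		return err // the signer cannot even produce the certificate
	}
	rootPool, interPool, signerIsRoot := x509.NewCertPool(), x509.NewCertPool(), false
	for _, r := range roots {
		rootPool.AddCert(r)
		signerIsRoot = signerIsRoot || r.Equal(signer)
	}
	if !signerIsRoot {
		interPool.AddCert(signer) // the gateway presents its signing cert as the intermediate
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool, DNSName: inspectedSite})
	return err
}

// GatewayCA is the setup the thread describes: the gateway's own self-signed CA. Clients
// accept inspected sites only once that root is in their store (via GPO or by hand).
func GatewayCA() (rootDistributed, rootMissing error) {
	gw, gwKey := mustRoot("Constructed Gateway HTTPS Inspection CA")
	return impersonate(gw, gwKey, gw), impersonate(gw, gwKey)
}

// PublicCASigner chains the organisation's certificate to a public root and uses it as the
// inspection signer. ca=false is what a public CA actually issues (a server cert, IsCA=false)
// and is rejected; ca=true is the sub-CA no public CA will grant: every client trusts it.
func PublicCASigner(ca bool) error {
	pub, pubKey := mustRoot("Constructed Public Root CA")
	org, orgKey, err := issue(template("inspection.example.org", ca), pub, pubKey)
	if err != nil {
		panic(err)
	}
	return impersonate(org, orgKey, pub)
}
```

`GatewayCA()` returns `nil` for the distributed-root case and an unknown-authority error for the missing-root case; `PublicCASigner(false)` fails because the chain passes through a certificate that is not a CA, and `PublicCASigner(true)` returns `nil`. Go's verifier applies the same basic-constraints rule (RFC 5280 section 4.2.1.9) that browsers do, so the outcome is the same one the clients in the thread would see.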