https Inspection

Discussion created by Libin Thomas on Jul 17, 2017
Latest reply on Jul 21, 2017 by Anthony Joubaire

Like • Show 0 Likes0
Comment • 4

Folks,

we are trying to do Https inspection on firewall , created CSR from firewall and got signed from 3rd party root CA.

but still https logs shows that client doent have root ca installed.

In client browser the 3rd party root ca is already there in trusted root ca .

do we need to import the certificate on client ?

as per my understanding if the CSR is signed from 3rd party trusted root CA then there is no need to import the certificate on client as the client already have the root ca in browser store.

Any thoughts

Outcomes

4 Replies

Christian Stueckrath Jul 17, 2017 7:51 AM
the firewall itself needs to be the root ca (or sub ca), and all your clients need to trust this root ca (or sub ca) certificate of your firewall.
You won't get a ca certificate from a 3rd party provider.
1 person found this helpful
Like • Show 0 Likes0
Actions
Dameon Welch Abernathy Jul 17, 2017 9:50 AM
Your firewall will need a certificate authority key that is able to generate a certificate for any site a user tries to access.
It can either be the one that is created through SmartConsole or a sub-CA created through your enterprise CA.
No globally trusted certificate authority will grant you a CA key for this purpose--it's against the terms of service.
The relevant CA key must be configured as "trusted" in your end users browsers.
1 person found this helpful
Like • Show 0 Likes0
Actions
Libin Thomas Jul 18, 2017 11:18 AM

To avoid installing a certificate on every browser, we need to generate a CSR from thecheckpoint and have it signed by a third-party, trusted CA that most major browsers will recognize and accept without a warning automatically.
this is what i am trying to do , after this step also we are seeing the certificate error from the client side
Like • Show 0 Likes0
Actions
Anthony Joubaire Jul 21, 2017 10:01 AM
Dear Thomas,

I'm facing the same issue as you.
I was looking for the same solution.
Generating CSR, get a Signed CRT from a CA already known by clients.

The point is, no article/sk even mention that option.
Using Threat Prevention with HTTPS Traffic

On the Documentation, it's mention how to generate the CA certificate and how to deploy.
Dameon Welch Abernathy

Dameon Welch Abernathy is right.

For that https inspection features, we need to CA feature and key, because we need to resign cert. A simple CRT is not enought for doing the job.
If an organization is providing your the sub CA key for the CheckPoint features, they could lose they CA aggrement.

I hope my clarification about Dameon's answer have clarified the issue.

regards,
Anthony Joubaire
Like • Show 0 Likes0
Actions

https Inspection

Outcomes

Related Content

Recommended Content