sbluck
New Member
June 27, 2019
Question

Recommended SSL cert for SSL inspection

We are about to install HA 600E's and will be doing web filtering (including SSL inspection), and we will also use the 600E's for SSL VPN. We will buy certs rather than relying on the default self-signed one. Most internal devices will be domain-joined and so have the cert deployed via GPO, with the exception of BYOD devices.

I'm wondering what level of validation is recommended: DV, OV, or EV?

Given past experience I'd like to avoid the need for intermediate certs, so has anyone had experience with a CA/cert that doesn't have a requirement for intermediate certs?

    1 reply

    sw2090
    SuperUser
    June 20, 2024

    Yes, this is because SSL inspection (DPI) is a "man-in-the-middle". This means the FGT will take incoming/outgoing encrypted traffic, decrypt it, and analyze it. To ship the traffic on to the original receiver, it will have to be encrypted again. Since the FGT doesn't have the private key of the original cert, it cannot encrypt using the original cert. So it has to use a cert it has the private key of for this. Since additionally it needs to still deliver the original CN/SAN of the original cert, it needs to create a new cert for the encryption. To do this, the cert used for DPI must be of type CA or SUBCA. One cannot afford an official CA and one cannot buy a subCA. So you will indeed have to use your own one.
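As an added example (not from the thread, and not Fortinet's own tooling), the script below uses the openssl CLI to build a throwaway internal CA and a DV-style server cert, then checks which of the two carries the CA:TRUE and keyCertSign attributes a deep-inspection (re-signing) profile needs. All subject names are constructed.

```shell
#!/bin/sh
# Added example: which cert can act as a deep-inspection (re-signing) CA?
# Assumes the openssl CLI (1.1.1 or newer, for -addext) is installed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# An internal root CA: the kind of cert the FGT can mint per-site certs with.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
  -subj "/CN=Example Internal Inspection CA" \
  -addext "basicConstraints=critical,CA:TRUE" \
  -addext "keyUsage=critical,keyCertSign,cRLSign" >/dev/null 2>&1

# A plain server (leaf) cert, which is what a DV/OV/EV purchase hands you.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.pem" \
  -subj "/CN=vpn.example.internal" \
  -addext "basicConstraints=critical,CA:FALSE" \
  -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
  -addext "extendedKeyUsage=serverAuth" >/dev/null 2>&1

# Returns 0 when the cert may sign other certs (basicConstraints CA:TRUE
# plus keyUsage keyCertSign), i.e. it can be used for SSL inspection;
# returns 1 for an ordinary server cert.
is_dpi_capable() {
  txt=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$txt" | grep -q 'CA:TRUE' || return 1
  printf '%s\n' "$txt" | grep -q 'Certificate Sign' || return 1
  return 0
}

# Report both certs; the purchased-style leaf fails, the internal CA passes.
for c in "$WORK/ca.pem" "$WORK/leaf.pem"; do
  if is_dpi_capable "$c"; then
    verdict="usable for deep inspection (CA)"
  else
    verdict="server cert only, cannot re-sign traffic"
  fi
  printf '%s: %s\n' "$(openssl x509 -in "$c" -noout -subject)" "$verdict"
done
```

Run the same function against the PEM you intend to load into the inspection profile before deploying it; a DV/OV/EV server cert will always fail the check.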