So I am trying to set up policies, and of course almost all of them require SSL inspection to be enabled.
I did issue the cert from the domain controller, which is self-signed, and imported it into the firewall.
Of course it will throw an error saying that it is not a valid SSL cert unless I install that cert as a Trusted Root on all PCs. If we get a cert from a trusted CA, then how would that work?
Would I be using any of the following information: Public IP: xx.xxx.xxx.xxx; Domain Name: xyz.local (AD domain) or xyz.com (a domain we own)? Would SSL inspection still work if I get the CA-signed cert for the xyz.com domain?
I am pretty new to the SSL and certificates world, so I do not have much of an idea how things work.
Hello,
Bumping this subject!
I have the same problem.
Any ideas?
First, no public CA is going to issue you a root CA cert; that is not feasible, nor is it an option to buy just a root CA cert.
Your root CA is "your" root certificate; you just trust it in the OS or Firefox browser as a trusted root CA and be done.
Ken Felix
PCNSE
NSE
StrongSwan
Yeah, but they do issue sub-CA certs, Ken. Those can be used to sign certificates. The dark side is that this creates one more hop in the certificate verification path that has to be covered :\
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
So who do you think is issuing sub CA certificates for re-signing?
I think, for example, you cannot go to GeoTrust, Entrust or Comodo and just flat out order a sub CA off any of the higher roots/intermediates that they have in the chain.
The public CA is making money by the issuance of certificates. If they gave every Tom, Dick or Harry a sub CA upon request, then he or she could become a signer and reseller and sign like God..... 1 billion certificates under that chain ;)
That's not an offering that is offered to the general end user.
BTW, I've worked with two major, well-known public CAs over the course of the last 8 years.
Ken Felix
PCNSE
NSE
StrongSwan
To me, an intermediate is nothing other than a sub CA ;)
And intermediates are meanwhile in common use for reselling. There is meanwhile a whole lot of smaller certificate sellers that issue certs based on an intermediate. A win-win for the CA: they have two channels for selling...
FGT SSL Deep Inspection, e.g., needs a sub CA cert to work...
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
FGT SSL Deep Inspection, e.g., needs a sub CA cert to work...
You're not even 100% correct here, and you are providing misleading information or confusion.
I've done SSL inspection with both a single root CA and with an intermediate certificate (aka sub CA) on FortiGates and a host of other firewall vendors, FWIW. (BTW, Forcepoint NGFW seems not to work with an intermediate, from my experience and testing; keep that in mind if you're doing a PoC or bake-off between vendors and have a heavy dependence on SSL VPN or SSL inspection and a deep chain. The support/development teams know about this, but I highly doubt the sales teams explain this limitation with the CA depth, and yes, this is me griping about this limitation.)
In SSL inspection, the certificate can be either a root CA or an intermediate CA certificate; the former is more ideal in a big organization, but I've seen various avenues and topologies used by private CAs for SSL inspection.
Either way you go, the chain has to be trusted by the end user (i.e., OS, browser).
In most of the top orgs and Fortune 500s they are using Microsoft CA or generating their own self-signed PKI infrastructure, commonly by using openssl (that's what I do). When you go to a commercial CA for this, all they are doing is managing a "different chain" for you that is NOT the general public chain that you see in the browser or at the OS level.
They are NOT going to just give you a root CA for SSL inspection or for re-signing of intermediates, FWIW. You can't go as an individual and say "I want you to give me a root CA." Now if you're a big business (i.e., Fortune 500, mil, edu, NSA, etc.) they can build "your" PKI CA and can build you a PKI infrastructure and give you rights to issue, for example, server certificates. I just did that recently with Entrust and GlobalSign. They typically call this service a "custom CA" or "custom ICA (Intermediate Certificate Authority)". They manage a complete PKI down to OCSP and CRL.
But a generic user like you or me is NOT going to get that, nor would it be cost effective to buy into that program or design as a generic end user. We are talking about the TOP organizations or businesses (i.e., millions of dollars). These organizations are signing thousands of CSRs for various needs and reasons.
Keep this thought in mind: "all public CAs are really self-signed." The only difference between your private CA (or, let's say, your custom ICA, if you went that route) and theirs is that yours is NOT publicly known or recognized ;).
The public CAs are paying the OS and browser vendors (i.e., Firefox) to be installed as a trust component in those systems. Technically speaking, probably 100K public CAs exist (probably more), but not all of them are in your Windows OS or Firefox browser as an accepted CA.
And finally, just guessing, probably 1 million+ CAs exist (public and private sector); again, not all of them are pre-installed into your end OS device or browser ;)
Ken Felix
PCNSE
NSE
StrongSwan
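The following is an added worked example, not code from this thread or from Fortinet. It puts two of the replies above into openssl commands: the first answer (your own root CA is what the PCs have to trust) and the last post (the re-signing certificate on the firewall can be the root itself or an intermediate/sub CA, but either way the whole chain must verify on the client, and a private PKI for this is commonly generated with openssl). It builds a self-signed root, a sub CA signed by that root, and a re-signed leaf for a server, then checks which trust-store contents make that leaf verify. The organisation and host names, the scratch directory and the EC key type are assumptions made for the demo; in a real deployment the sub CA key would live on the firewall and root.pem is what you push to the clients.

```shell
#!/bin/sh
# Added example (not from the thread). Builds the private PKI the replies
# describe: an offline self-signed root that gets pushed to every PC as a
# Trusted Root, a subordinate "sub CA" whose key lives on the inspecting
# firewall and re-signs server certificates, and a re-signed leaf such as a
# client would see. Then it checks which trust-store contents make the leaf
# verify. All names (Example Corp, www.example.com) are made up for the demo.
set -eu

# build_demo_pki DIR: writes root.pem, subca.pem, leaf.pem and other.pem into DIR
build_demo_pki() {
  d=$1
  # One small config so the example does not depend on the system openssl.cnf.
  cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_subca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
authorityKeyIdentifier = keyid:always
EOF
  # 1. Root CA: self-signed. Keep root.key offline; only root.pem is distributed.
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$d/root.key" 2>/dev/null
  openssl req -x509 -new -key "$d/root.key" -config "$d/req.cnf" -extensions v3_root \
    -subj "/CN=Example Corp Private Root CA" -days 3650 -sha256 -out "$d/root.pem"
  # 2. Sub CA for the firewall, signed by the root: the "one more hop" in the chain.
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$d/subca.key" 2>/dev/null
  openssl req -new -key "$d/subca.key" -config "$d/req.cnf" \
    -subj "/CN=Example Corp SSL Inspection CA" -out "$d/subca.csr"
  openssl x509 -req -in "$d/subca.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/req.cnf" -extensions v3_subca -days 1825 -sha256 -out "$d/subca.pem" 2>/dev/null
  # 3. Re-signed leaf: what the inspecting firewall presents to the browser for www.example.com.
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$d/leaf.key" 2>/dev/null
  openssl req -new -key "$d/leaf.key" -config "$d/req.cnf" \
    -subj "/CN=www.example.com" -out "$d/leaf.csr"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/subca.pem" -CAkey "$d/subca.key" -CAcreateserial \
    -extfile "$d/req.cnf" -extensions v3_leaf -days 90 -sha256 -out "$d/leaf.pem" 2>/dev/null
  # 4. An unrelated root, standing in for what a client's store holds before you import yours.
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$d/other.key" 2>/dev/null
  openssl req -x509 -new -key "$d/other.key" -config "$d/req.cnf" -extensions v3_root \
    -subj "/CN=Some Other Root CA" -days 3650 -sha256 -out "$d/other.pem"
}

# verify_leaf DIR TRUSTSTORE [UNTRUSTED]: prints "ok" if leaf.pem chains to a
# self-signed anchor in TRUSTSTORE, optionally using UNTRUSTED as an intermediate
# that the firewall would send in the TLS handshake; prints "fail" otherwise.
verify_leaf() {
  d=$1; store=$2; extra=${3:-}
  if [ -n "$extra" ]; then
    openssl verify -CAfile "$d/$store" -untrusted "$d/$extra" "$d/leaf.pem" >/dev/null 2>&1 \
      && echo ok || echo fail
  else
    openssl verify -CAfile "$d/$store" "$d/leaf.pem" >/dev/null 2>&1 && echo ok || echo fail
  fi
}

WORK=$(mktemp -d)
build_demo_pki "$WORK"
echo "root trusted, sub CA sent in chain : $(verify_leaf "$WORK" root.pem subca.pem)"
echo "root trusted, sub CA not sent      : $(verify_leaf "$WORK" root.pem)"
echo "only sub CA trusted, no root       : $(verify_leaf "$WORK" subca.pem)"
echo "unrelated root trusted             : $(verify_leaf "$WORK" other.pem subca.pem)"
echo "artifacts left in $WORK"
```

Run it with sh. Only the first line comes back "ok": the leaf verifies when root.pem is the trust anchor and subca.pem is available as an untrusted intermediate. Trusting only the sub CA fails here because openssl verify insists on a self-signed anchor unless -partial_chain is given, which is exactly the extra hop mentioned above: a client either has the root installed and receives the sub CA in the handshake, or it must be configured to treat the sub CA itself as an anchor. The "unrelated root" case is the error the original poster sees before the private root is imported on the PCs.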