How to Use Wildcard Certificate for URL Filtering Override Page Without SSL Decryption

Created On 09/25/18 17:41 PM - Last Modified 06/08/23 03:06 AM


Resolution


This article explains how to serve the URL filtering admin override page over HTTPS to clients when a wildcard certificate issued by a third-party CA is available, without SSL decryption. The certificate used here is for the override page only; it can't be used for SSL decryption.

 

Why does this matter?

Typically this is useful for clients in a Guest WiFi zone that use the URL Admin Override function to browse the internet. When the override page is served with a self-signed certificate, these users get a certificate error. These instructions resolve that error for hosts where pushing a certificate is not possible because they are not part of the domain.

 

Assumptions:

  • No SSL decryption is configured. (If SSL decryption is configured, serving the override page without warnings is much easier and does not need this procedure.)
  • A wildcard certificate obtained by a third-party CA is available. For example, *.domain.com.
  • Internal DNS infrastructure is being used and the same is configured as the firewall's resolver under Device > Setup > Services > DNS servers. This is configured so that the firewall can resolve the internal domain.
  • Wildcard certificate is obtained and is already imported into the firewall. It also has been configured into an SSL/TLS service profile.
  • Firewall interfaces are in Layer 3 mode and URL admin override is in Redirect mode.
  • The hosts use the internal DNS servers (or DNS servers that can resolve the chosen host name to the IP of the firewall's internal interface).

 

Steps

 

  1. First, add a record to the DNS server so that the redirect domain resolves to the IP of the firewall's trust interface. In our example, the domain is internal.domain.com: the A record in the DNS server is internal.domain.com and the IP is 10.50.240.72, the IP assigned to the internal interface that will be used during the redirect.
     (Image: DNS A record for internal.domain.com pointing to 10.50.240.72, the IP assigned to the internal interface used during the redirect)
  2. After adding the record to the DNS server, ping internal.domain.com from an internal host and confirm that it resolves to 10.50.240.72. If it does not, run ipconfig /flushdns on the host to clear the cached DNS information and try again.
     
  3. Next, configure the redirect address as an FQDN, in our case internal.domain.com. Do this under Device > Setup > Content-ID > URL Admin Override. Click Add to create an entry, or click the name of the existing override (if any) to edit it.
     (Image: URL Admin Override settings with internal.domain.com as the redirect host)
  4. After this is configured for URL Admin Override pages and committed, the firewall redirects to internal.domain.com for entering the override password. The browser should no longer show any certificate warnings.
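The two conditions the steps above depend on are that the redirect FQDN resolves to the trust interface and that the wildcard certificate actually covers that FQDN (browsers match `*.domain.com` against exactly one label, so `internal.domain.com` is covered but `domain.com` and `a.internal.domain.com` are not). The following check script is an added example, not part of the article; it uses the article's constructed values and a swappable resolver so it can be run from a host in the guest zone.

```python
import socket
from typing import Callable, List

# Constructed values taken from the article's example: wildcard *.domain.com,
# redirect FQDN internal.domain.com, firewall trust interface 10.50.240.72.
WILDCARD_CERT_NAME = "*.domain.com"
REDIRECT_FQDN = "internal.domain.com"
TRUST_INTERFACE_IP = "10.50.240.72"


def wildcard_matches(cert_name: str, hostname: str) -> bool:
    """Return True if a certificate name covers hostname.

    Applies the RFC 6125 rule browsers use: a leading '*' matches exactly one
    DNS label, so *.domain.com covers internal.domain.com but neither
    domain.com nor a.internal.domain.com.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    suffix = cert_name[1:]                 # ".domain.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]    # label in front of the suffix
    return leftmost != "" and "." not in leftmost


def check_redirect_setup(fqdn: str, expected_ip: str, cert_name: str,
                         resolve: Callable[[str], str] = socket.gethostbyname
                         ) -> List[str]:
    """Return a list of problems; an empty list means the setup looks right."""
    problems = []
    if not wildcard_matches(cert_name, fqdn):
        problems.append(f"{cert_name} does not cover {fqdn}; browsers will warn")
    try:
        ip = resolve(fqdn)                 # uses the host's configured DNS
    except OSError as exc:
        problems.append(f"{fqdn} does not resolve: {exc}")
        return problems
    if ip != expected_ip:
        problems.append(f"{fqdn} resolves to {ip}, expected {expected_ip}")
    return problems


if __name__ == "__main__":
    for p in check_redirect_setup(REDIRECT_FQDN, TRUST_INTERFACE_IP, WILDCARD_CERT_NAME):
        print("PROBLEM:", p)
```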
