topic Re: SSL Decryption Certificate Self-Signed vs Public Trusted CA in General Topics

SSL Decryption Certificate Self-Signed vs Public Trusted CA

Shahlar — Fri, 25 Aug 2023 12:44:38 GMT

Hi,

I searched and read a lot about it, but the more I read the more I get confused. I would appreciate, if someone explain me the difference between self-signed and public trusted certificates for SSL Decryption. As I understand, I need to import it into endpoints machines anyway to make decryption work. Then what is the point of public trusted certificate then?

Re: SSL Decryption Certificate Self-Signed vs Public Trusted CA

Claw4609 — Fri, 25 Aug 2023 13:31:03 GMT

Are you referring to inbound or outbound ssl inspection? For forward proxy (outbound) I dont believe you can use a public certificate, you can use either a self-signed certificate or a cert signed by your internal CA (if applicable). Clients would need to trust the forward trust certificate.

Configure SSL Forward Proxy (paloaltonetworks.com)

Configure SSL Inbound Inspection (paloaltonetworks.com)

Re: SSL Decryption Certificate Self-Signed vs Public Trusted CA

Shahlar — Fri, 25 Aug 2023 13:42:46 GMT

I am talking about outbound inspection. But I can buy and install third party issued certificate. Like in this article: Difference Between SSL Forward-Proxy and Inbound Inspection Dec... - Knowledge Base - Palo Alto Networks

Here is the quote:

""Note: If you want to use a certificate issued by third party, it needs to be a CA certificate and you will have to import public AND private key (Key Pair). ""

Plus, we just obtained CA certificate for SSL decryption for testing purposes. The point of this was to avoid manual import to any device/software but seems like even in this case we still need manual import.

Re: SSL Decryption Certificate Self-Signed vs Public Trusted CA

Claw4609 — Fri, 25 Aug 2023 14:04:09 GMT

You would effectively just need a certificate that your clients trust and can sign certificates on the fly.

Re: SSL Decryption Certificate Self-Signed vs Public Trusted CA

OtakarKlier — Fri, 25 Aug 2023 14:05:54 GMT

Hello,

Its how the clients behind the firewall with their traffic flowing out through the firewall see the certificate. If its 'self-signed', then the client will not trust the certificate and the end user will get the "This is not a trusted site" warning.

In order to get the client to trust the certificate, you have to install the root certificate onto all the clients.

Hope this helps.

Re: SSL Decryption Certificate Self-Signed vs Public Trusted CA

Shahlar — Fri, 25 Aug 2023 14:16:37 GMT

yes, and my question was is there any benefit to buy third party certificate for outbound decryption? If I need manually import Root CA to my endpoints anyway (would it be self-signed or third party issued like from Digicert).

Re: SSL Decryption Certificate Self-Signed vs Public Trusted CA

OtakarKlier — Fri, 25 Aug 2023 14:20:28 GMT

Hello,

With a paid public certificate, the client already has the root certificate installed and you dont have to deploy it. If you have active directory in your internal network, you can use a subordinate certificate and your windows client will automatically trust it.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWOCA0

Regards,

Re: SSL Decryption Certificate Self-Signed vs Public Trusted CA

Remo — Sun, 27 Aug 2023 06:51:34 GMT

Hi @Shahlar

Could you show us the public CA certificate you bought? Because I think there is no way to get a public CA certificate that you can use for outbound decryption and the only way to do this is with a locally self signed cert or with a CA cert from an already existing internal CA. Public certificates (no CA certs) you can use for inbound decryption - so to decrypt specific traffic to one or a few webservers (for example with a wildcard certificate).

Re: SSL Decryption Certificate Self-Signed vs Public Trusted CA

Shahlar — Tue, 29 Aug 2023 08:41:42 GMT

Hi @Remo

Here is a snapshot from Palo Alto. Plus in certificate itself the field: Subject Type=CA.

Btw, I have one Root CA, one Intermediate CA and one ICA. And as I mentioned earlier, even though it's from DigiCert, I still need to import Root CA on my endpoints, so that they can trust to my Intermediate CA. Which leads to my original topic question: why I should play money to Digicert? I see no difference in their and mine self-signed.

Re: SSL Decryption Certificate Self-Signed vs Public Trusted CA

BPry — Tue, 29 Aug 2023 13:43:48 GMT

@Shahlar,

Digicert isn't going to sell you a subordinate CA certificate that is actually trusted by the default root and intermediate certificates, if they did they'd quickly become an untrusted certificate authority like Symantec. They'd essentially be selling certificates with the ability to MITM every single major operating system and browser used by normal individuals.

I think you may have purchased a dedicated intermediate from Digicert, and in the process of using it for this massively violated ToS of the product. In the event that this was what you did, then the behavior is actually expected

behavior with how you would have been using the certificate.

I'd highly recommend getting an actual SubCA certificate generated if you have your own in-house PKI system so that your clients automatically trust the generated certificates. If you don't have your own PKI system, just generate a certificate on the firewall and feed it out to all connected clients. This can be done through GPO and most MDMs.

In the event that you don't have Group Policy to fall back on and you don't have an MDM, you can actually get the certificate deployed through GlobalProtect upon connection easily. Under your Portal Agent configurations add the certificate as a 'Trusted Root CA' and ensure that you have the box checked for 'INSTALL IN LOCAL ROOT CERTIFICATE STORE'. Anyone connecting to GlobalProtect will now have those certificates installed automatically the next time they connect.

Re: SSL Decryption Certificate Self-Signed vs Public Trusted CA

Shahlar — Tue, 29 Aug 2023 14:00:10 GMT

Hi @BPry

Thank you for the detailed answer. What do you mean by violating ToS? How having third party SSL Decryption certificate violates the ToS?

I see, so in general there is no point to use third party certificate for SSL Decryption, unless it's from you own PKI (which may be on outsource)

Re: SSL Decryption Certificate Self-Signed vs Public Trusted CA

TomYoung — Tue, 29 Aug 2023 16:11:40 GMT

Hi @Shahlar ,

You said, "we just obtained CA certificate for SSL decryption for testing purposes". Was this a public certificate and did you also get the private key? I have never heard of a public certificate authority issuing a CA certificate to a user. Then the user could issue certificates on their behalf, defeating the whole purpose of a trusted CA.

The issue is not that there is no point to using public CAs for SSL Forward Proxy. You can't get a public CA certificate and private key. If you have one, I am very curious how you got it. Maybe I am missing something.

Thanks,

Tom

Re: SSL Decryption Certificate Self-Signed vs Public Trusted CA

Shahlar — Wed, 30 Aug 2023 08:19:27 GMT

Hi @TomYoung

I cleared that out already for myself. So it's not public trusted CA, its CA from public trusted authority. But CA itself is private and acts the same way as self-signed(import root CA into endpoint, so they wlll trust your private CA on Palo Alto). Which confuses me, then why should I use that private certificate and if there any benefits.