https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-for-public-use/m-p/17872#M13006 <HTML><HEAD></HEAD><BODY><P>Hi ialeksov,</P><P></P><P> It's not possible to purchase a Trust Root CA. What you can buy is a server type certificate, with a specific hostname.</P><P>If it was so easy, you can easily imagine the world would not be secure anyomore....</P></BODY></HTML> Tue, 02 Sep 2014 22:58:05 GMT cpainchaud 2014-09-02T22:58:05Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-for-public-use/m-p/17867#M13001 <HTML><HEAD></HEAD><BODY><P>We provide internet access for public use (wifi hotspot). For better control and visibility, I would like to introduce SSL decryption (we already use it for our internal users). But there is no way I can deploy the certificate to those users (who I don't know and don't control their devices).</P><P></P><P>Is there any way I can enhance control and visibility of web applications in another way ? "Transparent" SSL decryption ?</P></BODY></HTML> Fri, 29 Aug 2014 07:51:18 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-for-public-use/m-p/17867#M13001 dieter_b 2014-08-29T07:51:18Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-for-public-use/m-p/17868#M13002 <HTML><HEAD></HEAD><BODY><P>Hello Dieterb,</P><P></P><P>Even if, you will not deploy that certificate to <SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><SPAN class="GINGER_SOFTWARE_mark">wifi</SPAN> hotspot users, the traffic will be decrypted. But, every time they will get a certificate warning, while access any SSL page. Since the self generated certificate is issued by PAN firewall and it is not in the browser's certificate ring. </SPAN></P><P></P><P>A related discussion thread on same topic: <A href="https://live.paloaltonetworks.com/message/41346">Decryption certificate</A></P><P></P><P>Hope this helps.</P><P></P><P>Thanks</P></BODY></HTML> Fri, 29 Aug 2014 08:37:55 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-for-public-use/m-p/17868#M13002 HULK 2014-08-29T08:37:55Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-for-public-use/m-p/17869#M13003 <HTML><HEAD></HEAD><BODY><P>I know, but I think it's not done to confront users with constant certificate errors.</P><P></P><P>I know about the ssl decryption opt-out response page. I could warn the users about this. But I think that is a global option, so it would also appear to our internal users (which is not necessary).</P><P></P><P>What do others do with public internet traffic passing their PA?</P></BODY></HTML> Fri, 29 Aug 2014 08:45:01 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-for-public-use/m-p/17869#M13003 dieter_b 2014-08-29T08:45:01Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-for-public-use/m-p/17870#M13004 <HTML><HEAD></HEAD><BODY><P>Yes, you are correct. <SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><SPAN class="GINGER_SOFTWARE_mark">opt</SPAN>-out response page is a global setting, hence it will be applicable <SPAN class="GINGER_SOFTWARE_mark">for</SPAN> your internal user's as well.</SPAN></P><P></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-5020">How to Enable/Reset the Opt-Out Page for SSL Decryption</A></P><P></P><P>Thanks</P></BODY></HTML> Fri, 29 Aug 2014 08:51:50 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-for-public-use/m-p/17870#M13004 HULK 2014-08-29T08:51:50Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-for-public-use/m-p/17871#M13005 <HTML><HEAD></HEAD><BODY><P>Hi dieterb,</P><P></P><P>The only way that you might be able to accomplish this is to use a decrypt certificate that is issued by a trusted root CA.</P><P>This is the only option since you do not have the ability to push the cert yourself to the devices, since you do not control them.</P><P>Using an untrusted certificate looks bad and will prompt the users every time they visit a site to accept the "risk" since their traffic is being "men in the middled" by a device that was cert from an unknown CA.</P><P>You can pay a couple of 100$ and get a cert and have no worries about this at all. Most of the customer I have seen prefer this solution.</P><P></P><P>I hope this helps you.</P><P></P><P>BR</P></BODY></HTML> Tue, 02 Sep 2014 22:33:30 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-for-public-use/m-p/17871#M13005 ialeksov 2014-09-02T22:33:30Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-for-public-use/m-p/17872#M13006 <HTML><HEAD></HEAD><BODY><P>Hi ialeksov,</P><P></P><P> It's not possible to purchase a Trust Root CA. What you can buy is a server type certificate, with a specific hostname.</P><P>If it was so easy, you can easily imagine the world would not be secure anyomore....</P></BODY></HTML> Tue, 02 Sep 2014 22:58:05 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-for-public-use/m-p/17872#M13006 cpainchaud 2014-09-02T22:58:05Z