topic Re: SSL Decryption - getting spoof cert out to BYOD personal devices in General Topics

SSL Decryption - getting spoof cert out to BYOD personal devices

dannon — Thu, 20 Nov 2014 19:27:30 GMT

We are in the process of setting up SSL decryption. We have a BYOD wireless network that needs to have SSL decryption turned on. Students can connect with their personal devices, so we need to be able to block Facebook, porn, etc.that are coming in over HTTPS. We've got it working with organization-owned equipment but are having hang-ups with personal devices.

My question is more of a general one to the rest of the users: if you are doing this too, how do you get the cert available to the end user so they can install on their device? We were thinking of having an internal web page that explains the need to install the cert, and have it include a URL to download the cert from the internal web server. I know with other filtering appliances we've had in the past, we did this, and end-users could never figure out how to put the cert in "Trusted Root Certification Authorities" store.

Would there be a better way to handle this?

Thanks,

Dan

Re: SSL Decryption - getting spoof cert out to BYOD personal devices

bat — Thu, 20 Nov 2014 20:24:48 GMT

dannon

The following document can be helpful:Pushing SSL Decryption Certificates Using GPO

Hope it helps!

Re: SSL Decryption - getting spoof cert out to BYOD personal devices

ssharma — Thu, 20 Nov 2014 20:28:17 GMT

Hi @dannon,

Yes, that would definitely be the best way to proceed as you cannot have control over machines (pc/laptop/cell/macs) etc to push it through GPO. Once you redirect them, they will need to install the certificate on their devices in order for them to not to get browser's warning. Hope this helps. Thank you.

Re: SSL Decryption - getting spoof cert out to BYOD personal devices

hshah — Sat, 22 Nov 2014 15:25:18 GMT

That's an interesting problem you have stated! Now, if i understand it right

1. You are ok with the users being redirected to a website and installing the Cert

2. What the actual problem is the fact that the users are unable to add the certs without instruction and/or the instructions are difficult to follow

3. We cannot use the GPO technically as they are not a part of the domain and hence we cannot push the certificates

Now, I am making some assumptions

1. All the intended clients are Windows - Multiple versions of them may be

2. All the users may not have administrative access on their computer - A little far fetched but still a remote possibility

Solution :

We create an installer using C#, which does this for them. Then we can send the installer and not the certificate file. A simple Next, Next Installation will be far easier to follow.

Since we are talking windows, a simple c# program will be sufficient.

1. Convert the Certificate as a x509 format (Open SSL should be able to do this fairly simply)

2. You could create a C# Forms Application with the main install button performing the following

string certFile; // Contains name of certificate file X509Store store = new X509Store(StoreName.Root, StoreLocation.CurrentUser); store.Open(OpenFlags.ReadWrite); store.Add(new X509Certificate2(X509Certificate2.CreateFromCertFile(certFile))); store.Close();

This will add the Certificate into the Users Root CA (Not the computer account) - Which is sufficient for our purposes

If thats not a possibility, then create a batch bile

2 (Onother Option) . Create a batch file with the content (Name the file installCert.bat or something)

certmgr /add certFile.cer /s Root

And give the certificate in x509 format and the batch file in the same folder. Once people click on the batch file the cert will be installed

Please let me know if you have questions

HTH!

Hardik

So, just cl

Re: SSL Decryption - getting spoof cert out to BYOD personal devices

dannon — Mon, 24 Nov 2014 17:58:02 GMT

That's an interesting solution Hardik.

The issue is that we have many iPhones/iPads and android devices coming in, so it's not just limited to Windows boxes.

I'm wondering if end-users would be wary of us running scripts on their own personal devices...??

Re: SSL Decryption - getting spoof cert out to BYOD personal devices

hshah — Mon, 24 Nov 2014 23:36:22 GMT

Hi Dannon,

We could solve this dilemma by enforcing Client Certificate Authentication - There by you can give the users certificates, signed by the Local CA

and they will put that in the Root Cert Store

Regards,

Hardik Shah

Re: SSL Decryption - getting spoof cert out to BYOD personal devices

ChrisV — Tue, 25 Nov 2014 05:15:51 GMT

+1 need this for education sector, would be VERY useful and push out some competing products which claim to already do this.

Would be very useful when no ssl certificate detected, a portal page detecting the device (ios/android/windows/macos) provided an install mechanism for the certificate.

Re: SSL Decryption - getting spoof cert out to BYOD personal devices

gwesley — Wed, 26 Nov 2014 06:22:43 GMT

It would be tough to do a redirect to a web page if the client doesn't trust us as a CA - which is the problem we're trying to solve here. I've emailed certs to users with instructions to install, and that has worked ok. For mobile devices, a solution like our Mobile Security Manager has the ability to simplify provisioning of common configuration like email and certificates.

Re: SSL Decryption - getting spoof cert out to BYOD personal devices

dannon — Tue, 02 Dec 2014 21:16:07 GMT

In the end, we setup an internal web server (IIS7) and have several HTML pages. We also have a link to the SSL-cert and screenshots on how to install it on various client OSs.

We have our Cisco WLC 5508 wireless controller redirecting BYOD guests to this page after they connect.

This was the quickest and simplest way for us.