topic Re: Is it possible to use wildcard certificate as forward trust certificate? in General Topics

Is it possible to use wildcard certificate as forward trust certificate?

nugroho — Thu, 12 Sep 2019 22:43:20 GMT

I have a wildcard certificate that already works for global protect portal and gateway.

I would like to make this trusted certificate to be used for SSL decryption (forward-proxy mode) but I can't make any of those certificate to be Forward Trust Certificate because the checkbox is greyed out.

So, is it possible to use wildcard certificate as forward trust certificate? if yes, how to do that?

Thanks in advance

Re: Is it possible to use wildcard certificate as forward trust certificate?

tommyschoemans — Fri, 13 Sep 2019 05:51:37 GMT

Hey,

It needs to be a certificate of the type CA, then you should be able to use it as a forward trust certificate.

kr,

Tommy

Re: Is it possible to use wildcard certificate as forward trust certificate?

nugroho — Fri, 13 Sep 2019 06:22:41 GMT

@tommyschoemans

I couldn't quite understand what do you mean by type CA (I'm not really familiar with certificates). Is there any info that I not included in question that I should provide to determine whether is it possible or not using my current certificate as forward trust certificate?
In case you mean that it is possible with my certificate to set it as forward trust certificate, how could I do that? because as I state in the question, I can't set it because it is greyed out and I don't know the reason why is it greyed out.

Re: Is it possible to use wildcard certificate as forward trust certificate?

tommyschoemans — Fri, 13 Sep 2019 07:12:39 GMT

The reason for it being greyed out is because the certificate is not a CA one ( CA column not checked ). A CA or intermediate CA can sign certificates. Your wildcard certificate is signed by Cert Comodo Int1 and this is signed by cert Comodo Int2, etc...

In order to do SSL inspection you need to have a certificate that can sign certificates on behalf of the intercepted webiste to present to the end-users. So you just need to create yourself a root or intermediate CA ( preferably ) to use as a forward trtust certificate. Easiest is if you have a Microsoft AD you can use the MS PKI and create one here. The certificate will already be trusted by your AD members. Otherwise just use openSSL and have the CA certificate imported in the windows certificate store and if using Firefox certificate store.

kr,

Tommy

Re: Is it possible to use wildcard certificate as forward trust certificate?

nugroho — Fri, 13 Sep 2019 13:18:33 GMT

@tommyschoemans

I see, please confirm this, so I can't use my current certificates (Cert COMODO Root, COMODO Int1, COMODO Int2 or wildcard which is signed by COMODO) to use as forward trust certificate, right?

I will close my questions (accept solutions) once this confirmed.
Thanks.

Re: Is it possible to use wildcard certificate as forward trust certificate?

tommyschoemans — Fri, 13 Sep 2019 14:09:06 GMT

You can not user the wildcard certificate nor the other ones for forward trust.

Re: Is it possible to use wildcard certificate as forward trust certificate?

MangeshM — Thu, 15 Sep 2022 05:34:13 GMT

Hi Team,

Can I use wild card Certificate for Decryption Policy.