Decryption certificate

L3 Networker
Hi,

I have a PA500 (OS 5.0.11)

I already configured it for SSL Decryption with a self-signed certificate.

I need to use a Digicert Certificate. I already have a wildcard certificate with Digicert.

Question is: can I use my wildcard certificate for SSL Decryption?

How?

I tried to import my certificate, but I cannot use it for SSL Decryption.

Thanks

Regards

L7 Applicator

Re: Decryption certificate

Hi!

For SSL decryption you'll need a CA certificate as it will be posing as the signing certificate of the websites the users are accessing.

A document that may come in handy:

How to Implement SSL Decryption

regards

Tom


Reaper out
L3 Networker

Re: Decryption certificate

Thanks, but in the case of a Certification Authority like Verisign or Digicert, do I need to request a new certificate (signed by them), or do I need to import a root certificate?

Thanks

L2 Linker

Re: Decryption certificate

In the case of a CA like Verisign or Digicert, you need to import a chained certificate signed by the public CA.

This document is very helpful:

How to Install a Chained Certificate Signed by a Public CA

L3 Networker

Re: Decryption certificate

I followed this guide and created a PKCS12 chained certificate with this command:

openssl pkcs12 -export -in [certificate.pem] -inkey [certificate.key] -CAfile [chain.cer] -caname digicert -out [server-chain.p12] -name digicert -chain

But when I import my certificate (IMPORTANT: it is a web server certificate), it is not recognized as a CA.

I think the problem is that my certificate was requested for a web server.

If I try to install the DigiCert CA root certificate, it is recognized as a CA, but I cannot use it for decryption.

L7 Applicator

Re: Decryption certificate

You cannot use a certificate from a public CA like VeriSign or Digicert. A public CA will never give a subordinate (intermediate) CA certificate to someone outside their trust. With a subordinate certificate, you can create new certs that are trusted to the root, even for existing and common sites.

For SSL decryption, you need to use an internal CA certificate or generate a self-signed certificate on the firewall and use that. In both instances, you will need to distribute the public key of that certificate to all clients you wish to be decrypted.

Hope this helps,

Greg
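The two replies above come down to one X.509 property: a certificate used to sign the forward-proxy certificates must carry basicConstraints CA:TRUE, and a public CA issues web-server (end-entity) certificates with CA:FALSE, so bundling the wildcard cert into a PKCS12 with its chain does not change what the leaf is allowed to do. The script below is an added example, not code from the thread or from Palo Alto Networks: it builds two throwaway certificates with openssl (a self-signed internal CA like the one the firewall generates, and an end-entity server certificate signed by it), then checks each one's Basic Constraints the way an administrator can check any certificate before importing it. The subject names and file paths are constructed for the demonstration; openssl 1.1.1 or newer is assumed for -addext.

```shell
#!/bin/sh
# Added example (not from the thread): show why a web-server certificate is
# rejected as a decryption CA while a CA certificate is accepted, by reading
# the X.509 basicConstraints extension with openssl. Assumes openssl >= 1.1.1.
# Every certificate below is constructed throwaway test material.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# is_ca_cert FILE -> prints "CA" (return 0) or "NOT-CA" (return 1).
# A decryption certificate must be a CA; a leaf certificate never is.
is_ca_cert() {
    if openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'; then
        echo "CA"
        return 0
    fi
    echo "NOT-CA"
    return 1
}

# 1. Self-signed internal CA, equivalent to the "generate on the firewall"
#    option: CA:TRUE plus keyCertSign, so it may issue per-site certificates.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/CN=Example Internal Decryption CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" >/dev/null 2>&1

# 2. End-entity wildcard server certificate signed by that CA. This is the
#    shape a public CA hands out: CA:FALSE, serverAuth only, cannot sign.
openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" \
    -subj "/CN=*.example.test" >/dev/null 2>&1
printf '%s\n' \
    'basicConstraints=critical,CA:FALSE' \
    'keyUsage=digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' > "$WORK/srv.ext"
openssl x509 -req -in "$WORK/srv.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$WORK/srv.ext" \
    -out "$WORK/srv.pem" >/dev/null 2>&1

# The CA is usable for decryption; the server certificate is not, no matter
# which chain it is packaged with.
is_ca_cert "$WORK/ca.pem"
is_ca_cert "$WORK/srv.pem" || true
```

Run the same check against the PKCS12 you built (openssl pkcs12 -in server-chain.p12 -nokeys -clcerts | openssl x509 -noout -text) and the leaf will show CA:FALSE, which is exactly why the firewall does not list it as a CA; the DigiCert root shows CA:TRUE but you do not hold its private key, so it cannot sign anything on your behalf.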
