Decryption and Certificate Questions

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Decryption and Certificate Questions

L3 Networker

Hello Pros,

I would like to set up decryption for all traffic/devices accessing the internet. This will include smartphones and all sorts of devices. I would like to set it up in a way where each user is not forced to install a certificate before the device trusts the certificate. 

 

1.   If I create a certificate on the Palo and mark it 'Forward Trust Certificate' and 'Trusted Root CA', will it be trusted by these devices?

 

2.   Will I need to select the 'Forward Untrust Certificate' option?

 

Or is there a better way to achieve decryption in such a set up so that these devices can trust the Certificate without having to install it.

 

 

7 REPLIES 7

L6 Presenter

Get a certificate from a public certificate store like Verisign.  Problem solved.

Cyber Elite
Cyber Elite

The thing to remember about certs and not having to push them out is that the client device needs to be able to see the cert and trust it. So Brandons reply is a good way of going about it.

 

THe other thing i have seen is that you may have to not decryt some traffic for it to work properly if you are going to use you own internal or self generated cert.

 

Hope this helps.

L5 Sessionator

Hello, all,

 

in order to decrypt, CA that created certificate used for decryption needs to be trusted by the end-hosts whose traffic you intend to decrypt.

 

Inbound decryption can use certificate you buy from outside root Certification Authorities (or intermediary ones).

 

Outbound decryption (one that OP asks about) wants to replace any certificate "from the outside", therefore you need to be able to fake anybody's certificate. This will not work without creating your own certificate for forward decryption, and than either:

a) having end-hosts acknowledge and accept individual fake certificates for different sites

b) install CA certificate to the end-host so they will automatically trust those fake certificates and they will never be presented with the warning about fake certificate

 

b) should be your targeted option, so decryption will be done without interruptions to the end user. This is challenging in BYOD environment, as with mobile devices etc - it raises "political" question: do you have right to decrypt someone's private traffic in your business network OR do they have right to use your business network for their private purposes... for domained computers it is much easier - installing root certification authority certificates to machines and pushing software to computers in domain is easy (or at least easier) and it does not raise as many questions. You can provide users with instructions how to install certificates to devices and let them decide whether they will be doing it on their own.

 

Instructions how to install certificates used for decryption can be found here:

https://live.paloaltonetworks.com/t5/Articles/How-to-Perform-Client-Certificate-Install-for-SSL-Decr...

 

Quick reference on certificates:

https://live.paloaltonetworks.com/t5/Articles/SSL-Certificates-Quick-Reference-Resources/ta-p/53068

 

There is much more information in KB articles, feel free to search or ask 🙂

 

Regards

 

Luciano

The problem I have noticed with Public CA certificate is that when you import it to the Palo, some of the options you would need to enable to allow decryption are greyed out and not available to select. For example 'Forward Trust Certificate'

Hi,

What are the sample types of traffic you feel should not be decrypted for this to work properly?

Hello,

Here are the list of applications they have: https://live.paloaltonetworks.com/t5/Configuration-Articles/List-of-Applications-Excluded-from-SSL-D...

 

For my stuff, I just created a custom URl category and told the decrypton policy to ignore those URL's since it cannot be by application.

 

Maybe someoen else has a different method?

 

Regards,

That is because you don't have the public CA's private key. For a certificate to be used with SSL Decryption (either Forward Trust or Forward Untrust), it must be both a CA certificate and you must have the private key.

 

No public CA will ever give you a certificate like that. If they did, then they would be giving you the option to create a certificate for any site and have that cert you generated trusted by most browsers.

 

To satisfy the CA and Private Key requirements, you either need a corporate CA or you need to generate a self-signed cert (either on the firewall or using a tool like OpenSSL) and get that certificate installed in all your clients who will be getting their SSL traffic decrypted.

  • 6250 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!