How to deal with certificat issues in production envirement

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to deal with certificat issues in production envirement

Not applicable

Hi All,

I tried to generate a self-signed certificate for tests needs and I noticed that we must add a certificate at all existings browsers on all network station, I wonder how I can remedy to this problem in production envirement, as you can see the use of this type of certificate is not quite effective since we will have to ask all visitors and network users  to add this certificate in order to solve the problem of certificate uncompatibility . Please can you tell me how it goes at the prod i'm really confused and i couldn't figured it out.

Thanks in advance for your support.

Best Regards,

5 REPLIES 5

L3 Networker

Hello Lachen,

You can refer the following document to push the firewall certificate using GPO.

Pushing Firewall Certificate using GPO

Regards,

Jahnavi.

L4 Transporter

Hello,

We can create a CSR on firewall device and get it signed by well known public signing authorities.

How to Generate a CSR and Import the Signed CA Certificate

As we know that most known browsers today come inbuilt with well known certificates there will not be a need to reimport the certs if already signed by the company.

Thanks

Hi Phoenix :

  thanks for your reply, My concern is about those public signing authorities can you please give me an exemple are they generating signed certificat for free? other thing if i get a signed certificat have I need to add manualy this certificat to all browser or it will be recognazed by the browser and then there will be no need to add it like in the case of self-signed certificat?

Best Regards,

Here You are http://www.startssl.com/?app=1

Please ramain that You need to "glue" Your cert with intermediate cert of StartSSL.

I'm using StartSSL for years.

Regards

SLawek

@Lahcen when you get a certificate from a public CA like Go Daddy or Symmantec, they won't generate it with the "CA" flag checked, which means you won't be able to use it for SSL decryption. You have to either use a CA generated on the firewall, or one from an in-house CA.

The challenge you are talking about is a common one, and there are a couple solutions.

Some admins choose to not decrypt BYOD or guest content, but also not allow those devices full access to all resources to help mitigate any threats that may be missed by not doing decryption. Setting up separate wireless SSIDs can help with that. You may have a guest wifi that doesn't do decryption and only allows access to the Internet. Then you'd have a corporate wifi that does decryption, possibly with a splash page that has a link to your internal CA root certificate that can be downloaded with instructions on how to install it to various devices.

There's no one solution that makes it seamless. The highly authenticated nature of SSL makes this challenge present, but also guarantees that a man-in-the-middle attack isn't going to be something easy to do.

Hope this helps,

Greg

  • 4007 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!