03-25-2014 07:27 AM
Hi All,
I tried to generate a self-signed certificate for tests needs and I noticed that we must add a certificate at all existings browsers on all network station, I wonder how I can remedy to this problem in production envirement, as you can see the use of this type of certificate is not quite effective since we will have to ask all visitors and network users to add this certificate in order to solve the problem of certificate uncompatibility . Please can you tell me how it goes at the prod i'm really confused and i couldn't figured it out.
Thanks in advance for your support.
Best Regards,
03-25-2014 07:52 AM
Hello Lachen,
You can refer the following document to push the firewall certificate using GPO.
Pushing Firewall Certificate using GPO
Regards,
Jahnavi.
03-25-2014 07:53 AM
Hello,
We can create a CSR on firewall device and get it signed by well known public signing authorities.
How to Generate a CSR and Import the Signed CA Certificate
As we know that most known browsers today come inbuilt with well known certificates there will not be a need to reimport the certs if already signed by the company.
Thanks
03-25-2014 08:08 AM
Hi Phoenix :
thanks for your reply, My concern is about those public signing authorities can you please give me an exemple are they generating signed certificat for free? other thing if i get a signed certificat have I need to add manualy this certificat to all browser or it will be recognazed by the browser and then there will be no need to add it like in the case of self-signed certificat?
Best Regards,
03-25-2014 09:31 AM
Here You are http://www.startssl.com/?app=1
Please ramain that You need to "glue" Your cert with intermediate cert of StartSSL.
I'm using StartSSL for years.
Regards
SLawek
03-25-2014 09:32 AM
@Lahcen when you get a certificate from a public CA like Go Daddy or Symmantec, they won't generate it with the "CA" flag checked, which means you won't be able to use it for SSL decryption. You have to either use a CA generated on the firewall, or one from an in-house CA.
The challenge you are talking about is a common one, and there are a couple solutions.
Some admins choose to not decrypt BYOD or guest content, but also not allow those devices full access to all resources to help mitigate any threats that may be missed by not doing decryption. Setting up separate wireless SSIDs can help with that. You may have a guest wifi that doesn't do decryption and only allows access to the Internet. Then you'd have a corporate wifi that does decryption, possibly with a splash page that has a link to your internal CA root certificate that can be downloaded with instructions on how to install it to various devices.
There's no one solution that makes it seamless. The highly authenticated nature of SSL makes this challenge present, but also guarantees that a man-in-the-middle attack isn't going to be something easy to do.
Hope this helps,
Greg
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
