SSL Decryption Certificate Self-Signed vs Public Trusted CA

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

SSL Decryption Certificate Self-Signed vs Public Trusted CA

L1 Bithead

Hi,

 

I searched and read a lot about it, but the more I read the more I get confused. I would appreciate, if someone explain me the difference between self-signed and public trusted certificates for SSL Decryption. As I understand, I need to import it into endpoints machines anyway to make decryption work. Then what is the point of public trusted certificate then? 

12 REPLIES 12

Cyber Elite
Cyber Elite

Are you referring to inbound or outbound ssl inspection? For forward proxy (outbound) I dont believe you can use a public certificate, you can use either a self-signed certificate or a cert signed by your internal CA (if applicable). Clients would need to trust the forward trust certificate. 

 

 

Configure SSL Forward Proxy (paloaltonetworks.com)

 

Configure SSL Inbound Inspection (paloaltonetworks.com)

I am talking about outbound inspection. But I can buy and install third party issued certificate. Like in this article: Difference Between SSL Forward-Proxy and Inbound Inspection Dec... - Knowledge Base - Palo Alto Netw...

Here is the quote:

""Note: If you want to use a certificate issued by third party, it needs to be a CA certificate and you will have to import public AND private key (Key Pair). ""

 

Plus, we just obtained CA certificate for SSL decryption for testing purposes. The point of this was to avoid manual import to any device/software but seems like even in this case we still need manual import.

You would effectively just need a certificate that your clients trust and can sign certificates on the fly. 

Cyber Elite
Cyber Elite

Hello,

Its how the clients behind the firewall with their traffic flowing out through the firewall see the certificate. If its 'self-signed', then the client will not trust the certificate and the end user will get the "This is not a trusted site" warning.

OtakarKlier_0-1692972316543.png

In order to get the client to trust the certificate, you have to install the root certificate onto all the clients.

Hope this helps.

L1 Bithead

yes, and my question was is there any benefit to buy third party certificate for outbound decryption? If I need manually import Root CA to my endpoints anyway (would it be self-signed or third party issued like from Digicert). 

Cyber Elite
Cyber Elite

Hello,

With a paid public certificate, the client already has the root certificate installed and you dont have to deploy it. If you have active directory in your internal network, you can use a subordinate certificate and your windows client will automatically trust it.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWOCA0

Regards,

Hi @Shahlar 

Could you show us the public CA certificate you bought? Because I think there is no way to get a public CA certificate that you can use for outbound decryption and the only way to do this is with a locally self signed cert or with a CA cert from an already existing internal CA. Public certificates (no CA certs) you can use for inbound decryption - so to decrypt specific traffic to one or a few webservers (for example with a wildcard certificate). 

Hi @Remo 

 

Here is a snapshot from Palo Alto. Plus in certificate itself the field: Subject Type=CA.

Btw, I have one Root CA, one Intermediate CA and one ICA. And as I mentioned earlier, even though it's from DigiCert, I still need to import Root CA on my endpoints, so that they can trust to my Intermediate CA. Which leads to my original topic question: why I should play money to Digicert? I see no difference in their and mine self-signed. 

 

 

Web capture_29-8-2023_102914_10.50.0.7.jpeg

Cyber Elite
Cyber Elite

@Shahlar,

Digicert isn't going to sell you a subordinate CA certificate that is actually trusted by the default root and intermediate certificates, if they did they'd quickly become an untrusted certificate authority like Symantec. They'd essentially be selling certificates with the ability to MITM every single major operating system and browser used by normal individuals. 

think you may have purchased a dedicated intermediate from Digicert, and in the process of using it for this massively violated ToS of the product. In the event that this was what you did, then the behavior is actually expected

behavior with how you would have been using the certificate. 

 

I'd highly recommend getting an actual SubCA certificate generated if you have your own in-house PKI system so that your clients automatically trust the generated certificates. If you don't have your own PKI system, just generate a certificate on the firewall and feed it out to all connected clients. This can be done through GPO and most MDMs.

 

In the event that you don't have Group Policy to fall back on and you don't have an MDM, you can actually get the certificate deployed through GlobalProtect upon connection easily. Under your Portal Agent configurations add the certificate as a 'Trusted Root CA' and ensure that you have the box checked for 'INSTALL IN LOCAL ROOT CERTIFICATE STORE'. Anyone connecting to GlobalProtect will now have those certificates installed automatically the next time they connect. 

L1 Bithead

Hi @BPry 

 

Thank you for the detailed answer. What do you mean by violating ToS? How having third party SSL Decryption certificate violates the ToS? 

 

I see, so in general there is no point to use third party certificate for SSL Decryption, unless it's from you own PKI (which may be on outsource)

Cyber Elite
Cyber Elite

Hi @Shahlar ,

 

You said, "we just obtained CA certificate for SSL decryption for testing purposes".  Was this a public certificate and did you also get the private key?  I have never heard of a public certificate authority issuing a CA certificate to a user.  Then the user could issue certificates on their behalf, defeating the whole purpose of a trusted CA.

 

The issue is not that there is no point to using public CAs for SSL Forward Proxy.  You can't get a public CA certificate and private key.  If you have one, I am very curious how you got it.  Maybe I am missing something.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

L1 Bithead

Hi @TomYoung 

 

I cleared that out already for myself. So it's not public trusted CA, its CA from public trusted authority. But CA itself is private and acts the same way as self-signed(import root CA into endpoint, so they wlll trust your private CA on Palo Alto). Which confuses me, then why should I use that private certificate and if there any benefits. 

  • 9630 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!