This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

SSL Decryption Certificate Self-Signed vs Public Trusted CA

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

SSL Decryption Certificate Self-Signed vs Public Trusted CA

Shahlar
L1 Bithead

‎08-25-2023 05:44 AM

Hi,

 

I searched and read a lot about it, but the more I read the more I get confused. I would appreciate, if someone explain me the difference between self-signed and public trusted certificates for SSL Decryption. As I understand, I need to import it into endpoints machines anyway to make decryption work. Then what is the point of public trusted certificate then? 

0 Likes Likes
12 REPLIES 12

Claw4609
Cyber Elite
Cyber Elite

‎08-25-2023 06:31 AM

Are you referring to inbound or outbound ssl inspection? For forward proxy (outbound) I dont believe you can use a public certificate, you can use either a self-signed certificate or a cert signed by your internal CA (if applicable). Clients would need to trust the forward trust certificate. 

 

 

Configure SSL Forward Proxy (paloaltonetworks.com)

 

Configure SSL Inbound Inspection (paloaltonetworks.com)

0 Likes Likes

Shahlar
L1 Bithead
In response to Claw4609

‎08-25-2023 06:42 AM

I am talking about outbound inspection. But I can buy and install third party issued certificate. Like in this article: Difference Between SSL Forward-Proxy and Inbound Inspection Dec... - Knowledge Base - Palo Alto Netw...

Here is the quote:

""Note: If you want to use a certificate issued by third party, it needs to be a CA certificate and you will have to import public AND private key (Key Pair). ""

 

Plus, we just obtained CA certificate for SSL decryption for testing purposes. The point of this was to avoid manual import to any device/software but seems like even in this case we still need manual import.

0 Likes Likes

Claw4609
Cyber Elite
Cyber Elite
In response to Shahlar

‎08-25-2023 07:04 AM

You would effectively just need a certificate that your clients trust and can sign certificates on the fly. 

0 Likes Likes

OtakarKlier
Cyber Elite
Cyber Elite

‎08-25-2023 07:05 AM

Hello,

Its how the clients behind the firewall with their traffic flowing out through the firewall see the certificate. If its 'self-signed', then the client will not trust the certificate and the end user will get the "This is not a trusted site" warning.

OtakarKlier_0-1692972316543.png

In order to get the client to trust the certificate, you have to install the root certificate onto all the clients.

Hope this helps.

0 Likes Likes

Shahlar
L1 Bithead

‎08-25-2023 07:16 AM

yes, and my question was is there any benefit to buy third party certificate for outbound decryption? If I need manually import Root CA to my endpoints anyway (would it be self-signed or third party issued like from Digicert). 

0 Likes Likes

OtakarKlier
Cyber Elite
Cyber Elite

‎08-25-2023 07:20 AM

Hello,

With a paid public certificate, the client already has the root certificate installed and you dont have to deploy it. If you have active directory in your internal network, you can use a subordinate certificate and your windows client will automatically trust it.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWOCA0

Regards,

0 Likes Likes

Remo
L7 Applicator
In response to Shahlar

‎08-26-2023 11:51 PM

Hi @Shahlar 

Could you show us the public CA certificate you bought? Because I think there is no way to get a public CA certificate that you can use for outbound decryption and the only way to do this is with a locally self signed cert or with a CA cert from an already existing internal CA. Public certificates (no CA certs) you can use for inbound decryption - so to decrypt specific traffic to one or a few webservers (for example with a wildcard certificate). 

0 Likes Likes

Shahlar
L1 Bithead
In response to Remo

‎08-29-2023 01:41 AM

Hi @Remo 

 

Here is a snapshot from Palo Alto. Plus in certificate itself the field: Subject Type=CA.

Btw, I have one Root CA, one Intermediate CA and one ICA. And as I mentioned earlier, even though it's from DigiCert, I still need to import Root CA on my endpoints, so that they can trust to my Intermediate CA. Which leads to my original topic question: why I should play money to Digicert? I see no difference in their and mine self-signed. 

 

 

Web capture_29-8-2023_102914_10.50.0.7.jpeg

0 Likes Likes

BPry
Cyber Elite
Cyber Elite

‎08-29-2023 06:43 AM

@Shahlar,

Digicert isn't going to sell you a subordinate CA certificate that is actually trusted by the default root and intermediate certificates, if they did they'd quickly become an untrusted certificate authority like Symantec. They'd essentially be selling certificates with the ability to MITM every single major operating system and browser used by normal individuals. 

think you may have purchased a dedicated intermediate from Digicert, and in the process of using it for this massively violated ToS of the product. In the event that this was what you did, then the behavior is actually expected

behavior with how you would have been using the certificate. 

 

I'd highly recommend getting an actual SubCA certificate generated if you have your own in-house PKI system so that your clients automatically trust the generated certificates. If you don't have your own PKI system, just generate a certificate on the firewall and feed it out to all connected clients. This can be done through GPO and most MDMs.

 

In the event that you don't have Group Policy to fall back on and you don't have an MDM, you can actually get the certificate deployed through GlobalProtect upon connection easily. Under your Portal Agent configurations add the certificate as a 'Trusted Root CA' and ensure that you have the box checked for 'INSTALL IN LOCAL ROOT CERTIFICATE STORE'. Anyone connecting to GlobalProtect will now have those certificates installed automatically the next time they connect. 

0 Likes Likes

Shahlar
L1 Bithead

‎08-29-2023 07:00 AM

Hi @BPry 

 

Thank you for the detailed answer. What do you mean by violating ToS? How having third party SSL Decryption certificate violates the ToS? 

 

I see, so in general there is no point to use third party certificate for SSL Decryption, unless it's from you own PKI (which may be on outsource)

0 Likes Likes

TomYoung
Cyber Elite
Cyber Elite

‎08-29-2023 09:11 AM

Hi @Shahlar ,

 

You said, "we just obtained CA certificate for SSL decryption for testing purposes".  Was this a public certificate and did you also get the private key?  I have never heard of a public certificate authority issuing a CA certificate to a user.  Then the user could issue certificates on their behalf, defeating the whole purpose of a trusted CA.

 

The issue is not that there is no point to using public CAs for SSL Forward Proxy.  You can't get a public CA certificate and private key.  If you have one, I am very curious how you got it.  Maybe I am missing something.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Shahlar
L1 Bithead

‎08-30-2023 01:19 AM

Hi @TomYoung 

 

I cleared that out already for myself. So it's not public trusted CA, its CA from public trusted authority. But CA itself is private and acts the same way as self-signed(import root CA into endpoint, so they wlll trust your private CA on Palo Alto). Which confuses me, then why should I use that private certificate and if there any benefits. 

  • 8759 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks