- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
08-29-2014 12:51 AM
We provide internet access for public use (wifi hotspot). For better control and visibility, I would like to introduce SSL decryption (we already use it for our internal users). But there is no way I can deploy the certificate to those users (who I don't know and don't control their devices).
Is there any way I can enhance control and visibility of web applications in another way ? "Transparent" SSL decryption ?
08-29-2014 01:37 AM
Hello Dieterb,
Even if, you will not deploy that certificate to wifi hotspot users, the traffic will be decrypted. But, every time they will get a certificate warning, while access any SSL page. Since the self generated certificate is issued by PAN firewall and it is not in the browser's certificate ring.
A related discussion thread on same topic: Decryption certificate
Hope this helps.
Thanks
08-29-2014 01:45 AM
I know, but I think it's not done to confront users with constant certificate errors.
I know about the ssl decryption opt-out response page. I could warn the users about this. But I think that is a global option, so it would also appear to our internal users (which is not necessary).
What do others do with public internet traffic passing their PA?
08-29-2014 01:51 AM
Yes, you are correct. opt-out response page is a global setting, hence it will be applicable for your internal user's as well.
How to Enable/Reset the Opt-Out Page for SSL Decryption
Thanks
09-02-2014 03:33 PM
Hi dieterb,
The only way that you might be able to accomplish this is to use a decrypt certificate that is issued by a trusted root CA.
This is the only option since you do not have the ability to push the cert yourself to the devices, since you do not control them.
Using an untrusted certificate looks bad and will prompt the users every time they visit a site to accept the "risk" since their traffic is being "men in the middled" by a device that was cert from an unknown CA.
You can pay a couple of 100$ and get a cert and have no worries about this at all. Most of the customer I have seen prefer this solution.
I hope this helps you.
BR
09-02-2014 03:58 PM
Hi ialeksov,
It's not possible to purchase a Trust Root CA. What you can buy is a server type certificate, with a specific hostname.
If it was so easy, you can easily imagine the world would not be secure anyomore....
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!