This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

SSL Decryption - getting spoof cert out to BYOD personal devices

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

SSL Decryption - getting spoof cert out to BYOD personal devices

Go to solution
dannon
L3 Networker

‎11-20-2014 11:27 AM

We are in the process of setting up SSL decryption.  We have a BYOD wireless network that needs to have SSL decryption turned on.  Students can connect with their personal devices, so we need to be able to block Facebook, porn, etc.that are coming in over HTTPS.  We've got it working with organization-owned equipment but are having hang-ups with personal devices.

My question is more of a general one to the rest of the users: if you are doing this too, how do you get the cert available to the end user so they can install on their device?  We were thinking of having an internal web page that explains the need to install the cert, and have it include a URL to download the cert from the internal web server.  I know with other filtering appliances we've had in the past, we did this, and end-users could never figure out how to put the cert in "Trusted Root Certification Authorities" store.

Would there be a better way to handle this?

Thanks,

Dan

Labels:
0 Likes Likes
8 REPLIES 8

Go to solution
hshah
L6 Presenter
In response to dannon

‎11-24-2014 03:36 PM

Hi Dannon,

We could solve this dilemma by enforcing Client Certificate Authentication - There by you can give the users certificates, signed by the Local CA

and they will put that in the Root Cert Store

Regards,

Hardik Shah

0 Likes Likes

Go to solution
ChrisV
L0 Member

‎11-24-2014 09:15 PM

+1 need this for education sector, would be VERY useful and push out some competing products which claim to already do this.

Would be very useful when no ssl certificate detected, a portal page detecting the device (ios/android/windows/macos) provided an install mechanism for the certificate.

0 Likes Likes

Go to solution
gwesley
L2 Linker

‎11-25-2014 10:22 PM

It would be tough to do a redirect to a web page if the client doesn't trust us as a CA - which is the problem we're trying to solve here.  I've emailed certs to users with instructions to install, and that has worked ok.  For mobile devices, a solution like our Mobile Security Manager has the ability to simplify provisioning of common configuration like email and certificates.

0 Likes Likes

Go to solution
dannon
L3 Networker

‎12-02-2014 01:16 PM

In the end, we setup an internal web server (IIS7) and have several HTML pages.  We also have a link to the SSL-cert and screenshots on how to install it on various client OSs.

We have our Cisco WLC 5508 wireless controller redirecting BYOD guests to this page after they connect.

This was the quickest and simplest way for us.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks