Might be silly question, For inbound inspection does the cert has to be a CA.
We use a wildcart so that will have to imported as CA, correct?
Solved! Go to Solution.
The thing about a Decryption Certificate is that it needs to create certificates on the fly as part of the decryption process (Man in the Middle). You cannot purchase a 3rd Party CA (Certificate Authority) , as there is no way that GoDaddy or anyone else would allow you to create their SSL Certs (what a CA does). You either have to have an internal CA that you grant a CA to the Firewall to use as its own (And be trusted) or to use the Firewall as the CA.
Just about every SSL article that we have talks about using the built in CA on the Firewall, but I will see if I can find any that may explain the use of an External CA.
@jdelio Thanks for response..Yes all articles and videos show with self signed cert. But i can't use this self signed cert for our publicly exposed websites, it has to be a cert from external CA. Self signed can work if it was outbound encryption, which we are already performing with cert from our internal CA.
OK, you are talking about 2 things..
1. Outbound SSL Decryption - Where you use an Internal CA as the CA to create certs for internal users so they natively trust the CA cert.
2. Inbound SSL Decryption - Where you have a Web server that you want the firewall to decrypt traffic on behalf of.
In the second case, you end up using the Certificate from the Web Server. Essentially Posing AS that Web server, so you can decrypt and encrypt the traffic.
So, wherever you purchased the Cert for the Web server, you would just install that certificate on the firewall and use that cert for Inbound SSL decryption.. I am sure we have something on that..
Here is one that I created on SSL decryption
Also, FYI here is the SSL Decryption resource list:
hope this helps..
When setting up inbound inspection the certificate won't be a CA cert, you're just going to import the certificate and the private key. The following documentation will walk you through the setup process. Just keep in mind you'll likely want to limit the decryption rule base entry to a select test IP when getting everything setup so you don't cause any security issues on your public resource.
And just FYI the links shared earlier, i don't have access to them.
I used the wildcard cert now that we also use for GlobalProtect, but the first attempts are failing. I have opened a new discussion for that.
@raji_toor You do not have access to those articles? Do you get an error? everyone should have access to those.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!