Wildcard cert



L2 Linker

I recently set up a backup internet provider and bought a wildcard cert instead of renewing our previous cert. Previously we just had a cert for remote.mydomain.com, from Network Solutions, that we used for GlobalProtect. I have external DNS A records set for remote.mydomain.com with an IP from our main provider. I also set up an A record for remote2.mydomain.com with an IP from the backup provider. I have not created any automatic failover for GP. I was looking at just manually having GP users change to the secondary portal if our main goes down. I have seen some articles on doing this without a CA but am not sure of the exact procedure when using a CA for the wildcard cert. I also have certs generated by the firewall that I used as the trusted root cert and SSL decryption certs. I was hoping to use the one wildcard cert for all of these now. I recall having an issue in the past because I believe Network Solutions also has intermediate certs I needed to account for. Looking for pointers if anyone has been through a setup like this before.


Thanks in advance

4 Replies

L7 Applicator

Hi @gvyskocil 

The wildcard cert will work perfectly fine for external GlobalProtect portals and gateways, but you cannot use this one for SSL decryption. For SSL decryption you need a CA certificate, and this you will not get from any public Certificate Authority. So there is no other option than generating one locally or from an internal CA in your company.

I agree with @Remo, there is no way that any public certificate provider will give you a CA to create certs on their behalf. You could then try to sell their certs and charge for them.

You have to use an Internal CA or allow the firewall to create them for you.

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

L2 Linker

Thanks for the replies. I guess I was confused on the setup for decryption. For outbound I thought I needed to configure SSL forward proxy, and best practice is to use an enterprise CA as the forward trust certificate. As both posters noted, that is an internal enterprise CA, not a public one as I thought I might use. Or I can just use self-signed certificates from the firewall. Then it looks like I need a different certificate for a forward untrust certificate. I will probably just use self-signed on both for now. I was getting confused, as inbound traffic is part of web traffic, but it looks like the key is that the session itself starts as outgoing. The traffic only starts when an internal user requests an external website, and I need to look at that as outbound.


SSL inbound inspection would be if I have some internal server that people access from outside? For that part can I use the wildcard cert? I have a public cert that server uses for TLS that I am looking at switching to the wildcard cert.


Thanks again for the replies. I think I am getting a better understanding of this now.

Hi @gvyskocil 

Yes, you're right. For inbound inspection you can use the wildcard certificate.
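To make the thread's three points concrete, here is an added example (not code from the posts above or from Palo Alto Networks). It builds a throwaway three-tier PKI (root, issuing CA, *.mydomain.com leaf) in a temp directory with the openssl CLI and then checks: (1) that only a cert carrying basicConstraints CA:TRUE can sign other certs, which is why a public wildcard server cert cannot be the Forward Trust or Forward Untrust certificate; (2) that the wildcard covers remote.mydomain.com and remote2.mydomain.com but only one label deep; and (3) that the leaf verifies against the root only when the intermediate is supplied with it, which is the intermediate-cert problem the original poster remembers. The "Example Lab" CA names are made up, mydomain.com is the thread's own placeholder, and the script assumes an openssl CLI of 1.1.1 or later.

```shell
#!/bin/sh
# Added example for this thread (not code from the original posts or from
# Palo Alto Networks). Throwaway PKI: root -> issuing CA -> *.mydomain.com.
# "Example Lab ..." names are made up. Requires the openssl CLI (1.1.1+).
set -e
LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT

# One req config: a DN section (overridden by -subj below) plus one
# extension section per role.
cat > "$LAB/pki.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[inter]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.mydomain.com, DNS:mydomain.com
EOF

# mkcert ROLE SUBJECT NAME [ISSUER]: self-signed when no issuer is given,
# otherwise a CSR signed by ISSUER with the ROLE extension section applied.
mkcert() {
  role=$1; subj=$2; name=$3; issuer=$4
  openssl ecparam -name prime256v1 -genkey -noout -out "$LAB/$name.key"
  if [ -z "$issuer" ]; then
    openssl req -x509 -new -key "$LAB/$name.key" -subj "$subj" -days 1 -sha256 \
      -config "$LAB/pki.cnf" -extensions "$role" -out "$LAB/$name.pem"
  else
    openssl req -new -key "$LAB/$name.key" -subj "$subj" \
      -config "$LAB/pki.cnf" -out "$LAB/$name.csr"
    openssl x509 -req -in "$LAB/$name.csr" -CA "$LAB/$issuer.pem" \
      -CAkey "$LAB/$issuer.key" -CAcreateserial -days 1 -sha256 \
      -extfile "$LAB/pki.cnf" -extensions "$role" -out "$LAB/$name.pem" 2>/dev/null
  fi
}
mkcert root  "/CN=Example Lab Root CA"    root
mkcert inter "/CN=Example Lab Issuing CA" inter root
mkcert leaf  "/CN=*.mydomain.com"         leaf  inter

# 1. CA:TRUE in basicConstraints is what lets a cert sign other certs; a
#    forward-proxy decryption cert must pass this, a public wildcard does not.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# 2. Hostname coverage as a TLS client judges it (OpenSSL's X509_check_host:
#    RFC 6125 wildcard rules, one label only, SAN takes precedence over CN).
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# 3. Chain building against the root alone, or with the intermediate offered
#    as an untrusted extra the way a server sends it in the handshake.
chain_verifies() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$LAB/root.pem" -untrusted "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$LAB/root.pem" "$1" >/dev/null 2>&1
  fi
}

report() { if "$@"; then echo "yes: $*"; else echo "no:  $*"; fi; }
for c in root inter leaf; do report is_ca_cert "$LAB/$c.pem"; done
for h in remote.mydomain.com remote2.mydomain.com mydomain.com vpn.east.mydomain.com; do
  report cert_matches_host "$LAB/leaf.pem" "$h"
done
report chain_verifies "$LAB/leaf.pem"
report chain_verifies "$LAB/leaf.pem" "$LAB/inter.pem"
```

Run as-is and read the yes/no lines: root and inter are CAs, the leaf is not; the leaf covers both portal names and the bare domain but not vpn.east.mydomain.com; and the leaf fails against the root until the intermediate is presented. The same three checks apply to a real wildcard cert from a public CA: run is_ca_cert on it to confirm it cannot serve as a Forward Trust cert, run cert_matches_host for every portal and gateway name, and keep the issuing CA's intermediate next to the leaf wherever the leaf is installed.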

  • 2885 Views
  • 4 replies
  • 0 Likes