Wildcard cert

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Wildcard cert

L2 Linker

I recently setup a backup internet provider and bought a wildcard cert instead of renewing our previous cert. Previously just had a cert for remote.mydomain.com we used for globalprotect from network solutions. I have external DNS A records set for remote.mydomain.com with an ip from our main provider. I also set up an A record for remote2.mydomain.com with an ip from the backup provider. I have not created any automatic failover for GP. I was looking at just manually have GP users change to the secondary portal if our main goes down. I have seen some articles when doing this without a CA but not sure on the exact procedure when using a CA for the wildcart cert. I also have certs generated by the firewall I used as the trusted root cert and SSL decryption certs. I was hoping to use the one wildcard cert for all of these now. I recall having an issue in the past because I believe network solutions also has intermediate certs I needed to account for. Looking for pointers if anyone has been through a setup like this before.

 

Thanks in advance

4 REPLIES 4

L7 Applicator

Hi @gvyskocil 

The wildcard cert will work perfectly fine for external global protect portals and gateways, but you cannot use this one for SSL decryption. Fo SSL decryption you need a CA certificate and this one you will not get from any public Certificate Authority. So there is no other option than generating one locally or from an internal CA in your company.

I Agree with @Remo , there is no way that any public Certificate provider will give you a CA to create certs on their behalf.  You could then try to sell their certs and charge for them. 

You have to use an Internal CA or allow the firewall to create them for you.

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

L2 Linker

Thanks for the replies. I guess I was confused on the setup for decryption. For outbound I thought I needed to configure SSL forward proxy and best practice is to use a enterprise CA as forward trust certificate. As both posters noted, that is a internal enterprise CA, not a public one as I though I might use. Or I can just use self signed certificates from the firewall.  Then it looks like I need a different certificate for a forward untrust certificate. I will probably just use self signed on both for now. I was getting confused as inbound traffic is part of web traffic but looks like the key is the session itself starts as outgoing. The traffic only starts when an internal user requests an external website and I need to look at that as outbound.

 

SSL inbound inspection would be if I have some internal server that people access from outside? For that part can I use the wildcard cert? I have a public cert that server uses for TLS that I am looking at switching to the wildcard cert.

 

Thanks again for the replies. I think I am getting a better understanding of this now.

Hi @gvyskocil 

Yes, you're right. For inbound inspection you can use the wildcard certificate.

  • 3400 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!