01-02-2022 04:05 PM
Hi @Gareth.Doyle ,
The short answer is no, you cannot "ask for cert from CA". But I want you to think about why is not possible, because this is common misunderstanding of how the SSL certificates and decryption are working.
- When you want to establish encrypted connection to web server, you need to make sure that the server you are talking to is the correct server and not some imposter.
- For that purpose the web server send you its SSL certificate, which contains some information that it can be used to validate the identity of the server.
- But what is stopping me from pretending that I am the real server, by sending you a peace of paper that says "I am google, you can trust me".
- Here comes the Certificate Authorities (CA). CA are responsible to validate the information on this peace of paper and if the information is correct, they will sign it as proof that is real.
- Every browser/application/device has "certificate store" that contains a list of CAs that this app/device will trust. If you receive certificate from web server that is signed by CA in your cert store you know that this information is correct and you connect to the real web server.
(This is very brief and simplified explanation of who your device is evaluating the web server certificate)
- When you want to inspect the traffic between the web server and the client, you need to decrypt it, but this is not really possible if you only sitting in between, because the keys used for encryption/decryption are never sent through and only the endpoints know what is the key.
- For that reason any modern network security device is actually creating two connection - one from client to device and one from device to server. For the client (end user) it believes it is communicating with real sever the whole time, and for the web server it believes the network device is the actual client.
- This also means that network sec device (lets call it firewall) will create two encrypted connection, but for each it will act as client and of the other as server.
- Because firewall needs to "pretend" it is the real server it needs to "forge" SSL certificate that it will use to communicate with the client (end user). It cannot use its own cert (putting its own name), because this will be very confusing (you open google.com, but receive reply from myfirewall.local).
- Forging SSL cert, means that firewall will create this certificate on the fly (in the moment you want to communicate with the web server), and put details to impersonate the web site.
- As mentioned above, every server certificate must be signed by CA. And your device/application must trust this CA, or it will figure out that the received certificate is forged and not from the real web server, but created from imposter that cannot be trusted.
- Here comes the self-signed CA or internal PKI. For home or lab it is most common to use self-signed CA (CA that you have created on your firewall or on any other device with OpenSSL tools). But this means that you must install that CA to every certificate store that your devices are using.
- But think for a moment, when you visit web page (encrypted), you will receive different cert (for google, facebook, etc) and firewall will use the same CA to sign them.
Now lets get back to your question - Imagine just for a moment, that publicly trusted CA gives you their signing certificate, so you can install it on your firewall...Now you can decrypt any web site, without installing self-signed CAs on your devices (great), BUT....this also means that everybody in the world will trust any certificate that is created and signed by you...Which means you can decrypt everybody's traffic, what can stop you from doing this (only that you promise to not use is for bad thinks). Basically you are asking publicly trusted CA to handover to you their authority and their business, nothing is stopping you from selling certificates the same way like any CA.
I hope you can understand my explanation, why you cannot use public CA for forwarding proxy, so if you really want full decryption there is no workaround for that - you need self-signed CA, that must be installed on all of your devices.
If there are devices that you cannot install your CA on it, there are still some level of protection:
- First you can still apply Decryption rule, but with action no-decrypt. This will not decrypt the traffic, but will apply the decryption profile, which will block sessions with invalid certificates, or such that are using weak encryption. Not sure if this will bring you any real benefit in home environment
- Even with no decryption, you can still apply URL filtering. Firewall will not be able to look at the actual data to see the full URL/URI, but it will see the Common Name (CN) and Subject Alternative Name (SAN) from the server certificate so it can still have some idea what resource might be requested. For example, if you open https://fun.com/guns (just example), it will see that server cert is for fun.com and categorized as appropriate, but it will not see that you are looking at violent content on that site. So it will rely on more general categorization (for the whole domain, not particular content).
- And because CN and SAN are part of the ssl/tls certificate, URL categorization/filtering will work even for non web-based traffic, as long as it is using SSL/TLS encryption and SSL certificates. So you should be able to create custom URL categories with list of FQDNs and use it as matching criteria for your security rule (to allow traffic only to specific list of hosts), or you can add it to URL filtering profile and allow/block traffic based on URL categories.
