External certificate for SSL Inspection not work

Briz

Hi,

this is my first question.

For my usg310 I have buyed and installed a external certificate following this guide:

ftp://ftp.zyxel.it/guide/usg/guide_next_gen_usg_firmware_4/next_gen_usg_ssl_import.pdf

I have configured it for 'SSL Inspection' but when I try to navigate i receive error "NET :: ERR_CERT_INVALID"

In the browser certificate info i view this alert: 'certificate invalid for the selected purpose'

When i have generated the Certificate Request i have this 'key usage':

After Import generated certificate:

Is my problem caused by this?

The problem is the 3rd Party SSL Certificate Authority, which generates the certificate without needed 'key usage'?

Briz

I found this in the knowledge base:

https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=015551&lang=EN

If I understand correctly, is not possible to configure an external certificate for ssl inspection!

So the guide I found is wrong?

Briz

any answers?

Zyxel_Cooldia

Hi @Briz

Welcome to Zyxel Community. ?

The KB is correct. The external certificate is type of an end-entity certificate which is a digitally-signed statement issued by a Certificate Authority.

In SSL inspection scenario, you cannot import “end-entity” certificate as a root CA. 

Please use self-sign certificate for SSL inspection.

Briz

Hi @Zyxel_Cooldia,

thanks for your reply, now i use self-sign certificate for SSL inspection.

For clarity, I meant this as an incorrect guide:

ftp://ftp.zyxel.it/guide/usg/guide_next_gen_usg_firmware_4/next_gen_usg_ssl_import.pdf

on page 8 in "SSL Inspection" sets the external certificate buyed form 3rd Party SSL Certificate Authority

Zyxel_Cooldia

Hi @Briz ,

Thank you for highlighting the error in our documentation.

We will correct this guide.