External certificate for SSL Inspection does not work

Briz Posts: 20  Freshman Member
edited April 2021 in Security

Hi,

this is my first question.

For my USG310 I bought and installed an external certificate following this guide:

ftp://ftp.zyxel.it/guide/usg/guide_next_gen_usg_firmware_4/next_gen_usg_ssl_import.pdf

I have configured it for 'SSL Inspection', but when I try to navigate I receive the error "NET::ERR_CERT_INVALID".

In the browser certificate info I see this alert: 'certificate invalid for the selected purpose'


When I generated the Certificate Request I had this 'key usage':

After importing the generated certificate:

Is my problem caused by this?

Is the problem the 3rd Party SSL Certificate Authority, which generates the certificate without the needed 'key usage'?

All Replies

  • Briz
    Briz Posts: 20  Freshman Member

    I found this in the knowledge base:

    https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=015551&lang=EN

    If I understand correctly, it is not possible to configure an external certificate for SSL inspection!

    So the guide I found is wrong?

  • Briz
    Briz Posts: 20  Freshman Member

    Any answers?

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,450  Zyxel Employee

    Hi @Briz

    Welcome to Zyxel Community.

    The KB is correct. The external certificate is a type of end-entity certificate, which is a digitally signed statement issued by a Certificate Authority.

    In an SSL inspection scenario, you cannot import an “end-entity” certificate as a root CA.

    Please use a self-signed certificate for SSL inspection.

  • Briz
    Briz Posts: 20  Freshman Member

    Hi @Zyxel_Cooldia,

    Thanks for your reply, now I use a self-signed certificate for SSL inspection.

    For clarity, I meant this as an incorrect guide:

    ftp://ftp.zyxel.it/guide/usg/guide_next_gen_usg_firmware_4/next_gen_usg_ssl_import.pdf

    On page 8, under "SSL Inspection", it sets the external certificate bought from a 3rd Party SSL Certificate Authority.

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,450  Zyxel Employee

    Hi @Briz ,

    Thank you for highlighting the error in our documentation.

    We will correct this guide.
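
Added example, not part of the thread and not Zyxel code: the answer above separates an end-entity certificate from a CA certificate, and the question asks about 'key usage'. This script reads both fields with the OpenSSL CLI and reports whether a certificate is allowed to sign other certificates. The two certificates, the config file, and the names `make_cert`, `can_sign_certs` and `constructed.example` are constructed for illustration.

```shell
#!/bin/sh
# Added example: every certificate and name below is constructed test data.
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT

cat > "$d/x.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed.example
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_ee]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF

# make_cert NAME SECTION: self-signed test certificate carrying SECTION's extensions
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/x.cnf" \
        -extensions "$2" -keyout "$d/$1.key" -out "$d/$1.pem" 2>/dev/null
}

# can_sign_certs CERT.pem: returns 0 only if the certificate may issue other
# certificates (RFC 5280: basicConstraints CA:TRUE, and keyCertSign if keyUsage exists)
can_sign_certs() {
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    if ! printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
        echo "$1: basicConstraints is not CA:TRUE (end-entity certificate)"
        return 1
    fi
    # keyUsage is optional, but when present it must include keyCertSign
    if printf '%s\n' "$text" | grep -q 'X509v3 Key Usage' &&
       ! printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign'; then
        echo "$1: keyUsage lacks keyCertSign"
        return 1
    fi
    echo "$1: CA certificate, allowed to sign other certificates"
}

make_cert ca v3_ca   # extensions of a self-signed CA
make_cert ee v3_ee   # extensions typical of a server certificate
can_sign_certs "$d/ca.pem" || true
can_sign_certs "$d/ee.pem" || true
```

Running `can_sign_certs` against a purchased certificate before importing it shows whether it carries CA rights at all.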
