Certificate for Flex 100 SSL inspection
Hi,
I would like to import a certificate signed by my own Windows Server domain CA to use with SSL inspection but it doesn't work (importation doesn't work). Error message : PKI certificate type is not supported
What I do : I make a new request on my domain CA for a certificate base on the "computer" model, common name "usgflex100". Certificate roles are server and client authentication. Key length 2048 bits. Provider : Microsoft RSA SChannel. I then export the certificate with the private key (PKCS12) and bang error when importing it on the device.
On the other side I tried to make a certificate request on the USG Flex 100 but when I try to sign it with my domain CA it says that no certificate model is specified and it stops there.
I would like to use a domain signed certificate because the CA propagates automatically to all domain computers.
What am I doing wrong ?
Thank you for your help,
Seb
I would like to import a certificate signed by my own Windows Server domain CA to use with SSL inspection but it doesn't work (importation doesn't work). Error message : PKI certificate type is not supported
What I do : I make a new request on my domain CA for a certificate base on the "computer" model, common name "usgflex100". Certificate roles are server and client authentication. Key length 2048 bits. Provider : Microsoft RSA SChannel. I then export the certificate with the private key (PKCS12) and bang error when importing it on the device.
On the other side I tried to make a certificate request on the USG Flex 100 but when I try to sign it with my domain CA it says that no certificate model is specified and it stops there.
I would like to use a domain signed certificate because the CA propagates automatically to all domain computers.
What am I doing wrong ?
Thank you for your help,
Seb
0
Accepted Solution
-
Hi @Sébastien,For SSL Inspection scenario, Flex 100 must to be the root ca, and all your clients need to trust this root ca certificate.Then the Flex 100 will be able to generate a certificate (base on the root CA certificate) for other hosts when they are trying to browse the external https websitesThere is no trusted CA will grant you a CA key for this purpose, it's against SSL inspection.5
All Replies
-
Hi @Briz,The external certificate is type of an end-entity certificate which is a digitally-signed statement issued by a Certificate Authority.In SSL inspection scenario, it is not allowed to import “end-entity” certificate as a root CA.Please select device default certificate for SSL inspection.0
-
So no way to use a certifiate issued by my own CA ?
Using the default certificate requires to deploy the USG's CA to all computers on the network, and browsers like Firefox or Chrome have their own trusted CAs lists... As I said previously, having a certificate issued by my own domain CA will help because my CA is trusted everywhere in the Windows domain.
What if I buy an SSL certificate on the web, will it work you think ?
Thanks
NOTE : not installing USG's CA on the client when using the default certicate for SSL inspection causes conflicts with ESET security program, which is another reason to use an already trusted CA0 -
Hi @Sébastien,For SSL Inspection scenario, Flex 100 must to be the root ca, and all your clients need to trust this root ca certificate.Then the Flex 100 will be able to generate a certificate (base on the root CA certificate) for other hosts when they are trying to browse the external https websitesThere is no trusted CA will grant you a CA key for this purpose, it's against SSL inspection.5
-
Ok understood ! Even if my certificate is issued by my CA or any other CA, the device will issue a new certificate for each website visited and therefore this certificate will not be trusted by my CA because it was issued by the device. Thanks for your help !
1
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 147 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight