SSL Certificate Inspection: CA Signed Cert or Self-Signed Cert?

mihirk (2020/03/06 13:51:14)

So I am trying to set up policies, and of course almost all of them require SSL inspection enabled.

I did issue the cert from the domain controller, which is self-signed, and imported it to the firewall.
Of course it will throw an error saying that it is not a valid SSL cert unless I install that cert as a Trusted Root on all PCs.

If we get a cert from a trusted CA, then how would that work?

Would I be using any of the following information:
Public IP: xx.xxx.xxx.xxx
Domain Name: xyz.local (AD Domain) or xyz.com (a domain we own).

Would SSL inspection still work if I get the CA-signed cert for the xyz.com domain?

I am pretty new to the SSL and certificates world, so I do not have much of an idea how things work.
#1
mj75 (2020/05/27 07:00:51)
Hello,

Bumping this thread!
I have the same problem.

Any ideas?
#2
emnoc (2020/05/27 11:03:14)
First, no public CA is going to issue you a CA root cert; that is not feasible, nor is it an option to buy just a root CA cert.

Your root CA is "your" root certificate; you just trust that in the OS or Firefox browser as a trusted root CA and be done.
 
Ken Felix
 

PCNSE 
NSE 
StrongSwan  
#3
sw2090 (2020/05/28 04:34:58)
Yeah, but they do issue sub-CA certs, Ken. Those can be used to sign certificates. The dark side is that this creates one more hop in the certificate verification path that has to be covered :/
#4
emnoc (2020/05/28 04:50:04)
So who do you think is issuing sub-CA certificates for resigning?

I think, for example, you cannot go to GeoTrust, Entrust or Comodo and just flat out order a sub-CA off any of the higher roots/intermediates that they have in the chain.

The public CA is making money by the issuance of certificates. If they gave every Tom, Dick or Harry a sub-CA upon request, then he or she could become a signer and reseller and sign like God..... 1 billion certificates under that chain ;)

That's not an offering that is offered to the general end-user.

BTW, I've worked with two major, well-known public CAs over the course of the last 8 years.
 
Ken Felix
#5
sw2090 (2020/05/28 04:56:48)
An intermediate to me is nothing else than a sub-CA ;)
And intermediates are meanwhile in common use for reselling. There is meanwhile a whole lot of smaller certificate sellers that issue certs based on an intermediate. A win-win for the CA: they have two channels for selling...

FGT SSL Deep Inspection, e.g., needs a sub-CA cert to work...
#6
emnoc (2020/05/28 05:45:11)
sw2090 wrote: FGT SSL Deep Inspection, e.g., needs a sub-CA cert to work...

You're not even 100% correct here and are providing misleading information or confusion.

I've done SSL inspection with both a single root CA or with an intermediate certificate (aka sub-CA) on FortiGates and a host of other firewall vendors, FWIW. (BTW, Forcepoint NGFW seems not to work with an intermediate, from my experience and testing... keep that in mind if you're doing a PoC or bake-off between vendors and have a heavy dependence on SSL VPN or SSL inspection and a deep chain. The support/development teams know about this, but I highly doubt the sales teams explain this limitation with the CA depth, & yes, this is me griping about this limitation.)

In SSL inspection, the certificate can be either a root CA or an intermediate CA certificate; the former is more ideal in a big organization, but I've seen various avenues and topologies used by private CAs for SSL inspection.

Either way that you go, the chain has to be trusted by the end-user (i.e. OS, browser).

In most of the top orgs and Fortune 500s, they're using Microsoft CA or generating their own self-signed PKI infrastructure, commonly by using openssl (that's what I do). When you go to a commercial CA for this, all they are doing is managing a "different chain" for you that is NOT the general public chain that you see in the browser or at the OS level.

They are NOT going to just give you a root CA for SSL inspection or resigning of intermediates, FWIW. You can't go as an individual and say "I want you to give me a root CA." Now if you're a big business (i.e. Fortune 500, mil, edu, NSA, etc...) they can build you "your" PKI CA & can build you a PKI infrastructure and give you rights to issue, for example, server certificates. I just did that recently with Entrust and GlobalSign. They typically call this service a "custom CA" or "custom ICA ... Intermediate Certificate Authority". They manage a complete PKI down to OCSP and CRL.

But a generic user like you or me is NOT going to get that, nor would it be cost effective to buy into that program or design as a generic end-user. We are talking about the TOP organizations or businesses (i.e. millions of dollars). These organizations are signing thousands of CSRs for various needs and reasons.

Keep this thought in mind: "all public CAs are really self-signed". The only difference from your private CA, or let's say your custom ICA if you went that route, is that yours is NOT publicly known or recognized ;).

The public CAs are paying the OS and browser vendors (i.e. Firefox) to be installed as a trust component in those systems. Technically speaking, probably 100K public CAs exist (probably more), but not all of them are in your Windows OS or Firefox browser as an accepted CA.

And finally, just guessing, probably 1 million+ CAs exist (public and private sector); again, not all of them are pre-installed into your end OS device or browser ;)
 
Ken Felix
#7