
Can 3rd party certificates be installed on NGFW so SSL Inspector works without installing the certificate?

No. Unfortunately this is not possible because of the architecture of SSL. In order to inspect HTTPS traffic, the NG Firewall must decrypt, inspect, and then re-encrypt the traffic. To do this it "masquerades" as the server in question. This is accomplished by looking at the site the browser is going to and dynamically generating an SSL server certificate for that site.

Every SSL server certificate is signed by a "Certificate Authority," and it is this Certificate Authority that the browser trusts. A Certificate Authority's job is to verify the identity of the site in question.

For example, let's say Carl Brown (client browser) wants to talk to Walter Smith (website) but doesn't know Walter Smith. He does, however, know Carly Adams (Certificate Authority) and trusts her judgement. So when Walter Smith shows Carl Brown a letter signed by Carly Adams saying "this is Walter Smith and you can trust him," Carl Brown accepts it. This is what happens when you accept an SSL certificate: you don't know the server, but you trust that the Certificate Authority has verified it.

In order to accomplish what you're requesting, you'd need to either get GeoTrust or Verisign to give you permission to use their certificate to sign website certificates dynamically, or get the browsers to trust your new certificate authority.

Since the former is impossible, you need to do the latter.
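As an added example (not Untangle's code), the following shell script reproduces the mechanism described above with openssl: it creates a private inspection CA, mints a server certificate for a site on the fly, and shows that a client accepts that certificate only when the inspection CA is in its trust store. The CA name and the hostname www.example.com are constructed.

```shell
#!/bin/sh
# Added example, not Untangle's code: mimic SSL Inspector's certificate
# handling with openssl. The CA name and the hostname are constructed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. The inspection CA: the "Carly Adams" whose signature browsers must trust.
make_inspection_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Inspection CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# 2. Dynamically mint a server certificate for the site the browser asked for,
#    signed by the inspection CA (the "letter" vouching for the site).
mint_site_cert() {
  host="$1"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$host" > "$WORK/$host.ext"
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 7 \
    -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" >/dev/null 2>&1
}

# 3. What the browser does: chain the presented certificate to a trusted CA
#    and check the hostname. Returns 0 (trusted) or 1 (rejected).
#    Pass "" as the anchor to model a browser with no inspection CA installed.
verify_site_cert() {
  host="$1"; anchor="$2"
  if [ -n "$anchor" ]; then
    openssl verify -CAfile "$anchor" -verify_hostname "$host" \
      "$WORK/$host.crt" >/dev/null 2>&1 && return 0
  else
    openssl verify -no-CAfile -no-CApath -verify_hostname "$host" \
      "$WORK/$host.crt" >/dev/null 2>&1 && return 0
  fi
  return 1
}

# Demonstration: the same minted certificate is rejected without the CA and
# accepted once the CA is in the trust store.
make_inspection_ca
mint_site_cert www.example.com
if verify_site_cert www.example.com ""; then echo "accepted without CA?!"
else echo "rejected: client does not trust the inspection CA"; fi
if verify_site_cert www.example.com "$WORK/ca.crt"; then
  echo "accepted: inspection CA installed in the trust store"; fi
```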
