Can 3rd party certificates be installed on NGFW so SSL Inspector works without installing the certificate?
Unfortunately this is not possible because of the architecture of SSL. In order to inspect HTTPS traffic the NG Firewall must decrypt, inspect, and then re-encrypt the traffic. We accomplish this by "masquerading" as the server in question: looking at the site that the browser is going to and dynamically generating an SSL Server Certificate for that site.
Every SSL Server Certificate is signed by a "Certificate Authority." It is this Certificate Authority that is trusted by the browser. A Certificate Authority's job is to verify the identity of the site in question.
For example, let's say Carl Brown (client browser) wants to talk to Walter Smith (Website) but doesn't know Walter Smith. He does, however, know Carly Adams (Certificate Authority) and trusts her judgement. So Walter Smith shows Carl Brown a letter signed by Carly Adams certifying 'This is Walter Smith and you can trust him': this is what happens when you accept an SSL certificate. You don't know the server, but you trust that the Certificate Authority has verified it.
In order to accomplish what you're requesting, you'd need to either get GeoTrust or Verisign to give you permission to use their certificate to sign website certificates dynamically, or you need to get the browsers to trust your new certificate authority.
Since the former is impossible, you need to do the latter.
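The two-step chain described above (a local CA dynamically signs a per-site certificate, and the client only accepts it if that CA is in its trust store) can be reproduced end to end with the Go standard library. The following is an added example, not code from NG Firewall or the SSL Inspector app; the CA name, the hostname www.example.com and the short certificate lifetimes are constructed for the demonstration. The function names newInspectionCA, issueForHost and browserAccepts are hypothetical and model, respectively, Carly Adams, the letter she signs for each Walter Smith, and Carl Brown deciding whether to believe it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// inspectionCA is the local Certificate Authority the inspecting firewall signs with.
// Constructed for this example; a real deployment generates its own CA once and
// distributes only the certificate (never the private key) to managed clients.
type inspectionCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newInspectionCA creates a self-signed CA certificate with the CertSign key usage,
// which is what a browser requires before it will accept certificates issued by it.
func newInspectionCA() (*inspectionCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Inspection CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &inspectionCA{cert: cert, key: key}, nil
}

// issueForHost mimics the dynamic per-site certificate the firewall generates when it
// sees which site the browser is connecting to. The leaf is short-lived, carries the
// hostname in its SAN list and is signed by the inspection CA's private key.
func (ca *inspectionCA) issueForHost(host string) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &leafKey.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// browserAccepts models the client side: the presented leaf must chain to a root in the
// client's trust store and must be valid for the hostname the user typed. A nil result
// means the browser shows no warning; an error is the certificate warning the user sees.
func browserAccepts(leaf *x509.Certificate, host string, trusted *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: trusted})
	return err
}

func main() {
	ca, err := newInspectionCA()
	if err != nil {
		panic(err)
	}
	leaf, err := ca.issueForHost("www.example.com")
	if err != nil {
		panic(err)
	}
	withCA := x509.NewCertPool()
	withCA.AddCert(ca.cert)
	fmt.Println("inspection CA installed on client:", browserAccepts(leaf, "www.example.com", withCA))
	fmt.Println("inspection CA not installed:       ", browserAccepts(leaf, "www.example.com", x509.NewCertPool()))
}
```

The second call fails with an "unknown authority" error even though the leaf is perfectly well formed: nothing about the dynamically generated certificate is wrong, the client simply has no reason to believe the CA that signed it. That is exactly why the choice on this page comes down to either a public CA delegating its signing key (which they will not do) or installing the inspection CA's certificate on each client. When rolling the CA certificate out, distribute only the certificate and keep the CA private key on the firewall, since anyone holding that key can issue certificates every managed client will accept.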