Hello - We are deploying MWG as forward proxy. We have internal certificate server and all the internal apps trust any certificate generated from our internal certificate server.
I'm trying to import a certificate to enable SSL Scanning. I have been given different answers by different technicians.
Per our security team, we can generate an SSL certificate from Entrust with private key.
Will that be sufficient to import as Known CA and enable SSL scanning?
I also see an option for "SSL Client Context without known CA." It seems like that certificate is the one which has hostname attached to it. Because the certificate that we would get from Entrust will have hostname tagged to it. So can we import here and use SSL scanning?
We don't use Microsoft Subordinate or anything like that. Please help and let me know what is needed here. Thank you.
In order to perform SSL inspection, you need a certificate authority (aka CA).
This is different from a web server certificate -- which is what your PKI team probably gets a lot of requests for, so when you ask them for a certificate, that's what you'll get. Entrust will not likely generate you another CA; they will likely only be able to generate a web server certificate -- the metaphor I like to use for this situation is... if you asked Entrust to give you a CA, it's like asking the government if you can print your own money.
The setting for "SSL Client Context without CA" is not used for forward proxy SSL inspection. It's used for reverse proxy SSL inspection (aka protecting web servers).
Most customers have some sort of PKI infrastructure set up; this may be very basic.
You could set up an offline root CA (with openssl or Microsoft), then create an online issuing CA, and generate an SSL inspection certificate off of the online issuing CA. This is ideal because you will have the ability to revoke trust if something were to happen -- using a CRL. This article goes over the commands you'd need (nothing McAfee specific -- just look for "setting up an offline root ca using openssl"):
Otherwise you could set up a self-signed CA on MWG, but if it was compromised in some way, there is no way to revoke the trust on the clients (unless you pull the certs off).