king-ed
Level 7

SSL Scanning - Certificate

Hello

We currently install a certificate on client computers to enable SSL scanning on clients to suppress SSL errors in the browser. Can I purchase a certificate from somewhere which I can install on my MWG to avoid having to install a certificate on clients to prevent these SSL errors? If so, what kind of certificate & can anyone give me any pointers?

Thanks

0 Kudos
5 Replies
asabban
Level 17

Re: SSL Scanning - Certificate

Hello,

you need a certificate authority, a certificate that is allowed to sign other certificates. You will most likely not get one from one of the trusted vendors, so you usually have to implement your own company-wide CA and roll out that certificate or get a subordinate CA certificate from an existing CA within your company and import that into MWG. In that case the existing CA certificate should already be rolled out to clients, for example within your AD domain.

Best,

Andre

0 Kudos
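The requirement described in the reply above, as an added example that is not part of the original thread or of any MWG tooling: a throwaway root CA stands in for the company CA, and the script issues both a subordinate CA certificate and an ordinary server certificate, then checks which of the two can issue site certificates that a client trusting only the root will accept. All names, the `x.cnf` file and the helper functions are constructed for illustration; it assumes the `openssl` command-line tool.

```shell
# Added example: throwaway keys, constructed names (Example Corp, example.test).
# Requires the openssl CLI; nothing here is taken from the gateway product.
issue() {  # args: dir issuer name ext-section subject
    openssl req -new -config "$1/x.cnf" -newkey rsa:2048 -nodes -subj "$5" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 30 -extfile "$1/x.cnf" -extensions "$4" \
        -out "$1/$3.crt" 2>/dev/null
}

setup_pki() {  # $1 = empty working directory
    # root: company CA clients already trust. subca: what the gateway needs.
    # server: an ordinary certificate. site_*: re-signed site certs, one per candidate.
    cat > "$1/x.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[rootca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[subca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
EOF
    openssl req -x509 -config "$1/x.cnf" -extensions rootca -newkey rsa:2048 \
        -nodes -days 30 -subj "/CN=Example Corp Root CA" \
        -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null &&
    issue "$1" root subca subca "/CN=Example Corp Gateway Sub CA" &&
    issue "$1" root server leaf "/CN=gateway.example.test" &&
    issue "$1" subca site_ok leaf "/CN=www.example.test" &&
    issue "$1" server site_bad leaf "/CN=www.example.test"
}

can_sign() {  # true when the certificate is a CA with certificate-signing key usage
    t=$(openssl x509 -in "$1" -noout -text) &&
    echo "$t" | grep -q 'CA:TRUE' && echo "$t" | grep -q 'Certificate Sign'
}

client_accepts() {  # args: dir intermediate site; the client trusts only root.crt
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/$2.crt" "$1/$3.crt" >/dev/null 2>&1
}
```

After `d=$(mktemp -d); setup_pki "$d"`, the call `client_accepts "$d" subca site_ok` succeeds while `client_accepts "$d" server site_bad` fails, because the ordinary server certificate carries `CA:FALSE` and no certificate-signing key usage.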
king-ed
Level 7

Re: SSL Scanning - Certificate

Thanks Andre & Michael.

Do you have any suggestions for organisations where users bring their own devices & are outside of the AD environment?

Many thanks

0 Kudos
asabban
Level 17

Re: SSL Scanning - Certificate

Hello,

for everyone within the AD environment I would distribute the certificate via GPO. For all other users I would introduce a "welcome page" which gives some advice on this topic. A "welcome page" (also known as captive portal) will show a custom site once a day when a user starts browsing. You could place some comments about SSL Scanning and provide hints on how users can manually import the CA certificate into their browsers.

As an alternative, you can easily place a link to such documentation in all error templates.

Best,

Andre

0 Kudos
king-ed
Level 7

Re: SSL Scanning - Certificate

Great, can you offer any advice on captive portal & error templates etc?

Thanks

0 Kudos
McAfee Employee

Re: SSL Scanning - Certificate

Example of such a vendor that Andre refers to: https://www.globalsign.com/certificate-authority-root-signing/

best,

Michael

0 Kudos