infosecjeff
Level 7

Signed Certificate for SSL Scanner


I realize in a Windows Domain Environment via GPO we can install the self-signed certificate of the Web Gateway in all our domain computer's Trusted Certification Authority container for our web clients; but if we expect to have a lot of guest computers, and we want to perform SSL scanning could we install a Trusted Authority Certificate on our Web Gateway, even if the Web Gateway is on an internal network and not an externally published FQDN?

0 Kudos
1 Solution

Accepted Solutions
eelsasser
Level 15

Re: Signed Certificate for SSL Scanner


I just happened to be buying an SSL cert for another purpose when I came across this.

You can buy a publicly signed Subordinate cert, but the requirements are steep.

http://www.geotrust.com/enterprise-ssl-certificates/georoot/

(excerpt :)

GeoRoot Eligibility Requirements

To purchase GeoRoot you must meet the following minimum requirements:

  • Net worth of $5M or more
  • A minimum of $5M in Errors and Omissions insurance
  • Articles of Incorporation (or similar) and an incumbency certificate provided
  • A written and maintained Certificate Practice Statement (CPS)
  • A FIPS 140-2 Level 2 compliant device (GeoTrust has partnered with SafeNet, Inc.) for key generating and storing your root certificate keys
  • An approved CA product from Baltimore/Betrusted, Entrust, Microsoft, Netscape or RSA
0 Kudos
3 Replies
McAfee Employee

Re: Signed Certificate for SSL Scanner


Hello Jeff,

you can for sure. You'd need to get a subordinate CA from Thawte, Verisign and the like. This involves much money and lawyers as you will automatically become a subsite of the Root CA. What I'd suggest instead would be to simply use the welcome page functionality to inform guest users (identified by IP?) to download and install the CA cert from a network share or via HTTP from MWG and install it manually.

best,

Michael

0 Kudos
Chanson
Level 7

Re: Signed Certificate for SSL Scanner


Hello Jeff,

If you do decide to go the route of pushing out your own self-signed Root CA there is a very good third party site detailing how to do this with group policy here:

http://unixwiz.net/techtips/deploy-webcert-gp.html

0 Kudos
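Whether the CA cert is pushed by GPO (as in the link above) or installed by hand from the welcome page as Michael suggests, the failure mode is the same: a client that does not have the gateway's CA in its Trusted Root store gets certificate errors on every scanned HTTPS site. The script below is an added example, not from this thread or from McAfee; it checks a Windows machine's Trusted Root store for the gateway CA and flags expiry or stale duplicates. The thumbprint and subject are placeholders you must replace with your own gateway CA's values, and the `*Gateway*` subject match is a heuristic assumption.

```powershell
# Added example: verify that the Web Gateway's self-signed CA certificate
# is present in the local machine's Trusted Root store after deployment.
# Assumptions: $ExpectedThumbprint and $ExpectedSubject are placeholders;
# replace them with the SHA-1 thumbprint and subject of your gateway CA.
param(
    [string]$ExpectedThumbprint = 'REPLACE_WITH_GATEWAY_CA_THUMBPRINT',
    [string]$ExpectedSubject    = 'CN=Web Gateway CA'   # placeholder
)

$store = 'Cert:\LocalMachine\Root'

# Look the CA up by thumbprint rather than subject: subjects are easy to
# forge, thumbprints identify the exact certificate that was deployed.
$found = Get-ChildItem -Path $store |
    Where-Object { $_.Thumbprint -eq $ExpectedThumbprint.ToUpper() }

if (-not $found) {
    Write-Warning "Gateway CA $ExpectedThumbprint is NOT in $store; SSL scanning will produce certificate errors on this host."
    exit 1
}

$cert = @($found)[0]

# Warn ahead of expiry so the root can be rolled over before clients break.
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Gateway CA expires on $($cert.NotAfter); plan a rollover."
}

if ($cert.Subject -ne $ExpectedSubject) {
    Write-Warning "Subject '$($cert.Subject)' differs from expected '$ExpectedSubject'."
}

# Heuristic (assumption): other roots with a similar subject are usually
# stale copies left behind by earlier manual installs and should be removed.
Get-ChildItem -Path $store |
    Where-Object { $_.Subject -like '*Gateway*' -and $_.Thumbprint -ne $cert.Thumbprint } |
    ForEach-Object {
        Write-Warning "Extra root with similar subject: $($_.Subject) [$($_.Thumbprint)]"
    }

Write-Output "OK: gateway CA present in $store, valid until $($cert.NotAfter)."
```

Run it as a startup script or through your monitoring agent so that guest or non-domain hosts missing the CA show up before users start reporting broken HTTPS.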