pkonitz
Level 7

certificates in webgateway


Hi all,

There were a few topics on this, but they didn't answer all my questions, so I am writing another one.

When MWG presents itself with its own cert, clients don't trust it by default (it's self-signed, so it's obvious).

One solution to this, and the only one I found on the community and in any materials, is to import the MWG cert as a trusted CA.

Can it be done in a different way? What about Linux stations where we can't use GPO?

The GUI cert is done in such a way that we generate a new cert request, send it to our CA to sign it, and then import it again into our MWG.

Why doesn't this work in the same way when clients want to access HTTPS pages? That is, the cert of MWG is signed by our local CA (trusted) and the client doesn't need to import the self-signed CA cert of MWG?

Please clarify this.

regards

0 Kudos
1 Solution

Accepted Solutions
asabban
Level 17

Re: certificates in webgateway


Hello,

The difference between the GUI certificate and certificates for HTTPS sites is that the GUI cert is a server certificate. This certificate is only valid for one host, so you can get it trusted by a known CA. The certificate you use for MWG signing requests for HTTPS sites is a CA itself, which signs server certificates itself.

So a CA needs to be used that is trusted in the browsers. It is not possible to obtain a CA which is signed by a CA that is already trusted in the browsers, like VeriSign etc., because MWG will create server certificates for all URLs you access via HTTPS. If you go to facebook.com, MWG will create a server certificate for facebook.com and sign it with its local CA.

This local CA needs to be known in the users' browsers. There are only two ways:

- You already have a company-wide CA which is trusted on all machines. You can use it to create a SubCA and import the SubCA into MWG.

- All browsers need to be configured to trust the CA imported into MWG. For Internet Explorer you can share it via GPO; for Firefox or Linux computers you may want to provide a link with instructions or a script for installation to your users.

I am not aware of a way to have Firefox automatically import a given CA for a complete company.

Best,

Andre

0 Kudos
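
For the Linux stations raised in the question, a sketch of the kind of installation script the answer mentions, added here as an example and not taken from the thread or from vendor tooling. It assumes the gateway's signing CA was exported as a PEM file; the function names and the installed file name `mwg-ca.crt` are hypothetical. It handles the Debian/Ubuntu and RHEL/Fedora system trust stores only; applications that keep their own certificate store are not covered.

```shell
#!/bin/sh
# Added example: install the web gateway's signing CA into the Linux system trust store.
# Usage (as root): ./install-gateway-ca.sh /path/to/exported-ca.pem

# Print the directory where locally trusted CAs are dropped, for the system rooted at $1.
trust_anchor_dir() {
    root=${1:-}
    if [ -d "$root/usr/local/share/ca-certificates" ]; then      # Debian, Ubuntu
        echo "$root/usr/local/share/ca-certificates"
    elif [ -d "$root/etc/pki/ca-trust/source/anchors" ]; then    # RHEL, Fedora
        echo "$root/etc/pki/ca-trust/source/anchors"
    else
        return 1
    fi
}

# Print the command that rebuilds the trust bundle for a given anchor directory.
refresh_command() {
    case "$1" in
        */ca-trust/source/anchors) echo update-ca-trust ;;
        *) echo update-ca-certificates ;;
    esac
}

# The gateway certificate must be a CA (it signs per-site server certificates).
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Copy the CA into the anchor directory and print the installed path.
# A non-empty second argument is an alternate root used for dry runs and tests.
install_gateway_ca() {
    cert=$1; root=${2:-}
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" ||
        { echo "not a PEM certificate: $cert" >&2; return 2; }
    dir=$(trust_anchor_dir "$root") ||
        { echo "no supported trust store found" >&2; return 3; }
    cp "$cert" "$dir/mwg-ca.crt" && chmod 644 "$dir/mwg-ca.crt" || return 4
    # Rebuild the bundle only on the real system, not in a dry run.
    if [ -z "$root" ]; then "$(refresh_command "$dir")"; fi
    echo "$dir/mwg-ca.crt"
}

if [ "$#" -ge 1 ]; then
    is_ca_cert "$1" || { echo "$1 is not a CA certificate" >&2; exit 1; }
    install_gateway_ca "$1"
fi
```
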
2 Replies
pkonitz
Level 7

Re: certificates in webgateway


Thx Andre,

helpful as always

now everything is clear

regards

Przemek

0 Kudos