3 Replies Latest reply on Nov 9, 2010 12:20 PM by Chanson

    Signed Certificate for SSL Scanner

    infosecjeff

      I realize in a Windows Domain Environment via GPO we can install the self-signed certificate of the Web Gateway in all our domain computers' Trusted Certification Authority container for our web clients; but if we expect to have a lot of guest computers, and we want to perform SSL scanning, could we install a Trusted Authority Certificate on our Web Gateway, even if the Web Gateway is on an internal network and not an externally published FQDN?

        • 1. Re: Signed Certificate for SSL Scanner
          michael_schneider

          Hello Jeff,

           

          You can for sure. You'd need to get a subordinate CA from Thawte, Verisign and the like. This involves much money and lawyers as you will automatically become a subsite of the Root CA. What I'd suggest instead would be to simply use the welcome page functionality to inform guest users (identified by IP?) to download and install the CA cert from a network share or via HTTP from MWG and install it manually.

           

          best,

          Michael

          • 2. Re: Signed Certificate for SSL Scanner

            Hello Jeff,

             

            If you do decide to go the route of pushing out your own self-signed Root CA, there is a very good third-party site detailing how to do this with group policy here:

             

            http://unixwiz.net/techtips/deploy-webcert-gp.html

            • 3. Re: Signed Certificate for SSL Scanner

              I just happened to be buying an SSL cert for another purpose when I came across this.

              You can buy a publicly signed Subordinate cert, but the requirements are steep.

               

              http://www.geotrust.com/enterprise-ssl-certificates/georoot/

               

              (excerpt:)

              GeoRoot Eligibility Requirements

              To purchase GeoRoot you must meet the following minimum requirements:

              • Net worth of $5M or more
              • A minimum of $5M in Errors and Omissions insurance
              • Articles of Incorporation (or similar) and an incumbency certificate provided
              • A written and maintained Certificate Practice Statement (CPS)
              • A FIPS 140-2 Level 2 compliant device (GeoTrust has partnered with SafeNet, Inc.) for key generating and storing your root certificate keys
              • An approved CA product from Baltimore/Betrusted, Entrust, Microsoft, Netscape or RSA