2 Replies Latest reply on Feb 8, 2012 4:57 AM by pkonitz

    certificates in webgateway

      Hi all,

      there were a few topics on this, but they didn't answer all my questions, so I am writing another one

       

      When MWG presents itself with its own cert, clients don't trust it by default (it's self-signed, so it's obvious).

      One solution to this, and the only one I found in the community and in any materials, is to import the MWG cert as a trusted CA.

       

      Can it be done in a different way? What about Linux stations where we can't use GPO?

      The GUI cert is done in the way that we generate a new cert request, send it to our CA to sign it and then import it again into our MWG.

      Why doesn't this work in the same way when clients want to access HTTPS pages? That is, this cert of MWG is signed by our local CA (trusted) and the client doesn't need to import this self-signed CA cert of MWG?

       

      please clarify this

       

      regards

        • 1. Re: certificates in webgateway
          asabban

          Hello,

           

          the difference between the GUI certificate and certificates for HTTPS sites is that the GUI cert is a server certificate. This certificate is only valid for one host, so you can get it trusted by a known CA. The certificate you use for MWG signing requests for HTTPS sites is a CA itself, which signs server certificates itself.

           

          So a CA needs to be used that is trusted in the browsers. It is not possible to obtain a CA which is signed by a CA that is already trusted in the browsers, like VeriSign etc., because MWG will create server certificates for all URLs you access via HTTPS. If you go to facebook.com, MWG will create a server certificate for facebook.com and sign it with its local CA.

           

          This local CA needs to be known in the users' browsers. There are only two ways:

           

          - You already have a company-wide CA which is trusted on all machines. You can use it to create a SubCA and import the SubCA into MWG.

          - All browsers need to be configured to trust the CA imported into MWG. For Internet Explorer you can share it via GPO; for Firefox or Linux computers you may want to provide a link with instructions or a script for installation to your users.

           

          I am not aware of a way to have Firefox automatically import a given CA for a complete company.

           

          Best,

          Andre
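
Added example, not part of the original thread: the difference the reply above describes between a server certificate and a SubCA, reproduced with OpenSSL. All names are constructed (Example Corp, gateway.example.internal, www.example.com) and OpenSSL 1.1.1 or later is assumed. A client that trusts only the company root accepts a per-site certificate signed by the SubCA and rejects one signed with a GUI-style server certificate's key.

```shell
#!/bin/sh
# Added example. All names are constructed; needs OpenSSL 1.1.1 or later.
set -eu
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"

cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF

# new_key_and_csr NAME CN: fresh RSA key plus a signing request
new_key_and_csr() {
  openssl req -config pki.cnf -new -newkey rsa:2048 -nodes \
    -keyout "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null
}

# issue NAME CN SIGNER SECTION: certificate for NAME signed with SIGNER's key
issue() {
  new_key_and_csr "$1" "$2"
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
    -days 30 -extfile pki.cnf -extensions "$4" -out "$1.crt" 2>/dev/null
}

# chain_ok INTERMEDIATE LEAF: succeeds only if a client that trusts
# root.crt alone accepts LEAF when it is presented with INTERMEDIATE.
chain_ok() {
  openssl verify -CAfile root.crt -untrusted "$1.crt" "$2.crt" >/dev/null 2>&1
}

# Company root CA: the only certificate the clients already trust.
openssl req -config pki.cnf -x509 -extensions ca -newkey rsa:2048 -nodes \
  -keyout root.key -subj "/CN=Example Corp Root CA" -days 30 -out root.crt 2>/dev/null

issue subca "Example Corp Web Gateway SubCA" root ca   # what gets imported into the gateway
issue gui "gateway.example.internal" root server       # GUI-style server certificate
issue leaf_subca "www.example.com" subca server        # per-site cert signed by the SubCA
issue leaf_gui "www.example.com" gui server            # same, signed with the server cert's key

for pair in "subca leaf_subca" "gui leaf_gui"; do
  set -- $pair
  if chain_ok "$1" "$2"; then echo "$2 via $1: trusted"; else echo "$2 via $1: rejected"; fi
done
```

The rejection comes from the `CA:FALSE` basic constraint on the server certificate, which is why a certificate signed the way the GUI certificate is signed cannot be used to issue per-site certificates.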

          • 2. Re: certificates in webgateway

            Thx Andre,

            helpful as always

            now everything is clear

             

            regards

            Przemek