
Commercial certs for Decrypt and Resign

m.yost
Level 1

We are looking to do the decrypt/resign for outbound SSL traffic and want the easiest way of getting the clients to trust the resigned certificate. We do not have a PKI, so that leaves us with getting a commercial certificate or using the Firepower box as the CA server and going that route with self-signed. Going with a commercial certificate is preferred, as we would not have to push out the CA certificate through AD or to mobile devices; however, I have been told that many commercial SSL certificate providers will not issue certificates that allow resigning. Does this sound right?

2 Replies

Philip D'Ath
VIP Alumni

I pray that no commercial CA would ever issue such a certificate. It would be a major failing on their part, and a gigantic security nightmare.

Do you have AD? If so, publish your signing certificate with group policy and all your Windows machines will trust it.

Marvin Rhoads
Hall of Fame

You cannot obtain a "decrypt and resign" certificate from any public CA. Issuing such a certificate would fundamentally break the whole PKI trust architecture.

Only with an internal CA can you accomplish what you're asking. As Philip has suggested, Windows Active Directory Certificate Services (AD CS) is usually the path of least resistance here.

It doesn't help for non-domain computers and devices but it's better than nothing.
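
Why a publicly issued certificate cannot serve as the resigning certificate, as an added example that is not part of the thread: server certificates from public CAs are end-entity certificates (basicConstraints `CA:FALSE`), and chain validation rejects anything signed by one, while a certificate signed by an internal CA that clients trust validates. All names are constructed, and the sketch assumes the `openssl` CLI is installed.

```shell
# Returns 0 when a certificate re-signed by an internal CA verifies AND the
# same certificate re-signed by an end-entity (CA:FALSE) certificate does not.
resign_chain_check() (
  d=$(mktemp -d) || exit 2
  trap 'rm -rf "$d"' EXIT
  cd "$d" || exit 2
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' > ee.ext

  # new_csr NAME CN: fresh key pair plus signing request
  new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
      -subj "/CN=$2" >/dev/null 2>&1
  }
  # issue NAME ISSUER EXTFILE SERIAL: sign NAME.csr with ISSUER's key.
  # The tool signs regardless of whether ISSUER is a CA; validation decides later.
  issue() {
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -set_serial "$4" \
      -extfile "$3" -days 2 -out "$1.pem" >/dev/null 2>&1
  }

  # Internal root CA (constructed; stands in for an AD CS or appliance CA)
  new_csr root "Constructed Internal Root" &&
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 2 \
      -out root.pem >/dev/null 2>&1 || exit 2
  # Stand-in for a commercially issued server certificate: end-entity, CA:FALSE
  new_csr ee "proxy.example.test" && issue ee root ee.ext 2 || exit 2
  # The same site certificate re-signed two ways
  new_csr good "www.example.test" && issue good root ee.ext 3 || exit 2
  new_csr bad "www.example.test" && issue bad ee ee.ext 4 || exit 2

  # Signed by the trusted internal CA: must verify
  openssl verify -CAfile root.pem good.pem >/dev/null 2>&1 || exit 1
  # Signed by the end-entity certificate: must be rejected (invalid CA certificate)
  if openssl verify -CAfile root.pem -untrusted ee.pem bad.pem >/dev/null 2>&1; then
    exit 1
  fi
  exit 0
)
```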
