05-26-2016 06:46 AM - edited 03-12-2019 06:01 AM
We are looking to do the decrypt/resign for outbound SSL traffic and want the easiest way of getting the clients to trust the resigned certificate. We do not have a PKI, so that leaves us with getting a commercial certificate or using the Firepower box as the CA server and going that route with a self-signed certificate. Going with a commercial certificate is preferred, as we would not have to push out the CA certificate through AD or to mobile devices; however, I have been told that many commercial SSL certificate providers will not issue certificates that allow resigning. Does this sound right?
05-26-2016 06:05 PM
I pray that no commercial CA would ever issue such a certificate. It would be a major failing on their part, and a gigantic security nightmare.
Do you have AD? If so, publish your signing certificate with group policy and all your Windows machines will trust it.
05-26-2016 08:50 PM
You cannot obtain a "decrypt and resign" certificate from any public CA. Issuing such a certificate would fundamentally break the whole PKI trust architecture.
Only with an internal CA can you accomplish what you're asking. As Philip has suggested, Windows Active Directory Certificate Services (AD CS) is usually the path of least resistance here.
It doesn't help for non-domain computers and devices but it's better than nothing.