Beginner

Commercial certs for Decrypt and Resign

We are looking to do the decrypt/resign for outbound SSL traffic and want the easiest way of getting the clients to trust the resigned certificate.  We do not have a PKI, so that leaves us with getting a commercial certificate or using the Firepower box as the CA server and going that route with self-signed.  Going with a commercial certificate is preferred as we would not have to push out the CA certificate through AD or to mobile devices; however, I have been told that many commercial SSL certificate providers will not issue certificates that allow resigning.  Does this sound right?

2 REPLIES
Advisor

I pray that no commercial CA would ever issue such a certificate.  It would be a major failing on their part, and a gigantic security nightmare.

Do you have AD?  If so, publish your signing certificate with group policy and all your Windows machines will trust it.

Hall of Fame Guru

You cannot obtain a "decrypt and resign" certificate from any public CA. Issuing such a certificate would fundamentally break the whole PKI trust architecture.

Only with an internal CA can you accomplish what you're asking. As Philip has suggested, Windows Active Directory Certificate Services (AD CS) is usually the path of least resistance here.

It doesn't help for non-domain computers and devices but it's better than nothing.
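The mechanical reason behind both replies, as an added example that is not part of the thread: a public CA only sells end-entity certificates (basicConstraints CA:FALSE, no keyCertSign), and standard path validation refuses any chain whose issuer lacks CA:TRUE, so such a certificate can be used to sign but nothing will trust the result. The script builds a throwaway internal CA, one "commercial-style" leaf for the appliance, and resigns a site certificate with each; all names (Example Internal CA, firepower.example.internal, www.example.com) are constructed and only openssl is required.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cisco. Requires openssl.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# gen_cert NAME SUBJECT EXTFILE [ISSUER SERIAL]: self-signed when ISSUER is absent.
gen_cert() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "$2" -out "$WORK/$1.csr" 2>/dev/null
  if [ -n "$4" ]; then
    # openssl x509 -req signs with whatever key it is given; it does not check
    # that the issuer is a CA. That check happens at verification time.
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.crt" -CAkey "$WORK/$4.key" \
      -set_serial "$5" -days 365 -extfile "$WORK/$3" -out "$WORK/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
      -days 365 -extfile "$WORK/$3" -out "$WORK/$1.crt" 2>/dev/null
  fi
}

build_pki() {
  # Extension profile of an internal root (what AD CS or the Firepower box issues).
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  # Extension profile of every certificate a public CA will actually sell.
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' \
    > "$WORK/leaf.ext"
  gen_cert root   "/CN=Example Internal CA" ca.ext
  gen_cert fwleaf "/CN=firepower.example.internal" leaf.ext root 100
  # The same site certificate resigned twice: once by the root, once by the leaf.
  gen_cert site_by_root "/CN=www.example.com" leaf.ext root   101
  gen_cert site_by_leaf "/CN=www.example.com" leaf.ext fwleaf 102
}

# Returns 0 when the client would trust the resigned certificate.
verify_signed_by_internal_ca() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/site_by_root.crt" >/dev/null 2>&1
}
# Returns non-zero: path validation rejects the CA:FALSE issuer ("invalid CA certificate").
verify_signed_by_leaf() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/fwleaf.crt" \
    "$WORK/site_by_leaf.crt" >/dev/null 2>&1
}

build_pki
if verify_signed_by_internal_ca; then echo "resigned by internal CA: trusted"; fi
if verify_signed_by_leaf; then echo "resigned by end-entity cert: trusted (unexpected)"
else echo "resigned by end-entity cert: rejected, issuer is not a CA"; fi
```

Pushing the root's public certificate to clients (group policy on domain members, an MDM profile elsewhere) is the part of this that only an internal CA makes possible.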