Are you able to use a public cert with HTTPS Proxy?

eamonconnolly10
Level 1

I am implementing WCCP to redirect traffic to an Ironport WSA; the port 80 traffic is proxied through without any issues. With regards to all 443 traffic, a warning message is now shown to the user, to which they can choose to continue to the site or not. Obviously the users are not happy with this, as their browsers used to be configured with proxy settings and port 8080 to service all internet requests through the use of a WPAD/PAC file. Unfortunately this solution has its issues.

The reason for us implementing WCCP is that we are implementing a new wireless network which will again be for BYOD devices, and because of this we cannot push out settings to the browsers through Group Policies.

The question I have is: can I purchase a public cert (e.g. Comodo/Verisign/Thawte/etc.) for the Ironport WSA and upload it onto the proxy? Its root/intermediate certificate will already be in the BYOD devices' certificate stores. When the users' connection is proxied they will be presented with this cert, which their browsers will be able to validate. All this would mean I would not have to worry about self-signed certs and getting their root certs installed on clients, which is not an option in our case.

From what I have read on forums etc. it all talks about the self-signed or internal CA method, but nobody mentions using a public purchased certificate, which to me would seem to make things simpler for my case, or is there a reason why this cannot be done? Any help would be greatly appreciated.

Accepted Solution

The "public cert" you're talking about can't be used for this purpose. That cert basically says "I'm server x, and Thawte/Comodo/GoDaddy/whoever has verified that" (for various values of "verified").

The cert you need is a subordinate CA cert, which isn't cheap, and requires a whole huge infrastructure of people and systems, because with that cert YOU can create certs for Google and Microsoft and anyone else, and the world's browsers will trust you.

Because basically, that's what the WSA is doing: on the fly it generates a new cert for each site you visit so that the connection between your clients and the WSA is encrypted.

You really only have 2 choices... spin up your own CA (lots of us pick Microsoft because it integrates nicely) and issue a subordinate CA cert and apply that to the WSA and make the CA's public root available to your BYOD folks, or use the demo cert and make that available to your BYOD folks.


11 Replies


Thanks for the reply, Ken.

Guess I was misunderstanding the complexity. So are you saying that what would be needed is to create an intermediate CA internally within my company, that would be an intermediate CA of a root CA like Verisign/etc., and we could then generate certs for the sites users are visiting on the fly, and because the user would trust the root cert of the public CA they would trust the ones we generate on the fly? This intermediate CA certificate is installed on the proxy, which is the device generating these certificates on the fly.

Yes. In this case the WSA becomes the intermediate CA.

Resources:

Steps to configure HTTPS Proxy and CSR Option on Web Security Appliance:
https://www.youtube.com/watch?v=1g_96XYnkz4&feature=youtu.be

Steps to enable HTTPS proxy on the WSA and the Uploading Root/Intermediate certificate option:
https://supportforums.cisco.com/video/11932521/steps-enable-https-proxy-wsa-uploading-rootintermediate-certificate-option

Thanks

Zack

Thanks for both your answers. I have watched the videos and they explain what is needed. This was part of a project and the cost of buying a signed intermediate CA certificate was not factored in; I have been told that they are very expensive. Would anyone know what the rough cost of something like this may be? I know different vendors will offer different prices, but if someone was able to suggest a ballpark figure for the likes of Comodo/GoDaddy or Verisign to sign an intermediate CA certificate for us, it would let me know if this was even an option worth suggesting, or do I need to go back to turning off WCCP and the transparent proxy and look to use WPAD/PAC files to configure the proxy settings.

Thanks again for your help

Even if you're using an explicit proxy, you'll need to deal with this if you're going to decrypt HTTPS traffic.

WCCP/explicit proxy are just how you get the traffic to the box, NOT how you deal with it once you get it there...

Here's what you're getting into:

https://www.sslshopper.com/article-trusted-root-signing-certificates.html

Hello,

I'm having this issue, do you think a code signing certificate will work?

Thanks

No. A code signing cert will NOT work.

Thanks for the reply. Is there a way to use a public certificate in the WSA for HTTPS Decrypt? Has someone been able to do it?

The issue I have is that my customer wants to connect users to the corporate network without installing any certificate; we already do that on the corporate computers through a GPO and it is working as expected.

Thanks a lot.

No. A public web server cert won't work.

Those certs have the following key usages:
Digital Signature, Key Encipherment (a0)
And Basic Constraints will usually be
Subject Type=End Entity

You need a cert with a Key Usage that contains
Certificate Signing
And a constraint that contains
Subject Type=CA

If your client has an internal CA, and they already published the root cert to all of the workstations via GPO, you're halfway there.

Go to their CA, and issue a Subordinate CA Cert, and put that on the WSA.

OR

Take the cert that came from the WSA, and add it to the GPO...

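Added example, not from this thread or from Cisco: a small POSIX shell script using the openssl CLI that generates a throwaway internal CA cert and a throwaway end-entity server cert, then checks each for the two attributes Ken lists above (Basic Constraints CA and the Certificate Sign key usage), which is also why the WSA's on-the-fly per-site certs need a CA cert rather than a public server cert, as the accepted solution explains. It assumes `openssl` 1.1.1 or newer is on the PATH; the CN values are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway CA and a throwaway
# server ("end entity") cert, then test which one carries what the WSA needs in
# its signing certificate: Basic Constraints CA:TRUE plus Certificate Sign.
set -e

WORK=$(mktemp -d)

# Throwaway CA: explicitly marked as a CA and permitted to sign certificates.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
  -subj "/CN=Example Internal CA (constructed)" \
  -addext "basicConstraints=critical,CA:TRUE" \
  -addext "keyUsage=critical,keyCertSign,cRLSign" 2>/dev/null

# Throwaway server cert shaped like a public web server cert: end entity,
# Digital Signature + Key Encipherment only (the "a0" usage Ken mentions).
openssl req -newkey rsa:2048 -nodes -sha256 \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
  -subj "/CN=www.example.com" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' \
  > "$WORK/leaf.ext"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 30 -sha256 -extfile "$WORK/leaf.ext" \
  -out "$WORK/leaf.pem" 2>/dev/null

# Return 0 only if the PEM cert in $1 is marked CA:TRUE *and* carries the
# Certificate Sign key usage; 1 if either is missing; 2 if it does not parse.
wsa_usable_as_signing_ca() {
  txt=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
  printf '%s\n' "$txt" | grep -q 'CA:TRUE' || return 1
  printf '%s\n' "$txt" | grep -q 'Certificate Sign' || return 1
  return 0
}

for f in "$WORK/ca.pem" "$WORK/leaf.pem"; do
  if wsa_usable_as_signing_ca "$f"; then
    echo "$(basename "$f"): CA cert, can sign per-site certs on the WSA"
  else
    echo "$(basename "$f"): end-entity cert, cannot sign per-site certs"
  fi
done
```

Run the same function against a real cert file to see whether a purchased cert is a server cert or a CA cert before trying to upload it to the appliance.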
Hi,

I am very surprised that there are so many people asking for the possibility to decrypt the traffic using a Public CA.

If you had that subordinate CA, you could sell that one to any hacker, any government, so that they would enjoy decrypting a whole country's web traffic without getting caught.

The certificates that are given by the public CAs are server certificates, that is, they identify the validity of a server.
What is needed on WSA is a subordinate CA that can issue certificates on behalf of the. (Actually it doesn't necessarily have to be a subordinate CA, it can be a CA as well, but you need your clients to trust that CA.)

When I faced such an issue, I exported the root and subordinate CA directly from regedit. (Right click -> export) (The certificates are under the path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates)

When you export the certificate like this and deliver it to your long-term guest, all he/she needs to do is double click on the reg file and they start trusting your internal CA.

If you need more details about exporting the CA, I can go further and tell you.

Hope that helps.
