
External intermediate certification authority certificate & key

pjasa
Level 1

Hi all. I was curious if an external vendor like Entrust or Thawte would sell an Intermediate CA certificate and key for HTTPS filtering, or if this is something reserved only for business partners (like other CAs who are going to charge for certs). I know how to do this internally using our enterprise Microsoft CA, which works well with Windows boxes, but that CA is not GPO'd on non-Windows boxes like Apple devices or Android smartphones, so we thought using a more widely recognized root-authority intermediate cert would be better for our users. I'm no expert on certificates, so feel free to correct me if I'm misunderstanding. Thanks.

2 Replies

Jeffrey Richmond
Cisco Employee

Hello,

In most cases, a 3rd party trusted CA (such as Verisign or Thawte) will not sell an intermediate certificate, as that essentially gives you the power to sign other certificates and make them seem legitimate, as they would be trusted by the user's browser. This is a major security vulnerability for users and could diminish the reputation of the CA.

For devices/applications that do not have the WSA certificate in their trusted cert store, you can either pass through the connections in the Decryption policies, or you can have them click through the certificate warning (if possible) for connections that are decrypted.

Regards,

Jeff Richmond

Customer Support Engineer

Content Security Technical Services (CSTS) - Web Security

donnylee
Cisco Employee

Hi,

For Apple devices, you can push the profile with the certificate too.

 

Thanks,

Donny
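
Added example, not part of the original thread or any Cisco tooling: one way to build the Apple configuration profile mentioned in the last reply, wrapping an internal root CA certificate in a `com.apple.security.root` payload. The organization name, identifiers, file names and the sample PEM are assumptions made for illustration.

```python
import base64
import plistlib
import ssl
import uuid

# Constructed placeholder, NOT a real certificate: substitute the PEM export
# of your internal root CA (public certificate only, never the signing key).
SAMPLE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed-placeholder-not-a-real-DER-certificate").decode()
    + "\n-----END CERTIFICATE-----\n"
)


def build_ca_profile(ca_pem, org, identifier, display_name):
    """Return .mobileconfig bytes carrying one root CA certificate payload."""
    if "PRIVATE KEY" in ca_pem:
        # A trust profile distributes the certificate only.
        raise ValueError("input contains a private key; export the certificate only")
    der = ssl.PEM_cert_to_DER_cert(ca_pem)  # strips PEM armor, base64-decodes
    cert_payload = {
        "PayloadType": "com.apple.security.root",  # root CA certificate payload
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".rootca",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadCertificateFileName": "rootca.cer",
        "PayloadContent": der,  # bytes are serialized as a plist <data> element
    }
    profile = {
        "PayloadType": "Configuration",  # top-level profile wrapper
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name + " trust profile",
        "PayloadOrganization": org,
        "PayloadContent": [cert_payload],
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    # Hypothetical organization and identifier values.
    data = build_ca_profile(SAMPLE_CA_PEM, "Example Org", "com.example.proxy", "Example Root CA")
    with open("internal-root-ca.mobileconfig", "wb") as fh:
        fh.write(data)
```

A profile installed by hand on iOS or iPadOS still needs the root enabled under Certificate Trust Settings before it is trusted for TLS; a profile delivered through MDM does not.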
