03-06-2014 09:53 PM
Hi all. I was curious if an external vendor like Entrust or Thawte would sell an Intermediate CA certificate and key for HTTPS filtering, or if this is something reserved only for business partners (like other CAs who are going to charge for certs). I know how to do this internally using our enterprise Microsoft CA, which works well with Windows boxes, but that CA is not GPO'd on non-Windows boxes like Apple devices or Android smartphones, so we thought using a more widely recognized root-authority intermediate cert would be better for our users. I'm no expert on certificates, so feel free to correct me if I'm misunderstanding. Thanks.
03-07-2014 07:41 AM
Hello,
In most cases, a 3rd party trusted CA (such as VeriSign or Thawte) will not sell an intermediate certificate, as that essentially gives you the power to sign other certificates and make them seem legitimate as they would be trusted by the user's browser. This is a major security vulnerability for users and could diminish the reputation of the CA.
For devices/applications that do not have the WSA certificate in their trusted cert store, you can either pass through the connections in the Decryption policies, or you can have them click through the certificate warning (if possible) for connections that are decrypted.
Regards,
Jeff Richmond
Customer Support Engineer
Content Security Technical Services (CSTS) - Web Security
03-08-2014 10:51 PM
Hi,
For Apple devices, you can push the profile with the certificate too.
Thanks,
Donny