Trust Root CA


Enrique Fernandez

Sep 29, 2021, 6:55:22 AM9/29/21
to Diladele Web Safety
Hi all.

For an installation with many computers, installing the SSL certificate for the SSL inspection can be very difficult.

Is it possible to buy a known root ca certificate so as not to have to install it on clients' web browsers?

If possible, do you know of any known providers?

Thanks in advance.

rafael....@diladele.com

Sep 29, 2021, 7:06:48 AM9/29/21
to Diladele Web Safety
No, this is not possible. Here is the article that explains why: https://docs.diladele.com/faq/squid/non_root_ca.html

Enrique Fernandez

Sep 29, 2021, 7:24:33 AM9/29/21
to Diladele Web Safety
I was not referring to a wildcard certificate.

I meant to ask whether it is possible to decrypt by buying a Root CA, like Fortigate does, for example...

Thanks!

rafael....@diladele.com

Sep 29, 2021, 7:27:25 AM9/29/21
to Diladele Web Safety
Please read the article. It explains that in order to decrypt the connection the proxy CA *must* be a root; root CAs are not sold, they are generated (Fortinet also generated theirs).

Enrique Fernandez

Sep 29, 2021, 7:36:42 AM9/29/21
to Diladele Web Safety
I understand the article; I did not know that root CAs were not sold...

With Fortigate, you don't have to install the certificate on the clients. Do you know how they do it?

Thanks!
On Wednesday, September 29, 2021 at 13:06:48 UTC+2, rafael....@diladele.com wrote:

rafael....@diladele.com

Sep 29, 2021, 7:42:21 AM9/29/21
to Diladele Web Safety
The decryption certificate must be installed as trusted into the system. The whole point of TLS is behind this statement.
If anyone were able to decrypt connections to a bank without the installation of a root CA, imagine when a person sits in the airport cafe's Wi-Fi network; this would be the end of the known electronic society.

So either they installed the decryption certificate into your system (for example by a management solution, at the factory, etc.) or they do *not* decrypt at all.
One way to check that is to click on the padlock in your browser address bar when you are on facebook.com, for example. Was the site certificate signed by Fortigate? If so, the root CA is in your system somewhere.
If not, they do not decrypt.

br,
Raf
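The padlock check described above can be scripted. This is an added example, not code from Diladele or Fortinet: it handshakes with the system trust store (so success already means the issuing chain is trusted on this machine) and then classifies the issuer name; the `PROXY_MARKERS` tuple and the sample certificate dicts are constructed for illustration.

```python
import socket
import ssl

# Substrings expected in the issuer of a cert minted by an inspection proxy.
# Illustrative only (Fortigate is the product named in the thread); add your own proxy CA name.
PROXY_MARKERS = ("fortigate", "fortinet")


def _name_field(name_tuples, field):
    """Pull one attribute (e.g. 'organizationName') out of the RDN tuples getpeercert() returns."""
    for rdn in name_tuples:
        for key, value in rdn:
            if key == field:
                return value
    return None


def classify_issuer(cert, expected_issuer_org=None):
    """Return 'self-signed', 'inspection-proxy', 'unexpected-issuer' or 'public-ca'."""
    if cert.get("subject") == cert.get("issuer"):
        return "self-signed"
    issuer_cn = _name_field(cert.get("issuer", ()), "commonName") or ""
    issuer_org = _name_field(cert.get("issuer", ()), "organizationName") or ""
    haystack = f"{issuer_cn} {issuer_org}".lower()
    if any(marker in haystack for marker in PROXY_MARKERS):
        return "inspection-proxy"
    if expected_issuer_org and issuer_org != expected_issuer_org:
        return "unexpected-issuer"
    return "public-ca"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Handshake using the OS trust store; a successful handshake means this machine trusts the chain."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in the dict shape getpeercert() returns (not real certificates).
SAMPLE_PUBLIC = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example Public CA Inc"),), (("commonName", "Example CA G1"),)),
}
SAMPLE_PROXY = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Fortinet"),), (("commonName", "FortiGate CA"),)),
}

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    cert = fetch_peer_cert(host)
    print(host, "->", classify_issuer(cert), "| issuer:", cert["issuer"])
```

Run it from a client behind the proxy; an `inspection-proxy` or `unexpected-issuer` result on a public site means a private root is installed and decryption is happening, while a handshake failure means no such root is trusted.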

Enrique Fernandez

Sep 29, 2021, 10:01:34 AM9/29/21
to Diladele Web Safety
Hi.

I've been checking how Fortigate does it. It has two modes: SSL Certificate Inspection and Full SSL Inspection (https://kb.fortinet.com/kb/documentLink.do?externalID=FD35043).

This explains what you commented in the email above...

[...]
Conclusion:
If webfilter only is required, SSL Certificate Inspection is the correct option.
If webfilter, identify attacks, viruses and application control are required, then Full SSL Inspection is the best option.
[...]

Thanks for the explanation.