Certificate for Flex 100 SSL inspection

Sébastien
edited April 2021 in Security
Hi,

I would like to import a certificate signed by my own Windows Server domain CA to use with SSL inspection, but it doesn't work (the import fails). Error message: PKI certificate type is not supported

What I do: I make a new request on my domain CA for a certificate based on the "computer" model, common name "usgflex100". Certificate roles are server and client authentication. Key length 2048 bits. Provider: Microsoft RSA SChannel. I then export the certificate with the private key (PKCS12) and bang, error when importing it on the device.

On the other side I tried to make a certificate request on the USG Flex 100 but when I try to sign it with my domain CA it says that no certificate model is specified and it stops there.

I would like to use a domain signed certificate because the CA propagates automatically to all domain computers.

What am I doing wrong?

Thank you for your help,

Seb

All Replies

  • Zyxel_Cooldia (Zyxel Employee)
    Hi @Briz,
    The external certificate is an end-entity certificate, which is a digitally signed statement issued by a Certificate Authority.
    In the SSL inspection scenario, it is not allowed to import an “end-entity” certificate as a root CA.
    Please select the device default certificate for SSL inspection.

  • Sébastien
    So no way to use a certificate issued by my own CA?

    Using the default certificate requires deploying the USG's CA to all computers on the network, and browsers like Firefox or Chrome have their own trusted CA lists... As I said previously, having a certificate issued by my own domain CA will help because my CA is trusted everywhere in the Windows domain.

    What if I buy an SSL certificate on the web, will it work, do you think?

    Thanks

    NOTE: not installing the USG's CA on the client when using the default certificate for SSL inspection causes conflicts with the ESET security program, which is another reason to use an already trusted CA
  • Sébastien
    OK, understood! Even if my certificate is issued by my CA or any other CA, the device will issue a new certificate for each website visited, and therefore this certificate will not be trusted by my CA because it was issued by the device. Thanks for your help!
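Why an end-entity certificate fails this kind of import, shown with an added Go example (not code from the thread or from Zyxel): it builds a toy domain CA with the standard library, issues the server/client-authentication leaf described in the original post and a subordinate CA next to it, and checks which of the two carries the CA:TRUE basic constraint and keyCertSign usage that an inspection proxy needs in order to sign the per-site certificates it mints. The CA names and the check function are the example's own assumptions; whether a given device accepts a subordinate CA import is not settled by this thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert issues a certificate for cn, self-signed when parent is nil. isCA gives CA:TRUE plus
// keyCertSign; otherwise it is a leaf with the server/client-auth EKUs of a Windows "computer" template.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
	}
	if parent == nil { // self-signed root: the template signs itself
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// UsableAsInspectionCA reports whether c could sign the per-site certificates an
// inspection proxy mints: basicConstraints CA:TRUE and keyUsage keyCertSign (assumed check).
func UsableAsInspectionCA(c *x509.Certificate) bool {
	return c.BasicConstraintsValid && c.IsCA && c.KeyUsage&x509.KeyUsageCertSign != 0
}

// Scenario builds a constructed domain CA, the usgflex100 leaf from the original post
// and a subordinate CA, and reports which of the two passes the check (leaf: false, sub-CA: true).
func Scenario() (leafOK, subCAOK bool) {
	root, rootKey := makeCert("Example Domain CA", true, nil, nil)
	leaf, _ := makeCert("usgflex100", false, root, rootKey)
	subCA, _ := makeCert("usgflex100 inspection CA", true, root, rootKey)
	return UsableAsInspectionCA(leaf), UsableAsInspectionCA(subCA)
}
```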
