Original Message:
Sent: 10-15-2024 14:09
From: Nikolay Semov
Subject: Using a Public CA Cert for SSL Forward Proxy
I don't think it's worth it just for this.
If you find yourself in situations like this often, then you could consider setting up an internal Certificate Authority. Otherwise, it's just another thing to worry about and maintain.
------------------------------
Nikolay Semov
Original Message:
Sent: 10-15-2024 13:05
From: RoutingFrames
Subject: Using a Public CA Cert for SSL Forward Proxy
We do not. Is that hard to set up? In your opinion, would it be worth it?
Original Message:
Sent: 10-15-2024 12:56
From: Nikolay Semov
Subject: Using a Public CA Cert for SSL Forward Proxy
If you have an established internal certificate authority, you should get a sub-CA certificate issued for the SRX. In the absence of that, yes, you need to make computers trust the SRX self-signed MITM certificate. If you are in a Windows domain environment, you can do that with a group policy.
------------------------------
Nikolay Semov
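As an added example (not from this thread or from Juniper), the sub-CA arrangement Nikolay describes, built with OpenSSL: a private root, a pathlen-constrained sub-CA certificate of the kind the proxy would hold, a leaf minted under it, and, for contrast, a leaf signed by an ordinary server certificate (CA:FALSE, which is all a public CA will sell you) that a client rejects. All names are placeholders, and it assumes `openssl` is on the path.

```shell
# Constructed example: private root CA, sub-CA for the proxy (CA:TRUE,
# pathlen:0), and leaf certificates for intercepted sites. Placeholder names.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Private root CA and a subordinate CA signed by it. pathlen:0 stops the
# sub-CA key from creating further CAs if it is ever exposed.
build_chain() {
  cd "$WORK"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Internal Root" \
    -keyout root.key -out root.csr >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
  openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile root.ext \
    -out root.pem >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=srx-ssl-proxy sub-CA" \
    -keyout sub.key -out sub.csr >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > sub.ext
  openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1825 -extfile sub.ext -out sub.pem >/dev/null 2>&1
}

# issue_leaf ISSUER HOST OUT: end-entity certificate for HOST signed by
# ISSUER.pem/ISSUER.key; CA:FALSE, like any server certificate a public CA issues.
issue_leaf() {
  cd "$WORK"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$3.key" -out "$3.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:%s\n' "$2" > "$3.ext"
  openssl x509 -req -in "$3.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
    -days 90 -extfile "$3.ext" -out "$3.pem" >/dev/null 2>&1
}

# verify_leaf LEAF INTERMEDIATE...: exit 0 when a client that trusts root.pem
# would accept LEAF, given the intermediates the server could send along.
verify_leaf() {
  cd "$WORK"
  leaf="$1.pem"; shift
  chain=""
  for c in "$@"; do chain="$chain -untrusted $c.pem"; done
  openssl verify -CAfile root.pem $chain "$leaf" >/dev/null 2>&1
}

build_chain
issue_leaf sub www.example.com proxy-www      # what the proxy mints per site
verify_leaf proxy-www sub && echo "leaf under sub-CA: accepted"
issue_leaf sub vpn.example.com vpn            # an ordinary server certificate
issue_leaf vpn www.example.com bogus          # try to use it as an issuer
verify_leaf bogus sub vpn || echo "leaf under non-CA cert: rejected"
```

Distributing `root.pem` (not `sub.pem`) to clients, by group policy on a Windows domain, is what makes the proxy-minted leaves trusted; the sub-CA key stays on the SRX.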
Original Message:
Sent: 10-15-2024 12:24
From: RoutingFrames
Subject: Using a Public CA Cert for SSL Forward Proxy
Hmm, okay, so the only way to do this is with a self-signed cert, and then upload it to each computer? I just want to confirm.
Original Message:
Sent: 10-15-2024 10:58
From: Nikolay Semov
Subject: Using a Public CA Cert for SSL Forward Proxy
You're essentially looking for your SRX to act as a publicly-trusted sub-CA, with the ability to issue a certificate for any website.
Unless you're operating at the scale of a nation state, I don't believe you're likely to be able to get the necessary certificate to do this.
------------------------------
Nikolay Semov
Original Message:
Sent: 10-14-2024 21:03
From: RoutingFrames
Subject: Using a Public CA Cert for SSL Forward Proxy
Hi Ben, yes, I'm talking about MITM so inside clients don't complain.
I've used that link to configure most of it, but there's not much detail about loading an external CA for MITM use.
Original Message:
Sent: 10-14-2024 20:42
From: bkamen
Subject: Using a Public CA Cert for SSL Forward Proxy
Do you mean an "official" cert signed by a CA?
LetsEncrypt is handled directly in JunOS after like 22.4 IIRC.
I have it set up for one client so Juniper Secure Connect is happy and works. But it's only valid for the SRX (because of the hostname).
At home, I have my own server that handles LetsEncrypt and downloads wildcard certs, but I haven't taken the time to figure out pushing them to an SRX system yet. (I don't run an SRX at home.)
So, those would be the two routes I'd try first.
LetsEncrypt is really easy to set up on Linux. Read up the docs available around the net for setting up LetsEncrypt if that's the way you want to go.
But are you asking about having a cert on your SRX to be the man-in-the-middle so inside clients don't complain?
Did you look at this?
https://www.juniper.net/documentation/us/en/software/junos/application-identification/topics/topic-map/security-ssl-proxy.html
-Ben
------------------------------
Ben Kamen
Original Message:
Sent: 10-14-2024 16:26
From: RoutingFrames
Subject: Using a Public CA Cert for SSL Forward Proxy
Hi all,
Is it possible to use a public CA cert as my Root-CA in ssl proxy configuration so I do not have to add self-signed certs to all computers downstream of the SRX?