> From: [email protected] [mailto:discuss-[email protected]] On Behalf Of Ski Kacoroski
>
> I need someone with more certificate-fu than I have. I have an iBoss web filtering device that sits in between our internal users and the internet. We are trying to set it up to also filter https web pages, which means it has to decrypt the connection to see what is going on.
Oh god, if I worked there, I would quit in protest, and so should all your employees. That is horrible. But for the sake of... whatever ... They are right. Here's how it works:

Your client OS (or sometimes the browser itself) has a list of trusted root CAs. So they will show green checkmarks and secure closed lock icons for any websites whose certs were signed by one of those trusted root CAs. Normally those CAs will only sign certs for domains that they could follow some reasonable process to identify the requestor as being authorized on. Meaning, I cannot get a cert signed by any trusted CA for the domain twitter.com, because I cannot prove I'm authorized on that domain.

So here's the part you need to care about. You need your own root CA, and you need the clients in your network to trust it. So you have to create your CA, and you have to install it on all your clients. That way, your iBoss device can browse the internet (https://twitter.com with a signed cert from whatever trusted root CA...), decrypt the traffic, inspect it, and re-encrypt and sign the traffic using your private root CA. Since the clients on your network trust your private root CA, they will display the "secure" websites.

_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
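The trust mechanics described in the reply above, as an added Go example (not code from the thread or from the iBoss product): a private root CA mints a certificate for twitter.com, and the same certificate verifies only on a client whose trust store contains that root. The CA name, hostname and validity window are assumptions; it uses only Go's standard library and runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// sign issues tmpl, signed by parent using signer's key (self-signed when parent == tmpl).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// BuildProxyChain models the filtering device: a private root CA (hypothetical name) plus a leaf for host signed by it.
func BuildProxyChain(host string) (root, leaf *x509.Certificate, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: nb, NotAfter: na, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, Subject: pkix.Name{CommonName: "Example District Root CA"}}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: nb, NotAfter: na,
		Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}, KeyUsage: x509.KeyUsageDigitalSignature}
	if root, err = sign(caTmpl, caTmpl, &caKey.PublicKey, caKey); err == nil {
		leaf, err = sign(leafTmpl, root, &leafKey.PublicKey, caKey) // signed with the private root's key
	}
	return root, leaf, err
}
// ClientTrusts reports whether a client whose trust store holds exactly roots (nil = unmanaged client) accepts leaf for host.
func ClientTrusts(leaf *x509.Certificate, roots []*x509.Certificate, host string) bool {
	pool := x509.NewCertPool() // non-nil empty pool: Verify must not fall back to the OS store
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}
func main() {
	root, leaf, err := BuildProxyChain("twitter.com")
	if err != nil {
		panic(err)
	}
	fmt.Println(ClientTrusts(leaf, nil, "twitter.com"), ClientTrusts(leaf, []*x509.Certificate{root}, "twitter.com")) // false true
}
```

The first result is what an unmanaged device (a visitor's laptop, a phone on the guest network) sees: a certificate warning for every https site, which is also the quickest way to confirm the interception is working as described.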
