Cisco Support Community
New Member

External intermediate certification authority certificate & key

Hi all. I was curious if an external vendor like Entrust or Thawte would sell an intermediate CA certificate and key for HTTPS filtering, or if this is something reserved only for business partners (like other CAs who are going to charge for certs). I know how to do this internally using our enterprise Microsoft CA, and that works well with Windows boxes, but that CA is not GPO'd onto non-Windows boxes like Apple devices or Android smartphones, so we thought using a more widely recognized root-authority intermediate cert would be better for our users. I'm no expert on certificates, so feel free to correct me if I'm misunderstanding. Thanks.

2 REPLIES
Cisco Employee

Hello,

In most cases, a 3rd party trusted CA (such as Verisign or Thawte) will not sell an intermediate certificate, as that essentially gives you the power to sign other certificates and make them seem legitimate, as they would be trusted by the user's browser. This is a major security vulnerability for users and could diminish the reputation of the CA.

For devices/applications that do not have the WSA certificate in their trusted cert store, you can either pass through the connections in the Decryption policies, or you can have them click through the certificate warning (if possible) for connections that are decrypted.

Regards,

Jeff Richmond

Customer Support Engineer

Content Security Technical Services (CSTS) - Web Security

Cisco Employee

Hi,

For Apple devices, you can push the profile with the certificate too.

Thanks,

Donny
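As an added example that is not part of the original thread or any Cisco tooling: one way to wrap the proxy's own CA certificate in an Apple configuration profile (`.mobileconfig`) for the push described in the reply above. The organization name, identifier, and file name are assumptions, and the sample bytes are a constructed placeholder, not a real certificate.

```python
import base64
import plistlib
import re
import uuid

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def pem_to_der(pem: bytes) -> bytes:
    """Extract the first PEM certificate block and return its DER bytes."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
    # A DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE")
    return der

def build_profile(pem: bytes, org: str, identifier: str) -> bytes:
    """Return an XML .mobileconfig carrying one CA certificate payload."""
    cert_payload = {
        "PayloadType": "com.apple.security.root",   # CA certificate payload
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".cert",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": org + " HTTPS inspection CA",
        "PayloadCertificateFileName": "proxy-ca.cer",  # assumed file name
        "PayloadContent": pem_to_der(pem),             # written as <data>
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": org + " proxy trust",
        "PayloadOrganization": org,
        "PayloadContent": [cert_payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)

# Constructed placeholder (a tiny ASN.1 SEQUENCE), NOT a real certificate.
PLACEHOLDER_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(PLACEHOLDER_DER)
              + b"\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # "Example Corp" and the identifier are assumed values.
    print(build_profile(SAMPLE_PEM, "Example Corp", "com.example.proxyca").decode())
```

A profile installed by hand on iOS still needs the certificate enabled under Certificate Trust Settings; one delivered through MDM is trusted on install.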
