Certificate signing request from Proxy to perform SSL interception, Proxy to act as Sub CA

We are using a proxy in transparent mode/MITM mode which performs SSL encryption. We have an option of creating proxy self-signed certificates so that a client who connects through the Internet goes via the proxy, where the proxy performs SSL interception. The client must have the proxy certificate in their trusted CAs.

Now many clients here are vendor appliances on which we can't install the proxy's self-signed certificate easily. But these devices trust well-known CAs which are in their trusted store. So if I create a CSR from the proxy and get it signed by Let's Encrypt, that will make LE the root CA and the proxy a Sub CA. So clients with pre-installed trusted certificates can authenticate with the proxy as well for SSL interception, and we don't have to install certificates on clients separately. Is it possible with LE?

CAs aren't allowed to do that.


Is there any other way to achieve this other than installing a certificate on the client side?

You mean, is there any way to transparently decrypt/re-encrypt HTTPS traffic without allowing it client-side or server-side? No. There isn't. Because if you could, it would be a security problem.

What you can do, for devices where you can't easily add your custom CA, is use an internal proxy: you want to connect to https://example.com/…? Connect to https://yourproxy.yourdomain.com/example.com/
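The path-based internal proxy suggested above, sketched as an added example that is not part of the original thread: the device validates an ordinary server certificate for the proxy's own hostname, and the proxy rewrites the first path segment into the upstream host. The allowlist, the hostnames in it and the function name `upstream_url` are assumptions; the allowlist is there so the proxy cannot be used to reach arbitrary hosts.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumption: the only upstream hosts the appliances need (constructed values).
ALLOWED_UPSTREAMS = frozenset({"example.com", "updates.example.net"})


def upstream_url(request_target: str, allowed=ALLOWED_UPSTREAMS) -> str:
    """Map the request target seen by the internal proxy, e.g.
    '/example.com/v1/check?id=7', to 'https://example.com/v1/check?id=7'.

    Raises ValueError for anything that is not an allowlisted upstream.
    """
    parts = urlsplit(request_target)
    # Only origin-form targets ('/host/path?query') are accepted; an absolute
    # URL or a '//host' form would let the caller pick the authority directly.
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        raise ValueError("expected an origin-form request target")

    # The first path segment names the upstream host; the rest is its path.
    host, _, rest = parts.path[1:].partition("/")
    host = host.lower().rstrip(".")

    # Exact match only: a segment carrying a port, userinfo ('a@b') or
    # percent-encoding can never equal an allowlist entry, so it is rejected.
    if host not in allowed:
        raise ValueError(f"upstream not allowed: {host!r}")

    # The upstream connection is always HTTPS; the proxy validates the
    # upstream certificate itself with its normal trust store.
    return urlunsplit(("https", host, "/" + rest, parts.query, ""))


if __name__ == "__main__":
    for target in ("/example.com/v1/check?id=7", "/example.com@evil.test/x"):
        try:
            print(target, "->", upstream_url(target))
        except ValueError as err:
            print(target, "-> rejected:", err)
```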
