Cross-signing the CA Certificate


Hi All,

I am implementing a proxy server that will inspect HTTPS traffic. Using the private Certificate Authority (CA) that comes with the product allows me to inspect HTTPS traffic; however, the client browsers display a certificate warning each time users access an HTTPS website.

“IWSaaS allows administrators to cross-sign your organization’s own CA certificate with the Certificate Signing Request (CSR) file provided by Trend Micro, and upload the cross-signed certificate on the IWSaaS management console. Cross-signing the CA certificate establishes a trusted relationship between the IWSaaS CA certificate and your organization’s own CA certificate.”

A couple of questions,

1.) I need a CA Certificate. Will a standard certificate from the likes of GoDaddy / LE suffice?
2.) I'm not familiar with openssl, how am I best to have this cross-signed?


No. Publicly trusted CAs will never cross-sign a certificate for an organisation which isn't a publicly trusted CA itself.


What you’re doing is basically what TLS is designed to prevent. In order for you to make this work, you’ll need to pay attention to the part where it says “your organization’s own CA certificate.” You would need to have your internal CA root certificate trusted by any machine that will see a certificate signed by that CA.

Of course, this means only clients for which you have control over the trusted certificate stores would allow traffic without a warning, but that’s absolutely the point of TLS! If you don’t have legitimate control/ownership of the machine, you shouldn’t be able to inspect encrypted traffic it sends. What you’re trying to do is set up a MITM, and TLS is designed to prevent that.

Side note, with the advent of TLS 1.3, this may become a much more difficult problem to solve for you.

