Certificate CA help

Sir Asvald

Hello guys. I'm currently using my pfSense box as my CA for my domain. I want it to be able to install all the certificates automatically when anyone connects through Wi-Fi or LAN. Right now, anyone who tries to access the intranet within the network will get an error saying the certificate isn't trusted.

How can I achieve this?

Thanks. 

CPU: AMD Ryzen 5 5600X | CPU Cooler: Stock AMD Cooler | Motherboard: Asus ROG STRIX B550-F GAMING (WI-FI) | RAM: Corsair Vengeance LPX 16 GB (2 x 8 GB) DDR4-3000 CL16 | GPU: Nvidia GTX 1060 6GB Zotac Mini | Case: K280 Case | PSU: Cooler Master B600 Power supply | SSD: 1TB  | HDDs: 1x 250GB & 1x 1TB WD Blue | Monitors: 24" Acer S240HLBID + 24" Samsung  | OS: Win 10 Pro

 

Audio: Behringer Q802USB Xenyx 8 Input Mixer |  U-PHORIA UMC204HD | Behringer XM8500 Dynamic Cardioid Vocal Microphone | Sound Blaster Audigy Fx PCI-E card.

 

Home Lab:  Lenovo ThinkCenter M82 ESXi 6.7 | Lenovo M93 Tiny Exchange 2019 | TP-LINK TL-SG1024D 24-Port Gigabit | Cisco ASA 5506 firewall  | Cisco Catalyst 3750 Gigabit Switch | Cisco 2960C-LL | HP MicroServer G8 NAS | Custom built SCCM Server.


You can't have it automatically trusted unless you add your CA as a trusted authority on all the devices, I believe.

"What am I even meant to put here?" - Me 2016


7 minutes ago, Reallifecat said:

You can't have it automatically trusted unless you add your CA as a trusted authority on all the devices, I believe.

That's what I meant. Instead of going to each device and doing it manually, is there a different way?

Just now, Abdul201588 said:

That's what I meant. Instead of going to each device and doing it manually, is there a different way?

I'm not sure there is, due to the nature of SSL security, because you can't have just anyone accessing your network and installing themselves as a CA.

"What am I even meant to put here?" - Me 2016


1 minute ago, Reallifecat said:

I'm not sure there is, due to the nature of SSL security, because you can't have just anyone accessing your network and installing themselves as a CA.

No, I want to install the CA certificate on their device. I don't want them to be a CA. So any site they access doesn't give them an error saying it's not trusted.


Just now, Abdul201588 said:

No, I want to install the CA certificate on their device. I don't want them to be a CA. So any site they access doesn't give them an error saying it's not trusted.

You misunderstood me; you can't automatically install the certificates onto devices remotely, as this would pose a security risk.

"What am I even meant to put here?" - Me 2016


1 minute ago, Reallifecat said:

You misunderstood me; you can't automatically install the certificates onto devices remotely, as this would pose a security risk.

Devices are connected to the internal network. Nothing to do with them being in some remote area.


You can buy from a trusted CA... try getting certs from Let's Encrypt.

Can Anybody Link A Virtual Machine while I go download some RAM?


Just now, unijab said:

You can buy from a trusted CA... try getting certs from Let's Encrypt.

I've got a server that isn't connected to the internet, therefore I cannot get a CA from Let's Encrypt. It hosts my intranet.


You can use a GPO to deploy the certificate. You could even link the machine/user certs to security groups for greater security control over who gets it deployed.

Desktop: Ryzen9 5950X | ASUS ROG Crosshair VIII Hero (Wifi) | EVGA RTX 3080Ti FTW3 | 32GB (2x16GB) Corsair Dominator Platinum RGB Pro 3600Mhz | EKWB EK-AIO 360D-RGB | EKWB EK-Vardar RGB Fans | 1TB Samsung 980 Pro, 4TB Samsung 980 Pro | Corsair 5000D Airflow | Corsair HX850 Platinum PSU | Asus ROG 42" OLED PG42UQ + LG 32" 32GK850G Monitor | Roccat Vulcan TKL Pro Keyboard | Logitech G Pro X Superlight  | MicroLab Solo 7C Speakers | Audio-Technica ATH-M50xBT2 LE Headphones | TC-Helicon GoXLR | Audio-Technica AT2035 | LTT Desk Mat | XBOX-X Controller | Windows 11 Pro

Server: Fractal Design Define R6 | Ryzen 3950x | ASRock X570 Taichi | EVGA GTX1070 FTW | 64GB (4x16GB) Corsair Vengeance LPX 3000Mhz | Corsair RM850v2 PSU | Fractal S36 Triple AIO + 4 Additional Venturi 120mm Fans | 14 x 20TB Seagate Exos X22 20TB | 500GB Aorus Gen4 NVMe | 2 x 2TB Samsung 970 Evo Plus NVMe | LSI 9211-8i HBA


Sounds like you have configured an SSL proxy, which is pretty much a bad idea. You're essentially doing a man-in-the-middle attack on anyone using your network to browse secure websites, defeating the whole point of having secure websites. This is something I don't do unless it really is required, and people using the internet need to know this before using it; you could get banking passwords etc.


15 hours ago, Reallifecat said:

You misunderstood me; you can't automatically install the certificates onto devices remotely, as this would pose a security risk.

15 hours ago, Abdul201588 said:

Devices are connected to the internal network. Nothing to do with them being in some remote area.

What he means is there is no way to just push/install certificates onto devices like this unless the device is centrally managed by something like Active Directory. Certificate management and certificate stores on devices are fundamental to PKI security and underpin secure access on the internet. This is why so few CAs exist, due to the implicit trust we put in them: if one were to go rogue or get compromised, literally everyone would be screwed and there would be no secure access on the internet anymore; it only takes one.

Private CAs need to be treated the same as a public CA for all involved in using or interacting with it; you can seriously compromise a device's security if not careful.


16 hours ago, Abdul201588 said:

Hello guys. I'm currently using my pfSense box as my CA for my domain. I want it to be able to install all the certificates automatically when anyone connects through Wi-Fi or LAN. Right now, anyone who tries to access the intranet within the network will get an error saying the certificate isn't trusted.

How can I achieve this?

Thanks.

Get the certificate from the pfSense box. Make a GPO that deploys the certificate to all clients on the network. All these systems now see the "external site" certificates that are issued by the "pfSense box" as trusted. That is the basic gist of it. Guests will still get the "Not trusted", but you could set up a tunnel and push clients through that unsecured tunnel, either via a whitelist or a blacklist.

This is extremely common in schools to protect the kiddies.

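Blake's procedure above (export the CA certificate from the pfSense box, then deploy it to every domain member as a trusted root) performed on a single Windows machine in PowerShell, as an added example that is not from the thread and not pfSense or Microsoft code. It adds the two checks a practitioner would want before a new root goes into the trust store: the file must actually be a CA certificate, and its thumbprint must match one read out of band from the pfSense GUI, so a swapped file is caught before it becomes trusted. The file path, the thumbprint placeholder and the intranet host name are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): trust a private CA on one domain member
# the same way the GPO would, but with pre-import checks and a post-import test.

# Read from the pfSense GUI, not from the file being imported (assumed placeholder).
$ExpectedThumbprint = 'PLACEHOLDER_SHA1_THUMBPRINT_FROM_PFSENSE'
$CaFile             = 'C:\pki\pfsense-ca.crt'    # assumed export location
$IntranetHost       = 'intranet.example.lan'     # assumed internal site name

$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaFile

# Check 1: only a certificate carrying the CA basic constraint belongs in Root.
# This stops a leaf or server certificate from ever being trusted as a root.
$isCa = $ca.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
    ForEach-Object { $_.CertificateAuthority }
if (-not $isCa) { throw "$CaFile does not carry the CA basic constraint; refusing to import" }

# Check 2: the file on disk must be the CA you think it is.
if ($ca.Thumbprint -ne $ExpectedThumbprint) {
    throw "Thumbprint mismatch: file has $($ca.Thumbprint), expected $ExpectedThumbprint"
}

# This single-machine import is what the GPO setting under
# Computer Configuration > Policies > Windows Settings > Security Settings >
# Public Key Policies > Trusted Root Certification Authorities does for every member.
Import-Certificate -FilePath $CaFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Write-Host "Imported $($ca.Subject) ($($ca.Thumbprint)) into LocalMachine\Root"

# Post-import test: a request to the intranet host now has to validate without
# error. Invoke-WebRequest throws on an untrusted chain, which is the failure the
# original poster is seeing on unmanaged devices.
try {
    $r = Invoke-WebRequest -Uri "https://$IntranetHost/" -Method Head -UseBasicParsing
    Write-Host "Chain OK: https://$IntranetHost/ returned HTTP $($r.StatusCode)"
} catch {
    Write-Warning "https://$IntranetHost/ still fails validation: $($_.Exception.Message)"
}
```

Run it once on a test member before the GPO goes out; the same two checks are worth repeating whenever the CA certificate is re-exported, because anyone who can replace the file on the distribution share can otherwise make every domain member trust a different CA.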

19 minutes ago, Blake said:

Get the certificate from the pfSense box. Make a GPO that deploys the certificate to all clients on the network. All these systems now see the "external site" certificates that are issued by the "pfSense box" as trusted. That is the basic gist of it. Guests will still get the "Not trusted", but you could set up a tunnel and push clients through that unsecured tunnel, either via a whitelist or a blacklist.

This is extremely common in schools to protect the kiddies.

I rarely set up an SSL proxy for schools either, though. I use DNS-based filtering to do it; most firewall solutions out there can do it, however, through subscription services like FortiGuard. There should actually be no need to break PKI to provide adequate protection, and it should be done when there is a security and auditing need to do so and not because it's possible.

The other consideration is what you actually gain by being able to intercept and scan the content of secure websites: not much beyond word-score weighting and blocking over a threshold with something like DansGuardian. 99.99% of bad sites can be identified before needing to scan the page content. If you're worried about Google search, you can enforce SafeSearch at the proxy/firewall for everyone.

You'll find not many staff members will be happy to find out you can collect any passwords they use on secure websites, and arguments like "personal banking should not be done on the school/work network" basically won't fly.

It's cool and all to be able to do this, but people need to be mindful of what they are actually doing and what it means; you also need to secure the proxy logs and have stricter access control on who can view them.

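The interception leadeater describes (the pfSense CA issuing certificates for external sites) is visible from the client side, because the chain a browser builds for a public site then ends at the private root instead of a public one. The following PowerShell audit, an added example that is not from the thread and not pfSense or Microsoft code, connects to a list of external hosts, builds the chain for the certificate each one actually presents, and flags any whose root is the private CA. The CA thumbprint placeholder and the host list are assumptions.

```powershell
# Added example (not from the thread): detect TLS interception by checking whether
# external sites chain to the private CA rather than to a public root.

$PrivateCaThumbprint = 'PLACEHOLDER_SHA1_THUMBPRINT_FROM_PFSENSE'   # assumed placeholder
$Sites = 'www.example.com', 'www.example.org'                         # assumed probe list

function Get-PresentedChain {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented: the goal is to inspect the chain, not to trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl    = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $leaf   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate

        # Build the chain with the machine's own trust store so the result matches
        # what browsers on this client see. Revocation is skipped; it is irrelevant here.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        [void]$chain.Build($leaf)
        $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

        [pscustomobject]@{
            Host        = $HostName
            LeafIssuer  = $leaf.Issuer
            RootSubject = $root.Subject
            # Thumbprint rather than subject name: a subject string is trivially copied,
            # a thumbprint identifies the exact certificate in the store.
            Intercepted = ($root.Thumbprint -eq $PrivateCaThumbprint)
        }
    } finally {
        $tcp.Close()
    }
}

$results = $Sites | ForEach-Object { Get-PresentedChain -HostName $_ }
$results | Format-Table -AutoSize
if ($results | Where-Object Intercepted) {
    Write-Warning 'At least one external site chains to the private CA: TLS is being intercepted on this path.'
}
```

Run from a managed client, a row with Intercepted set to True is the condition leadeater warns staff should be told about; run from a guest device that never received the CA, the same site should report a public root, which is also how to confirm that the GPO-deployed trust has not leaked beyond the intended devices.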
