Possible to use a third-party certificate for HTTPS Inspection?

Hi all,

As I am getting more familiar with my new XG firewall, I am naturally wanting to do more and more things.  I've started looking at the deep-packet inspection/HTTPS Decrypt and Scan functionality.  I've seen the discussions on this board about the invalid certificate warning that you get because the XG is essentially performing a "man-in-the-middle" attack to decrypt and inspect the content, and the guidance seems to be "install the CA as a trusted CA on your computer" to make it go away.  While I know that would work, and while I know this can be automated to some extent with Group Policy in a Windows domain, it strikes me that the best way would just be to obtain and use a legit 3rd party certificate that everybody would trust out of the gate, that way even non-domain connected, non-Windows devices would not display any complaints about the certificate.  So I searched the knowledgebase and I found an article that seems to suggest this is possible and explains how to do it, located here:  https://community.sophos.com/kb/en-us/123003

Unfortunately, this seems to have been written for v15 and I am not sure if this is still applicable in v16.  In particular, even though I have added an external CA, it does not show up in the list as shown in step 2 of the guide.  So I went back to step 1 and referenced this URL https://community.sophos.com/kb/en-us/123036.  Again, this seems to be stale content and not up to date for v16, as I do not have the ability to add a CA passphrase which it says must be specified for this to work.

At this point I am unsure how to proceed.  The documentation seems to indicate it is possible, but the content is stale and doesn't seem applicable to v16.

Has anybody achieved success using a 3rd party certificate for HTTPS decryption?  Thanks in advance.

  • The first thing is to understand the difference between a Certificate, and a Certificate Authority.

    A Certificate Authority is someone who generates Certificates and assures everyone involved that the website is who they say they are.  Most certificate authorities are companies like DigiSign, GoDaddy, etc.  Microsoft, Apple, Mozilla and other browser makers will install into their browsers a default list of trusted certificate authorities.  If a user goes to a website that has a certificate, but the certificate was signed by a Certificate Authority they don't recognize, a warning is presented to the user.

    It is very hard to become a Certificate Authority that would be trusted enough that browser makers would auto-install you as a trusted CA.

    The XG has a Certificate that it uses every time you visit a page presented by the XG (WebAdmin, User Portal, etc).  You can go to an official Certificate Authority company and purchase a Certificate from them that you then use on your XG.  All users would then get no warning when they visit a page hosted by the XG (basically when the XG hostname appears in the address bar).

    But...  If you want to go to HTTPS google, the XG cannot use the purchased certificate.  In order to perform man-in-the-middle the XG must be a Certificate Authority and create a certificate that says "Yes, this is really Google".  Your browser then looks at the Certificate, sees the Certificate Authority it was signed by, and then decides whether or not to believe it or warn the user.

    Be very aware - the XG is lying to the browser.  The certificate basically is saying "This is really Google and your encrypted SSL connection is secure" when in fact it is completely not.  The encryption is not secure - the XG is completely listening in on the traffic.  There is no way a browser maker would ever by default trust a Certificate Authority whose main purpose is to lie to users and break into encrypted traffic.

    Your company, and Sophos itself, cannot become a Certificate Authority that everyone trusts by default.  However, if you already have some devices that are effectively a self-signed Certificate Authority, you can share that across your company.  For example, let's say you have a multi-site office each with its own XG.  By default each XG would sign with its own CA that it created at install, so any laptop that went between sites would have to have multiple XG CAs to install.  You can copy the CA from one XG to another, basically synchronizing them so they are all using the same CA.  It is still a private one that needs to be installed on the browser, but it is only one.  Or for example if you were upgrading from a different proxy to the XG and wanted to migrate the existing-and-already-trusted CA from the old one to the new one.

    Look at it this way - as an admin, you want to spy on encrypted traffic without your users knowing.  The browser makers will absolutely do everything in their power to make sure this can never happen.  HTTPS was designed so that Proxies cannot spy on you without your knowledge.  Otherwise the FBI would just install an XG at every ISP and watch everyone's supposedly-secure traffic.  The very definition of man-in-the-middle is that it is an attack.  The user must be told and either be warned at every website load, create exceptions for certain sites, or permanently trust the CA manually (or automated push to their box by an admin).

    That all being said, although I've not read the KB articles and cannot advise on the correct steps, I've pinged the KB team that they need updating.
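The trust decision the reply above describes, as an added example that is not part of this thread and not Sophos or XG code: a Go program using only the standard library's crypto/x509 that builds a constructed private "inspection CA" and a constructed "purchased" certificate, then checks, the way a browser does, which presented certificates chain to the trust store. All names, hostnames (www.example.com, xg.corp.example), serial numbers and function names are made up for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template builds a minimal certificate for this constructed demo (not XG code); isCA is the basicConstraints cA flag, the bit that separates "a Certificate" from "a Certificate Authority".
func template(cn string, serial int64, isCA bool, dns ...string) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, DNSNames: dns,
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign // only a CA may sign other certificates
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates a fresh key for tmpl and signs it with parentKey (nil parent: self-signed root).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// browserTrusts is the client-side check: the presented certificate must chain to a root in the trust store, and every signer on the path must itself be a CA.
func browserTrusts(leaf *x509.Certificate, inter *x509.CertPool, store *x509.CertPool, host string) (bool, string) {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: store, Intermediates: inter, DNSName: host}); err != nil {
		return false, "warning: " + err.Error()
	}
	return true, "trusted"
}

// inspectionScenario: the XG's own CA re-signs www.example.com; the outcome depends only on whether that CA has been imported into the client's trust store.
func inspectionScenario(caInstalled bool) (bool, string) {
	ca, caKey, err := issue(template("XG Inspection CA", 1, true), nil, nil)
	if err != nil {
		return false, err.Error()
	}
	resigned, _, err := issue(template("www.example.com", 2, false, "www.example.com"), ca, caKey)
	if err != nil {
		return false, err.Error()
	}
	store := x509.NewCertPool() // empty: no browser vendor ships this CA
	if caInstalled {
		store.AddCert(ca) // what a Group Policy push or a manual import does
	}
	return browserTrusts(resigned, nil, store, "www.example.com")
}

// purchasedCertScenario: a certificate bought for the XG hostname chains to a public root, so the XG's own pages are trusted, but it carries cA=false, so anything it signs for another site is rejected even though that root is trusted.
func purchasedCertScenario() (portalOK, resignOK bool, reason string) {
	root, rootKey, err := issue(template("Public CA", 10, true), nil, nil)
	if err != nil {
		return false, false, err.Error()
	}
	xg, xgKey, err := issue(template("xg.corp.example", 11, false, "xg.corp.example"), root, rootKey)
	if err != nil {
		return false, false, err.Error()
	}
	store := x509.NewCertPool()
	store.AddCert(root) // the public root is what browsers ship by default
	portalOK, _ = browserTrusts(xg, nil, store, "xg.corp.example")
	resigned, _, err := issue(template("www.example.com", 12, false, "www.example.com"), xg, xgKey)
	if err != nil {
		return portalOK, false, "cannot sign: " + err.Error()
	}
	inter := x509.NewCertPool()
	inter.AddCert(xg) // the proxy would send its purchased cert along with the re-signed one
	resignOK, reason = browserTrusts(resigned, inter, store, "www.example.com")
	return portalOK, resignOK, reason
}

func main() {
	fmt.Println(inspectionScenario(false))
	fmt.Println(inspectionScenario(true))
	fmt.Println(purchasedCertScenario())
}
```

Run it with go run: the uninstalled inspection CA produces an "unknown authority" warning, the same CA becomes trusted the moment it is added to the store, and the purchased certificate is accepted for the XG hostname but refused as a signer for any other site because it lacks the cA flag and the certSign key usage. That is the check a browser performs regardless of how the firewall is configured, which is why a purchased certificate cannot replace the XG's CA for decrypt-and-scan.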

  • Thanks for the detailed reply.  While I knew basically how it works, the finer detail I think I was missing was the CA part, which is that the XG is acting as a CA and saying "Yep this is legit."

    While I would love to do HTTPS decryption and scanning I just do not see it as plausible.  It's fine when all you have is a Windows domain and can push out the CA to the clients, but with the proliferation of BYOD, I cannot possibly keep up with and help everyone install it on their phones and it just ends up being way too much trouble.

  • One semi-solution that some people are using is customizing the block / user portal / whatever page so that it includes a link like "Click here if you have certificate warnings".  You can then lead them to a site on your intranet containing a copy of the CA and instructions on how to install it per device type.

  • That is an interesting semi-solution, thanks for mentioning it.  I'm not sure how practical it is in my situation because a lot of people can't even figure out how to put an Exchange e-mail on their phones, and that's pretty much answering two questions and letting autodiscover do the rest, but, I may try it out and see what happens.  Thanks.

  • How can I copy the CA from one XG to another to use it for HTTPS Scanning?