Content Inspection
I am getting a weird message on most HTTPS sites when I enable content inspection.
I have gone through the process of creating a certificate using AD as outlined in the instructions and everything seemed to go fine, but I am getting the above error.
At first I thought maybe I had created the certificate incorrectly, but I have gone through the process twice with the same result. A quick Google search seems to imply the cert is SHA-1 and not SHA-2, but there were no options when creating the certificate as per: https://www.youtube.com/watch?v=2bJyTuAeQK4&t=588s
Looks like the jpg did not upload...
The error was:
Your connection is not private
NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM
The standard method is to import the firewall's Fireware HTTPS Proxy cert on to your PC or phone etc., which will then be used by your web browser.
Instead of using the firewall's default cert, you can replace the Fireware HTTPS Proxy cert on the firewall with a cert from your own CA (Certificate Authority).
See this:
Use Certificates with Outbound HTTPS Proxy Content Inspection
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/certificates/cert_https_proxy_resign_c.html
I went through that process and followed the video to create the certificate and have it in place. If I look at the Appliance certificates I can see the signed certificate for Proxy Authority that I created on my AD server. I am trying to avoid installing the certificate on all endpoints if at all possible.
Funny thing is that even when I download the certificate from the Certportal and install it on the PC, I get the same error when going to secure websites. If I look at the certificate details it shows SHA1; I think that may be the issue. How would I fix that?
To where are you installing the cert?
Windows: Local Computer -> Trusted Root ?
You need to have the local computer have a cert from your CA, so that it (web browsers) trust the encryption being done on the firewall by the cert that you uploaded to the firewall.
Yes, I installed it to Local Computer -> Trusted Root. I am on a domain computer.
I thought installing a cert from my AD CS would be enough? Only non-domain computers would need to install the cert directly onto their PC, correct?
When I look at the cert properties I see it shows as SHA1, shouldn't that be SHA2? Could that be the issue in a nutshell?
The 2 endpoints decide what to use for the encrypted session.
SHA1 is not in the cert itself.
I don't use a CA cert, but I expect that you need the CA cert installed locally even for a domain PC. You can distribute the cert using a group policy to your domain PCs.
Just for curiosity's sake, can you look at your cert and see if it is SHA1 or SHA2? I have even tried to install the cert on my PC and still get the same error:
NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM
I verified that both certificates (Proxy Authority and CA Cert) are SHA1; both were exported from AD DS.
The default Fireware cert shows
Algorithm: RSA
Keylength: 2048
On a connection, the cert info shows:
Signature Algorithm
SHA-256 with RSA Encryption
Fingerprints have both a SHA-256 and a SHA-1 string.
You should be using SHA-256.
A good while back, Fireware changed to SHA-256.
"SHA-1 is being deprecated by many popular web browsers, and WatchGuard recommends that you now use SHA-256 certificates."
From here:
How do I update my Firebox certificates to use SHA-256
https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA10H000000g3RlSAI&lang=en_US
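To confirm which signature algorithm an exported CA or Proxy Authority cert actually carries before pushing it to endpoints, here is an added example (not from this thread or from WatchGuard) that reads the outer signatureAlgorithm OID straight out of the certificate's DER structure and maps it to sha1WithRSAEncryption or sha256WithRSAEncryption. It goes slightly beyond the thread in accepting both PEM and DER input; the function names and the constructed DER skeletons used as sample input are my own.

```python
import base64, re

SIG_OIDS = {  # SHA-1 (browsers reject) vs SHA-256 RSA signature OIDs
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
WEAK = {"sha1WithRSAEncryption"}

def _tlv(buf, pos):
    """Parse one DER tag/length at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):  # DER OID content bytes -> dotted string
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)                 # base-128 arcs
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert):
    """Return the outer signatureAlgorithm name (or raw OID) of a DER or PEM cert."""
    if cert.lstrip().startswith(b"-----BEGIN"):      # PEM: strip armour, decode
        cert = base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", cert))
    tag, pos, _ = _tlv(cert, 0)                       # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _tlv(cert, pos)                       # skip tbsCertificate
    _, pos, _ = _tlv(cert, pos)                       # enter signatureAlgorithm
    tag, start, end = _tlv(cert, pos)                 # AlgorithmIdentifier.algorithm
    if tag != 0x06:
        raise ValueError("expected OID in AlgorithmIdentifier")
    oid = _decode_oid(cert[start:end])
    return SIG_OIDS.get(oid, oid)

def is_weak(cert):
    return signature_algorithm(cert) in WEAK

def _skeleton(oid_hex):
    """Constructed DER with the real Certificate layout but a stub tbsCertificate (not a loadable cert)."""
    alg = bytes.fromhex("0609" + oid_hex + "0500")    # OID + NULL parameters
    body = (bytes.fromhex("3003020102") + bytes([0x30, len(alg)]) + alg
            + bytes.fromhex("030200ff"))              # tbs stub, alg, BIT STRING
    return bytes([0x30, len(body)]) + body

SHA1_SAMPLE = _skeleton("2a864886f70d010105")         # what a legacy CSP-backed CA emits
SHA256_SAMPLE = _skeleton("2a864886f70d01010b")
PEM_SAMPLE = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SHA1_SAMPLE)
              + b"\n-----END CERTIFICATE-----\n")
```

Run `signature_algorithm(open("proxy_authority.cer", "rb").read())` on the file exported from AD CS; anything reporting sha1WithRSAEncryption needs to be reissued from a SHA-256 CA before browsers will accept the resigned sites.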
Thanks for sticking with me on this Bruce, I appreciate the help and feedback.
I deleted both certificates from the firebox and rebooted so it would create new default certs. All is working well now, but of course no content inspection. I verified that my AD is using legacy CSP and SHA1 even though I am on Server 2019 (must have migrated using old keys). Before I attempt a side by side migration, I would love to know if anyone else is experiencing this issue using AD certificates generated from AD CS in SHA1 (using MS Strong Cryptographic Provider, not MS Software Key Storage Provider). This is how you can tell if you are using legacy PKI or the newer provider. I am at a loss as to why the default certificates using SHA1 are working, but I have tried exporting certificates from 2 entirely different sites and same result (2 different AD CS and different domains, but both using SHA1 and older PKI). Wish I had a site with new PKI and SHA2 cert to verify......
OK, I downloaded the new default cert from the firebox, installed it on the PC, and can apply content inspection. This issue is definitely with my AD CS using legacy encryption. I am going to look at installing the cert using group policy to all endpoints to get content inspection working, then I will tackle upgrading the AD CS. IT is like owning an old house!!!! You start working on one thing and find a hundred other things to fix. LOL. Thanks for the help Bruce!