Discussion:
[pfSense] Force CA certificate installation as trusted root CA on WiFi clients
Roberto Carna
2018-01-30 16:56:34 UTC
Dear, I have pfSense + Squid in transparent mode.

I have to filter web sites and content in HTTPS with Squidguard, so
I've created a CA self-signed certificate and a server certificate
(signed by the CA) in pfSense. After that I defined the CA certificate
in the Squid configuration tab from pfSense.

In order to let the WiFi clients navigate in a good way through the
Squid transparent proxy, filtering everything we want with Squidguard,
I have to force the installation of the CA certificate on them.

How can I automatically force the CA certificate installation as a
trusted Root CA on WiFi clients, taking into account they can be
Windows, Linux, Android, iPhone, etc.?

Thanks in advance.

ROBERT
Edwin Pers
2018-01-30 17:08:31 UTC
I'm assuming you're talking about devices you own/control.
Windows is easy, just push it out using AD.
Linux, you'd have to script something to push it out to each device with ssh or similar.
iOS & Android, you might have luck with Apple & Google's enterprise management systems, but I'm not sure they support pushing out certs.

If they're not devices you own/control then you can't do it, that's not how SSL works.

Ed
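
An added example, not part of the reply above or of pfSense: a sketch of the kind of script that could be pushed over ssh to Linux hosts you manage. It assumes Debian- or RHEL-family trust stores and an installed `openssl`; the function names and the out-of-band pinned fingerprint are illustrative.

```bash
#!/usr/bin/env bash
# Added example: install a proxy CA on a managed Linux host, but only if the
# file matches a fingerprint obtained out of band. Paths passed in are yours.

# Map an os-release file to the trust-store family (debian or rhel).
os_family() {
    local id like
    id=$(sed -n 's/^ID=//p' "$1" | tr -d '"')
    like=$(sed -n 's/^ID_LIKE=//p' "$1" | tr -d '"')
    case " $id $like " in
        *" debian "*|*" ubuntu "*) echo debian ;;
        *" rhel "*|*" fedora "*|*" centos "*) echo rhel ;;
        *) return 1 ;;
    esac
}

# Directory where each family expects locally added trust anchors.
anchor_dir() {
    case "$1" in
        debian) echo /usr/local/share/ca-certificates ;;
        rhel)   echo /etc/pki/ca-trust/source/anchors ;;
        *) return 1 ;;
    esac
}

# Normalise "aa:bb:.." and "AABB.." so pinned and computed values compare equal.
norm_fp() { printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'; }

# Succeed only if the PEM has the pinned SHA-256 fingerprint and is a CA cert.
verify_ca() {
    local actual
    actual=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 1
    [ "$(norm_fp "${actual#*=}")" = "$(norm_fp "$2")" ] || return 1
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# install_ca <ca.pem> <pinned-sha256>: verify, copy as .crt, rebuild the store.
install_ca() {
    local fam dir
    fam=$(os_family /etc/os-release) || { echo "unsupported distro" >&2; return 1; }
    verify_ca "$1" "$2" || { echo "fingerprint or CA check failed" >&2; return 1; }
    dir=$(anchor_dir "$fam")
    install -D -m 0644 "$1" "$dir/$(basename "${1%.*}").crt" || return 1
    if [ "$fam" = debian ]; then update-ca-certificates; else update-ca-trust extract; fi
}

if [ "$#" -ge 2 ]; then install_ca "$@"; fi
```

Browsers that keep their own certificate store are not covered by the system trust store this script updates.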


Izaac
2018-01-30 17:22:50 UTC
Post by Roberto Carna
> How can I automatically force the CA certificate installation as a
> trusted Root CA on WiFi clients, taking into account they can be
> Windows, Linux, Android, iPhone, etc.?

So, I'm going to re-word this in a way that may make it more obvious why
the answer is what it is:

Q: How can I automatically undermine the basis of the SSL PKI by forcing my
CA (which, by design, generates certificates for arbitrary sites and
thereby main-in-the-middles all communications) onto third parties that
happen to be traversing my network?

A: You can not -- at least not legally or ethically.
--
. ___ ___ . . ___
. \ / |\ |\ \
. _\_ /__ |-\ |-\ \__
Izaac
2018-01-30 17:26:44 UTC
Post by Izaac
> main-in-the-middles

<facepalm>man-in-the-middle</facepalm>
--
. ___ ___ . . ___
. \ / |\ |\ \
. _\_ /__ |-\ |-\ \__