Given a proxy performing MITM SSL decryption and inspection, is it possible to i
Question
Given a proxy performing MITM SSL decryption and inspection, is it possible to install a wildcard certificate (*.domain.com) on the proxy signed by a root CA (such as VeriSign or GoDaddy) such that clients will not have to have a self-signed cert installed (since they will already trust the root CAs in their trusted store)?
I'm thinking about this in terms of allowing BYOD devices on a network and avoiding the necessity of installing a cert on different device types such as iOS, Android, Windows Phone, etc.
Explanation / Answer
This should be possible with certain configurations of proxy servers. Usually SSL proxies are put in place to proxy all outbound traffic, not just traffic to a server that you own, which is why you typically need to install the SSL proxy cert on all devices. If you want to only proxy traffic to one domain for which you have a cert signed by a root authority, then you should be able to install that wildcard cert on the proxy and not need anything from the clients.
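The scope limit the answer describes, shown as an added example that is not part of the original answer: a proxy holding only a publicly trusted `*.domain.com` certificate can terminate TLS for names that certificate covers, and nothing else. The function names, action labels and sample hostnames are assumptions made for illustration; matching follows the usual RFC 6125 wildcard rules.

```python
def wildcard_matches(pattern, hostname):
    """Return True if a certificate name such as *.domain.com covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard stands for exactly one label, so label counts must be equal.
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Only a whole left-most "*" is honoured, and at least two further
        # labels are required so that names like "*.com" never match.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    # Partial wildcards ("w*.domain.com") are rejected; otherwise exact match.
    return "*" not in pattern and p_labels == h_labels


def proxy_action(cert_names, sni):
    """Decide what the proxy can do for a requested server name (SNI)."""
    if any(wildcard_matches(name, sni) for name in cert_names):
        return "decrypt"         # clients already trust this certificate
    return "needs-private-ca"    # inspection would need a CA installed on clients


# Constructed sample: names on the proxy certificate and hosts clients request.
CERT_NAMES = ["*.domain.com"]
SAMPLE_SNI = ["www.domain.com", "domain.com", "a.b.domain.com", "mail.example.org"]


def classify(hosts=SAMPLE_SNI, cert_names=CERT_NAMES):
    """Map each requested host to the action available to the proxy."""
    return {host: proxy_action(cert_names, host) for host in hosts}


if __name__ == "__main__":
    for host, action in classify().items():
        print(f"{host:20} {action}")
```

Note that the bare `domain.com` and multi-level names such as `a.b.domain.com` fall outside the wildcard, so they need their own names on the certificate.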