Koozali.org: home of the SME Server

Help needed to install new firewall-provided root certificate

Offline Michail Pappas

Help needed to install new firewall-provided root certificate
« on: November 24, 2023, 06:41:30 AM »
Hello,

Our infrastructure has changed, including a new Cisco router firewall that comes with a root certificate in PEM format, which should be installed on all clients in order for them to be able to browse the internet. Obviously, this has impacted our SME box: for example, https access for yum updates fails. Possibly freshclam will be impacted as well.

I've seen references to an update-ca-trust command. Should I try to follow the instructions there, or is there some SME-specific mechanism at play that I should prefer using?

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Help needed to install new firewall-provided root certificate
« Reply #1 on: November 24, 2023, 03:18:43 PM »
Nice, a device authorized to make man-in-the-middle attacks by faking the SSL certificate with its own.

So we can answer better, would you mind pointing to this mentioned reference? Without more information from you, the best answer we can give is similar to what you can get at "Ye Olde Hotele":
"Maybe I am and maybe I'm not"

Offline mmccarn

Re: Help needed to install new firewall-provided root certificate
« Reply #2 on: November 24, 2023, 05:26:38 PM »
Quote from: Jean-Philippe Pialasse
Nice, a device authorized to make man-in-the-middle attacks by faking the SSL certificate with its own.

I'm seeing this more and more lately as businesses try to enable "data loss prevention" policies to prevent users from intentionally or unintentionally uploading sensitive data to an external https endpoint.

Quote from: Michail Pappas
is there some SME-specific mechanics
If the new firewall is configured to provide a proxy you could configure SME to use that for updates.

Otherwise I would make sure I have a backup and forge ahead with update-ca-cert.  Or stand up a new SME server and test it on that.

Offline ReetP

Re: Help needed to install new firewall-provided root certificate
« Reply #3 on: November 24, 2023, 06:45:58 PM »
Quote from: mmccarn
Otherwise I would make sure I have a backup and forge ahead with update-ca-cert. Or stand up a new SME server and test it on that.

A test VM is the ONLY way to safely test this. Do not try it on a production machine.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Michail Pappas

Re: Help needed to install new firewall-provided root certificate
« Reply #4 on: November 24, 2023, 06:48:37 PM »
Quote from: Jean-Philippe Pialasse
Nice, a device authorized to make man-in-the-middle attacks by faking the SSL certificate with its own.
Always a possibility, but not the intended use.

Quote
so we can answer better, would you mind pointing to this mentioned reference...
Sure, for example https://stackoverflow.com/questions/37043442/how-to-add-certificate-authority-file-in-centos-7

Quote from: mmccarn
I'm seeing this more and more lately as businesses try to enable "data loss prevention" policies to prevent users from intentionally or unintentionally uploading sensitive data to an external https endpoint.
That, plus web-downloaded malware over https cannot be scanned by middle boxes. This is a huge government WAN, implementing the same policy at each point: install a certificate to be able to scan https traffic and intercept malevolent ones.

Each branch has different IT expertise (read: from none to some). Establishing a high-end content protection perimeter (solution used is AFAIK in the $$$$$$ range) provides a decent layer of internet protection.

Quote
If the new firewall is configured to provide a proxy you could configure SME to use that for updates.
Alas, no such provision AFAIK...

Quote
Otherwise I would make sure I have a backup and forge ahead with update-ca-cert. 
Had plenty of backups, but no time for serious testing (apart from asking here) so I plunged ahead some hours ago. From the looks of it everything is working fine so far (keeping fingers crossed).

Offline ReetP

Re: Help needed to install new firewall-provided root certificate
« Reply #5 on: November 24, 2023, 07:31:46 PM »
Quote
Always a possibility, but not the intended use.

It might not be intended, but probably will be.....

Quote
Establishing a high-end content protection perimeter (solution used is AFAIK in the $$$$$$ range) provides a decent layer of internet protection.

Assuming the government trusts Cisco.....

Quote
Had plenty of backups, but no time for serious testing (apart from asking here) so I plunged ahead some hours ago. From the looks of it everything is working fine so far (keeping fingers crossed).

You really do ask for trouble.....

These sort of changes should not be implemented without some serious testing. You are going to catch a cold sooner or later, and then expect us to drop everything to help you. Which probably won't happen. Just sayin'.


Offline Jean-Philippe Pialasse

Re: Help needed to install new firewall-provided root certificate
« Reply #6 on: November 24, 2023, 07:33:50 PM »
Looking at your link, that would be the correct way for SME, i.e. the same way as CentOS 7.

This would also need to be done on all your clients on the network, including wifi clients like phones and road warriors connecting with VPN.
The procedure will indeed be different depending on the OS. Good luck with Apple products.
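
The update-ca-trust route confirmed in the reply above, written out as an added shell example; this is not code from the thread or from the SME Server project. It assumes an SME 9/10 box (CentOS 7 base) run as root with openssl and curl available, the firewall's PEM file passed in the CA_PEM variable (hypothetical name), and koozali.org as an arbitrary HTTPS check target. The check step is there because, as the replies point out, anything dropped into the anchors directory can sign for every HTTPS site the box talks to, so the file is inspected and its fingerprint printed for comparison with what the firewall team hands out before it is installed.

```shell
#!/bin/bash
# Added example (not from the thread or from SME Server): install an intercepting
# firewall's root CA the CentOS 7 way, with update-ca-trust, and verify the result
# before relying on it for yum. Assumptions: root on SME 9/10 (CentOS 7 base),
# openssl and curl present, firewall PEM file in $CA_PEM (hypothetical name).

ANCHOR_DIR=/etc/pki/ca-trust/source/anchors
BUNDLE=/etc/pki/tls/certs/ca-bundle.crt   # rebuilt by "update-ca-trust extract"

# check_ca_cert FILE: accept only a PEM X.509 certificate that carries
# basicConstraints CA:TRUE, and print subject/issuer/validity/SHA-256 fingerprint
# so the fingerprint can be compared with what the firewall administrator published.
# Returns 1 for anything else; nothing unverified should reach the anchors dir.
check_ca_cert() {
    local f="$1" text
    text=$(openssl x509 -in "$f" -noout -text 2>/dev/null) || {
        echo "check_ca_cert: $f is not a PEM X.509 certificate" >&2
        return 1
    }
    if ! printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
        echo "check_ca_cert: $f has no basicConstraints CA:TRUE, not a CA" >&2
        return 1
    fi
    openssl x509 -in "$f" -noout -subject -issuer -dates -fingerprint -sha256
}

# install_ca_cert FILE: copy the anchor into place, regenerate the system bundles,
# then prove the regenerated bundle really validates the anchor. Every client that
# reads ca-bundle.crt (yum, curl, anything using the system trust store) picks the
# new CA up on its next connection; no service restart is needed for that.
install_ca_cert() {
    local f="$1"
    check_ca_cert "$f" || return 1
    install -m 0644 "$f" "$ANCHOR_DIR/$(basename "$f")"
    update-ca-trust extract
    openssl verify -CAfile "$BUNDLE" "$f"
}

# verify_https HOST: one end-to-end check through the firewall. With the CA in
# place curl must succeed without -k; the certificate it sees is minted by the
# firewall, not by the site's real CA, which is exactly the interception the
# thread describes.
verify_https() {
    curl -sS -o /dev/null -w '%{url_effective} -> HTTP %{http_code}\n' "https://$1/"
}

# Stand-alone use: CA_PEM=/root/firewall-root.pem bash install-firewall-ca.sh
if [ -n "${CA_PEM:-}" ]; then
    install_ca_cert "$CA_PEM" && verify_https "${CHECK_HOST:-koozali.org}"
fi
```

After a successful run, `yum clean all && yum check-update` confirms the repositories are reachable again. Rolling back is the same mechanism in reverse: delete the file from /etc/pki/ca-trust/source/anchors and run `update-ca-trust extract` once more.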

Offline Michail Pappas

Re: Help needed to install new firewall-provided root certificate
« Reply #7 on: November 24, 2023, 08:08:04 PM »
Quote from: ReetP
You are going to catch a cold sooner or later, and then expect us to drop everything to help you. Which probably won't happen. Just sayin'.
I'm about to be broken from the workload imposed on me and my meagre, in terms of size, team. And you are stating the obvious for me, I dig that. But upper management does not understand shit. So yes, sooner or later I'll run into a wall, full throttle.

@Jean, I had the clients worked out. Thankfully no road warriors needing net (all are contained upon connection), no mobile/wifi clients per my branch policy.

I've almost survived this 5year old project. Will enjoy these holidays 🤟