AnsweredAssumed Answered

SSL: trusted Root CA

Question asked by RSA Admin Employee on May 20, 2015
Latest reply on May 21, 2015 by RSA Admin

Hello, forum,


There is an old, but still disturbing matter of replacing SSL certificates for traffic monitoring. Users get nervous about it, but nevertheless it should be done due to well known reasons. Imagine that you are an authorized service and ssl traffic monitoring is your concern. Monitoring corporate users is easy due to you have ability to install trusted root CA using for example GPO on all their corporate devices and then just do SSL MITM and forward traffic to SA. But this is an issue with external users as you do not have control over their devices, but you are legally allowed to do it. There are some ways (some are pure imagination):


1) Force OS vendors to install custom root certificate. Every OS has it's own list of trusted root certs, I believe that is due to this approach,

2) Make you own trusted root CA, pass audits, issue both official and mitm certs for only in-state usage. A very long and quite expensive process, could be related to 1)

3) Become a subordinate CA, but all CA's clearly state that using their subordinate CA for DPI (same as ssl mitm) is illegal. But there were lot's of examples of trusted root CA's usage for DPI purpose. For this process I guess the root CA must be located in your state.

4) Buy some magic ssl inspection box that will have a pre-installed root ca, and the cert will be the vendors responsibility. Some sources state that such boxes exist, due to limited information they may be distributed only government-level channels.


I'm sure that many of you had similar thoughts/requests, I hope someone can share, what is a best approach for monitoring external ssl traffic.

I hope this post doesn't break any rules. Also feel free to PM me on this delicate matter.


Thanks in advance, peace