Proxy server beginner question regarding certificate of authority

Started by patrick3000, October 16, 2023, 05:25:40 AM

I have OPNsense set up as the firewall for my house. Both my spouse and I work from home, and we rely on the network extensively.

I would like to harden security, and I'm considering setting up a transparent proxy server in OPNsense so that I can subsequently install Zenarmor and ClamAV. However, I'm undecided about this because all the proxy server tutorials I've seen rely on self-signed certificates for SSL access, and there is no way I'd want to install trusted certificates on all client devices in my house, which include numerous Linux and Windows laptops and desktop PCs, as well as phones with iOS.

So, I'm wondering whether there is a way to buy a trusted certificate from an authority and install that in OPNsense for SSL access with the proxy server rather than using a self-signed certificate, which would avoid the need to do any configuration at the client level. I would think this would be possible, and trusted certificates aren't expensive, but for some reason, all the tutorials I've seen rely on self-signed certificates, so I'm wondering if there's something I'm missing.

Bottom line: Is it possible to install a transparent proxy server on OPNsense and install a trusted certificate of authority, rather than self-signed, so that I can avoid the need to do any configuration at the client level?


Thanks. I don't understand why, because trusted, signed certificates are available for purchase from various authorities, but I tend to believe that you're likely correct, because I have not yet seen a tutorial that discusses setting up a transparent proxy server with anything other than a self-signed certificate, and given the hassle of configuration at the client level that that entails, I'm guessing that if it were possible to use a trusted certificate from an authority, then the tutorials would discuss how to do so.

You can buy leaf certificates.

What you're asking is if it's not possible to buy an Intermediate CA able to issue _any_ certificates trusted worldwide -- for home use.

The transparent proxy needs to generate and sign certificates for e.g. forum.opnsense.org, google.com, ... on the fly. So you need a CA certificate. These are not generally available for individuals.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Patrick M. Hausen, that makes sense. Thanks for the explanation.

Maybe ask Honest Achmed how to establish your own CA ;)

https://bugzilla.mozilla.org/show_bug.cgi?id=647959
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

LOL.

On a more serious note, I am now considering setting up a transparent proxy on a single subnet, that's only used by me and has a couple of Linux laptops plus my TrueNAS servers, and seeing how much of a hassle it is to add the certificates at the client level, without doing it on the other subnets that are used for phones, television, my spouse's Windows laptops, etc.

If it works well, maybe I'll expand it to the other subnets later.