by adrien » May 12 20 5:34 pm
Hi
Fundamentally, SSL inspection requires generating certificates that masquerade as the certificate of any website your users go to.
For this, the certificate used is used to sign other certificates.
There's no CA in the world that will sell you a cert that can be used for this, because the basis of a CA business is verifying the authenticity of holders of certificates.
The base cert used by WinGate is created by WinGate with the attributes that allow it to sign other certificates - to attest to their validity. This is why this certificate used must be trusted by your users, which involves adding the cert to their root cert store.
You can possibly ease deployment of the WinGate cert with group policy. It may also be possible to mint a suitable certificate from AD CA services so it's trusted by your domain users, but we haven't done that before. In the end, deploying the WinGate self-signed cert for this is a lesser problem.
Regards
Adrien de Croy
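
As an added example (not part of the original post and not WinGate's own tooling), this PowerShell script checks an exported inspection CA certificate before it is placed in a root store: that it carries the CA signing attributes described above, contains no private key, and matches the thumbprint read on the proxy. The file path, the thumbprint placeholder and the `-Import` switch are assumptions made for the example.

```powershell
# Added example. $Path and $ExpectedThumbprint are placeholders (assumptions):
# export the public CA certificate from the proxy and note its thumbprint there.
param(
    [string]$Path = 'C:\Temp\inspection-ca.cer',
    [string]$ExpectedThumbprint = '<THUMBPRINT-READ-ON-THE-PROXY>',
    [switch]$Import   # hypothetical switch: add to LocalMachine\Root if all checks pass
)

$basicType   = [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
$usageType   = [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
$keyCertSign = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
$basic = $cert.Extensions | Where-Object { $_ -is $basicType } | Select-Object -First 1
$usage = $cert.Extensions | Where-Object { $_ -is $usageType } | Select-Object -First 1

$problems = @()
# A certificate that signs other certificates must be marked as a CA.
if (-not ($basic -and $basic.CertificateAuthority)) {
    $problems += 'basicConstraints does not mark this certificate as a CA'
}
# If keyUsage is present it must allow certificate signing.
if ($usage -and -not $usage.KeyUsages.HasFlag($keyCertSign)) {
    $problems += 'keyUsage is present but lacks keyCertSign'
}
# Clients only need the public certificate; the signing key stays on the proxy.
if ($cert.HasPrivateKey) {
    $problems += 'file contains a private key; distribute the public certificate only'
}
# Confirm this is the certificate the proxy actually uses, not a look-alike.
if ($cert.Thumbprint -ne ($ExpectedThumbprint -replace '\s', '')) {
    $problems += 'thumbprint does not match the value read on the proxy'
}
if ($cert.NotAfter -lt (Get-Date)) {
    $problems += "certificate expired on $($cert.NotAfter)"
}

[pscustomobject]@{
    Subject    = $cert.Subject
    SelfSigned = ($cert.Subject -eq $cert.Issuer)   # string comparison only
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    Problems   = $problems -join '; '
} | Format-List

if ($Import -and $problems.Count -eq 0) {
    # Requires an elevated session; trusts the CA for every user of this machine.
    Import-Certificate -FilePath $Path -CertStoreLocation Cert:\LocalMachine\Root
}
```

For a domain-wide rollout, the same validated `.cer` file is what would go into a group policy's Trusted Root Certification Authorities list.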