question

PorscheMe-6235 asked suvasara-MSFT commented

How to add an outbound website's SSL cert root CA to the firewall's trusted CA list

We installed Azure Firewall - Premium SKU. All is well.

When we enabled TLS inspection, our outbound calls started failing with the error below:
    Can't connect securely to this page
    This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website's owner.
    Try this:

It may be because the website's SSL cert root is not in the firewall's trusted root CA list.



Tags: azure-virtual-network, azure-firewall

suvasara-MSFT answered suvasara-MSFT edited

@PorscheMe-6235, Azure Firewall Premium supports integration with Key Vault for server certificates that are attached to a Firewall Policy. You can either create or reuse an existing user-assigned managed identity, which Azure Firewall uses to retrieve certificates from Key Vault on your behalf. End-user browser and client applications must trust your organization's Root CA certificate or intermediate CA certificate.

Ref: https://azure.microsoft.com/en-in/blog/azure-firewall-premium-now-in-preview-2/
Doc: https://docs.microsoft.com/en-us/azure/firewall/premium-certificates


Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.


PorscheMe-6235 answered PorscheMe-6235 edited

@suvasara-MSFT thanks for reply.

My question is how the firewall validates step #3 in Doc: https://docs.microsoft.com/en-us/azure/firewall/premium-certificates

Maybe the www.website.com SSL cert was issued by a CA that the firewall isn't aware of? Is there a list of root CA certs that the firewall trusts by default? Can we add the root of www.website.com's SSL cert to the firewall's root CA list?


suvasara-MSFT answered suvasara-MSFT commented

@PorscheMe-6235, apologies for the delay in response. Yes, Azure does have a list of trusted CAs, but the trusted CA list in the documentation needs an update. We will work on the document and update it soon.


Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

[attachment: image.png]

@PorscheMe-6235,
Greetings,

If you think your question has been answered, click "Mark as Answer"; if it just helped, click "Vote as helpful". This can be beneficial to other community members reading this forum thread.


Best regards
Subhash

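Before asking whether a destination's root CA can be added to the firewall's trusted list, you need to know which root the site's chain actually terminates in. The script below is an added example, not code from this thread, from Microsoft or from the Azure Firewall documentation. It takes the certificate bundle a server presents (leaf plus intermediates, as saved from `openssl s_client -connect www.website.com:443 -showcerts`, which is assumed to have been run beforehand) and prints the subject of the root CA the chain chains up to, then checks that subject against a trusted-roots file. The one-RFC-2253-subject-per-line format of that file, the hostname www.website.com and the "Constructed Test Root CA" name are assumptions made for the example; the firewall's real trusted list is whatever Microsoft documents for the Premium SKU. With no arguments the script generates a throwaway root and leaf with openssl so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread or the Azure docs. Given the certificate
# chain a website presents (leaf plus intermediates, as saved from
# `openssl s_client -showcerts`), print the subject of the root CA the chain
# terminates in and check it against a list of trusted root subjects.
# The list format (one RFC 2253 subject per line) is an assumption made here.

# Subject of the root CA that a PEM chain file chains up to. Servers normally
# send leaf + intermediates but not the root, so the root's subject is the
# ISSUER of the last certificate in the file. If the server does include the
# root, that certificate is self-signed and its issuer equals its subject, so
# the same rule still yields the root's name.
chain_root_subject() {
    # Keep only the last certificate block of the bundle, then read its issuer.
    awk '/-----BEGIN CERTIFICATE-----/ {buf = ""} {buf = buf $0 "\n"} END {printf "%s", buf}' "$1" |
        openssl x509 -noout -issuer -nameopt RFC2253 |
        sed 's/^issuer= *//'
}

# Exit 0 when the chain's root subject is listed in the trusted-roots file
# (exact, whole-line match), 1 otherwise.
chain_root_trusted() {
    root=$(chain_root_subject "$1") || return 1
    grep -Fxq -- "$root" "$2"
}

# Build a throwaway chain in directory $1 so the check can be exercised with no
# network access: a constructed root CA ("CN=Constructed Test Root CA") signs a
# leaf for www.website.com, and only the leaf is written to chain.pem, which is
# what a server typically sends. Prints the chain path.
make_constructed_chain() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test Root CA" \
        -keyout "$d/root.key" -out "$d/root.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.website.com" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$d/leaf.csr" \
        -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -out "$d/leaf.crt" >/dev/null 2>&1
    cp "$d/leaf.crt" "$d/chain.pem"
    printf '%s\n' "$d/chain.pem"
}

# Usage: sh check_root.sh CHAIN.pem TRUSTED_ROOTS.txt
# With no arguments, run against the constructed chain and a constructed list.
if [ "$#" -eq 2 ]; then
    chain="$1"; trusted="$2"
else
    work=$(mktemp -d)
    chain=$(make_constructed_chain "$work")
    trusted="$work/trusted.txt"
    printf '%s\n' "CN=Some Other Root CA" "CN=Constructed Test Root CA" > "$trusted"
fi
root=$(chain_root_subject "$chain")
if chain_root_trusted "$chain" "$trusted"; then
    echo "root CA '$root' is in the trusted list"
else
    echo "root CA '$root' is NOT in the trusted list; the firewall must trust it before TLS inspection can succeed for this destination"
fi
```

The name this prints is the one to look for in the firewall's trusted CA list: if it is absent, the firewall cannot build a chain for the destination and the inspected connection fails regardless of what the client browser trusts. Note that this is a separate trust decision from the one the answer above describes: the Key Vault certificate is the intermediate CA the firewall uses to re-sign server certificates for your clients, and clients must trust that; the destination's root CA is what the firewall itself must trust when it validates the real server.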