Wanting To Get Signed Certificate - Which?



  • Hello, all!

    (Just as a heads up, I'm new to the whole certificate idea, so am trying to learn as much as possible)

    Working on getting blocking set up at a low budget mission school, and am trying to find some way to block HTTPS.

    So far, it looks like the best solution is to use Squid, and have HTTPS traffic be redirected through it. The problem is, it looks like it'll throw a certificate error whenever anyone tries it.

    So… I'm looking into how to get a signed certificate so this won't happen.

    Which type of certificate is needed? We have our domain name through Namecheap, and they have some pretty good offers on SSL certificates there... Would those work for this? Or do they have to be for a website? Also, does it have to be a wildcard SSL, or could it be a single domain SSL?

    Yes, I've looked for the answer, but thus far haven't run across one that specifically answers my questions...

    Thanks!
    ElectroPulse



  • You should look into OpenDNS.

    You can set up an account with them, configure what you want to be blocked on their site.

    Then you load their DNS settings into pfsense.

    You set the pfsense DNS forwarder to use only those settings.

    Then you block access to outside DNS (port 53) and allow only pfsense to be contacted for DNS from the client computers.

    That should get you most of the way there.



  • You will still get an HTTPS error even if you buy a signed cert. That error comes from the cert not matching the specific webserver.

    Squid intercepts the https session and the browser sees that the cert squid uses doesn't match whichever website is being browsed.
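    The two separate checks a browser runs on the proxy's certificate, as an added illustration (not code from the thread or from Squid); the hostnames `proxy.school.example`, `*.school.example` and `www.somesite.example` are constructed placeholders.

```python
# Added example: why a purchased (CA-signed) certificate for the proxy's own
# name still produces a browser error when Squid intercepts HTTPS. A browser
# checks (1) that the issuer is trusted and (2) that a name in the certificate
# matches the host it asked for; buying a cert only fixes (1).
from typing import Iterable, List

def _name_matches(cert_name: str, host: str) -> bool:
    """RFC 6125-style comparison of one dNSName against the requested host.
    A wildcard is honoured only as the entire left-most label, so
    '*.school.example' covers 'proxy.school.example' but not
    'a.b.school.example' and not 'school.example' itself."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == host
    c_labels, h_labels = cert_name.split("."), host.split(".")
    return (len(c_labels) == len(h_labels)
            and h_labels[0] != ""
            and c_labels[1:] == h_labels[1:])

def check_certificate(san_names: Iterable[str], issuer_trusted: bool,
                      requested_host: str) -> List[str]:
    """Return the browser errors for this certificate; [] means accepted.
    Issuer trust and name match are independent checks."""
    errors = []
    if not issuer_trusted:
        errors.append("issuer not trusted")
    if not any(_name_matches(n, requested_host) for n in san_names):
        errors.append("name mismatch")
    return errors

# Constructed sample certificates (placeholder names, not real sites):
SQUID_SELF_SIGNED = {"san": ["proxy.school.example"], "trusted": False}
SQUID_PURCHASED_SINGLE = {"san": ["proxy.school.example"], "trusted": True}
SQUID_PURCHASED_WILDCARD = {"san": ["*.school.example"], "trusted": True}

def errors_when_browsing(cert: dict, host: str) -> List[str]:
    """Errors a browser would show when `host` is reached through Squid
    presenting `cert`."""
    return check_certificate(cert["san"], cert["trusted"], host)

if __name__ == "__main__":
    for label, cert in [("self-signed", SQUID_SELF_SIGNED),
                        ("purchased single-name", SQUID_PURCHASED_SINGLE),
                        ("purchased wildcard", SQUID_PURCHASED_WILDCARD)]:
        result = errors_when_browsing(cert, "www.somesite.example")
        print(f"{label}: {result or 'accepted'}")
```

    Only the self-signed case loses the "issuer not trusted" error once a purchased certificate is used; the "name mismatch" error remains for every third-party site, whether the certificate is single-name or wildcard.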



  • @kejianshi:

    You should look into OpenDNS.

    You can set up an account with them, configure what you want to be blocked on their site.

    Then you load their DNS settings into pfsense.

    You set the pfsense DNS forwarder to use only those settings.

    Then you block access to outside DNS (port 53) and allow only pfsense to be contacted for DNS from the client computers.

    That should get you most of the way there.

    Unfortunately, not an option due to the pricing of the packages that have the required functions (again, I'm at a low-budget mission school).

    @radrmr:

    You will still get an HTTPS error even if you buy a signed cert. That error comes from the cert not matching the specific webserver.

    Squid intercepts the https session and the browser sees that the cert squid uses doesn't match whichever website is being browsed.

    Ah, man… So there's no advantage to having a signed cert then?



  • What is the cost of a free service?

    DynDNS also works - Also free.



  • @kejianshi:

    What is the cost of a free service?

    DynDNS also works - Also free.

    The cost of a free service? Essential functionality, as mentioned before. Group- and time-based rules are required.



  • You could probably handle the group issue within pfsense but I'm not sure about DNS by time.  Anyway - Good luck.  :)

