How to eliminate the invalid certificate warning pop up when intercepting HTTPS / SSL

Solution

Overview

An SSL warning message pops up frequently when browsing to HTTPS websites.

Cause
Resolution

In this case, the certificate used for SSL interception is imported into the client browser as a Root Certificate Authority. In this example, we generate a new keyring rather than using the “default” keyring.

1. Creating a new keyring

ProxySG Web Management Console > Configuration > SSL > Keyrings > Create > Provide an appropriate name, for example “sslproxy” > Click on “show keypair” (enabling this lets you view the keypair of this keyring, which is what allows you to back up the certificate) > OK

2. Creating a new certificate for the new keyring.

You should now be able to view the new keyring listed on the SSL keyring screen. Click on the new keyring, in this example “sslproxy” > Press edit/view > A new screen will pop up > In the “Certificate” portion > Click “Create” > A new screen will pop up > Vital information required to generate this certificate:

a. Country Code – Internet code for the specific country, e.g. MY for Malaysia.
b. Common Name – IP address of the proxy which will be used for SSL intercept.
c. Challenge – Challenge key for the certificate. Keep a record of this, as it will be needed to restore the certificate if a full system recovery is required and you would like to retain the same certificate.
d. Other fields are not compulsory, but it is good to fill them in.

Press OK after filling in all vital information > On the main screen > Press Apply

Please note that “State”, “Country”, “Organization”, “Unit” and “Common Name” must be the same as in the DEFAULT keyring. The Challenge (password) can be modified.


3. Optional step: performing a backup of the certificate and keypair

This requires an SSH or serial console connection to the ProxySG. The keypair must be copied in full, from -----BEGIN RSA PRIVATE KEY----- through -----END RSA PRIVATE KEY-----. The certificate generated from the keypair can be obtained either through the web management console or through the CLI; below is an example of how to obtain it through the CLI.

ProxySG>
ProxySG>en
Enable Password:
ProxySG#
ProxySG#conf t

Enter configuration commands, one per line.  End with CTRL-Z.

ProxySG#(config)ssl   
ProxySG#(config ssl)view keypair sslproxy
-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQDbSxC+tt3tqrGcJNWDBXaa0fh5U79NKEovmTPyZTB+evWgcST1
..
vUiixBiO5d92S00Q8Qz8AzPrDpUy8/VUhAfqcp4yTlIHsA==
-----END RSA PRIVATE KEY-----

ProxySG#(config ssl)
ProxySG#(config ssl)view certificate sslproxy
-----BEGIN CERTIFICATE-----
MIICLTCCAZagAwIBAgIEFuGXkzANBgkqhkiG9w0BAQQFADBbMQswCQYDVQQGDAJN
...

w3IdGFU2RdaeRV7KehWupg2pLbZpDnUBKmp+0+o2Bxqp
-----END CERTIFICATE-----

4. Importing the certificate to a browser.

In this example, this is done manually in Internet Explorer and Firefox. Before proceeding, you will need the copy of the certificate saved in the earlier steps.

a. Internet Explorer 6
Tools > Internet Options > Content > Certificates > Trusted Root Certification Authorities > Import > Next > Filename > Point to the certificate file saved earlier > Change the file type to all files in the Windows Explorer dialog > Next > Next > Finish

b. Firefox
Tools > Options > Encryption > View Certificates > Authorities > Import > Point to the certificate file saved earlier > Check the first option, “Trust this CA to identify web sites”.
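
Before the file saved in step 3 is imported in step 4, it is worth confirming that it holds exactly one certificate and no private key, because the keypair shown in the same CLI session is the private key of the interception CA and should stay with the backup only. The following Python check is an added example, not part of the original article; the function name and the sample inputs are constructed for illustration, and the sample bytes are placeholders rather than a real certificate or key.

```python
import base64
import hashlib
import re

# One PEM block: BEGIN label, base64 body, END line with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Constructed sample input: placeholder bytes, not a real certificate or key.
SAMPLE_DER = b"constructed placeholder bytes standing in for DER"
CERT_ONLY = ("-----BEGIN CERTIFICATE-----\n"
             + base64.encodebytes(SAMPLE_DER).decode()
             + "-----END CERTIFICATE-----\n")
FULL_BACKUP = ("-----BEGIN RSA PRIVATE KEY-----\nQUJD\n"
               "-----END RSA PRIVATE KEY-----\n" + CERT_ONLY)
TRUNCATED = ("-----BEGIN CERTIFICATE-----\nQUJD\n...\nQUJD\n"
             "-----END CERTIFICATE-----\n")


def inspect_export(pem_text):
    """Check a file saved from the CLI session before giving it to clients.

    Returns (fingerprints, problems): the SHA-256 fingerprint of each
    CERTIFICATE block, and the reasons (if any) the file should not be
    imported into browsers as it stands.
    """
    fingerprints, problems = [], []
    for label, body in PEM_BLOCK.findall(pem_text):
        if "PRIVATE KEY" in label:
            problems.append("contains a %s block" % label)
            continue
        if label != "CERTIFICATE":
            problems.append("unexpected block type: %s" % label)
            continue
        try:  # a paste cut short with "..." fails strict base64 decoding
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append("certificate body is not valid base64")
            continue
        digest = hashlib.sha256(der).hexdigest().upper()
        fingerprints.append(":".join(digest[i:i + 2] for i in range(0, 64, 2)))
    if len(fingerprints) != 1:
        problems.append("expected exactly 1 certificate, found %d" % len(fingerprints))
    return fingerprints, problems

if __name__ == "__main__":
    for name, text in [("cert only", CERT_ONLY), ("full backup", FULL_BACKUP)]:
        print(name, inspect_export(text))
```

The fingerprint returned for the certificate-only file can be compared with the one the browser displays in its import dialog, so that the file imported on each client is the one exported from the proxy.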

InQuira Doc Id: KB3093