In this case, the certificate used for SSL intercept will be imported into the client browser as a trusted root certificate authority. In this example, we generate a new keyring rather than using the “default” keyring.
1. Creating a new keyring
ProxySG Web Management Console > Configuration > SSL > Keyrings > Create > Provide an appropriate name, for example “sslproxy” > Select “show keypair” (enabling this lets you view the keypair of this keyring, which is what makes a backup of the certificate possible) > OK
2. Creating a new certificate for the new keyring.
You should now be able to view the new keyring listed on the SSL keyring screen. Click on that new keyring, in this example “sslproxy” > Press edit/view > A new screen will pop up > In the “Certificate” portion > Click “Create” > A new screen will pop up > Vital info required to generate this certificate:
a. Country Code – internet code for the specific country, e.g. MY for Malaysia
b. Common Name – IP address of the proxy which will be used for SSL intercept.
c. Challenge – Challenge key for the certificate. Keep a record of this, as it will be needed to restore this certificate if a full system recovery is needed and you would like to retain the same certificate.
d. Other fields are not compulsory but are good to fill in.
Press Ok after filling in all vital information > On main screen > Press Apply
Please note that “State”, “Country”, “Organization”, “Unit” and “Common Name” must be the same as in the DEFAULT keyring. The challenge (password) can be modified.
3. Optional step: performing a backup of the certificate and keypair
This requires an SSH or serial console connection to the ProxySG. Copy the keypair portion starting from -----BEGIN RSA PRIVATE KEY----- through -----END RSA PRIVATE KEY-----. The certificate generated for the keypair can be obtained either through the web management console or through the CLI; below is an example of how to obtain it through the CLI.
Enter configuration commands, one per line. End with CTRL-Z.
ProxySG#(config ssl)view keypair sslproxy
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
ProxySG#(config ssl)view certificate sslproxy
4. Importing the certificate to a browser.
In this example, this is done manually in Internet Explorer and Firefox. Before proceeding, you will need the copy of the certificate saved in the earlier steps.
a. Internet Explorer 6
Tools > Internet Options > Content > Certificates > Trusted Root Certification Authorities > Import > Next > Filename > Point to the certificate file saved earlier > Change the file type to all in the Windows Explorer screen > Next > Next > Finish
b. Firefox
Tools > Options > Encryption > View Certificates > Authorities > Import > Point to the certificate file saved earlier > Check the first option, “Trust this CA to identify web sites”.
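
Steps 3 and 4 can be tied together with a small script, added here as an example and not part of the original procedure or of any ProxySG tooling. It splits a saved CLI session into separate key and certificate files, stores the key with owner-only permissions, and computes the certificate fingerprint to compare against the browser's certificate viewer before trusting it. The function names, file names and session text are assumptions, and the sample payloads are constructed placeholder bytes.

```python
import base64
import hashlib
import os
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def to_pem(label, der):
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"

# Constructed session capture: the payloads are placeholder bytes, not a real
# key or certificate. PEM output for "view certificate" is an assumption.
SAMPLE_SESSION = (
    "ProxySG#(config ssl)view keypair sslproxy\r\n"
    + to_pem("RSA PRIVATE KEY", b"constructed placeholder key bytes")
    + "ProxySG#(config ssl)view certificate sslproxy\r\n"
    + to_pem("CERTIFICATE", b"constructed placeholder certificate bytes")
    + "ProxySG#(config ssl)"
)

def extract_pem_blocks(session):
    """Return {label: decoded bytes} for each PEM block in a saved CLI session."""
    blocks = {}
    for label, body in PEM_RE.findall(session):
        # validate=True rejects prompt text or other junk copied into the block
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der:
            raise ValueError(f"empty {label} block, copy was incomplete")
        blocks[label] = der
    return blocks

def fingerprint(der, algorithm="sha256"):
    """Colon-separated digest to compare with the browser's certificate viewer."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def save_backup(blocks, directory, name="sslproxy"):
    """Write each block to its own file; private keys get owner-only access."""
    paths = {}
    for label, der in blocks.items():
        is_key = label.endswith("PRIVATE KEY")
        path = os.path.join(directory, name + (".key" if is_key else ".crt"))
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(to_pem(label, der))
        os.chmod(path, 0o600 if is_key else 0o644)
        paths[label] = path
    return paths
```

Pass the digest algorithm that the browser displays, for example `fingerprint(blocks["CERTIFICATE"], "sha1")` for Internet Explorer's SHA-1 thumbprint, and import only the `.crt` file into browsers; the `.key` file stays with the backup.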