ssl intercept CA

frank3427
Posts: 1
Joined: 24 May 2016 15:06

ssl intercept CA

Post by frank3427 » 24 May 2016 15:42

I am looking to set up SSL intercept, and in reading I see that you have to create a CA and then load the CA onto the clients. What I am wondering is how I can sign the CA from our current CA.

Something like this:

corp root Ca
|----proxy ca
|---- client ca

Currently all clients already have the Corp CA installed.

charles
Site Admin
Posts: 41
Joined: 06 Nov 2014 16:23
Location: Paris

Re: ssl intercept CA

Post by charles » 24 May 2016 21:49

Dear Frank

The SSL mediation uses a CA root certificate (and not an intermediate CA certificate), so you do not need to sign that CA with your Corp root CA. As you already have a Corp root CA, I suggest that you import it into your CG instead of generating a new one.

To do so, put your Corp root CA and its related private key on an SFTP file server, then use the following commands (since version NG 1.2.0):

Code:

access file add <sshd-ip> sftp <login>
apply

At this stage you need to wait for the apply to terminate. Replace <sshd-ip> and <login> respectively by the IP address of your SFTP file server and your login name on that SFTP file server.

Then use the following commands:

Code:

tls ca certificate load sftp <sshd-ip> <corp-ca-certificate-filename>
tls ca key load sftp <sshd-ip> <corp-ca-private-key-filename>
apply

Please note that for SFTP you should specify the full path of files (example: /home/frank/corp-ca.cert).

Refer to the following documentation sections for further information:
http://www.cacheguard.net/doc/command/tls.html
http://www.cacheguard.net/doc/command/access.html


Best Regards,
Charles Tajvidi
IT Technical Architect
http://www.cacheguard.com
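
A pre-flight check that can be run on the SFTP file server before the load commands in the reply above. This is an added example, not part of the thread and not CacheGuard tooling. It assumes `openssl` is installed and both files are PEM encoded; `check_ca_pair` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a CA certificate and
# private key with openssl before loading them onto the proxy.
# Returns 0 if all checks pass, 1 if a check fails, 2 if a file cannot be parsed.
check_ca_pair() {
    cert=$1
    key=$2

    # The reply says a root (not intermediate) CA is expected: a root is
    # self-signed, so its subject and issuer names are identical.
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253) || return 2
    issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253) || return 2
    if [ "${subject#subject=}" != "${issuer#issuer=}" ]; then
        echo "FAIL: not self-signed (issuer differs from subject)" >&2
        return 1
    fi

    # The certificate must be allowed to sign other certificates.
    if ! openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
        echo "FAIL: basicConstraints does not contain CA:TRUE" >&2
        return 1
    fi

    # An expired CA makes every certificate it signs fail validation.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "FAIL: certificate has expired" >&2
        return 1
    fi

    # The private key must belong to the certificate: compare public keys.
    # (An encrypted key makes openssl prompt for its passphrase here.)
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout) || return 2
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match the certificate" >&2
        return 1
    fi

    # Warn (without failing) if the key is readable by group or others.
    perms=$(ls -ld "$key" | cut -c5-10)
    [ "$perms" = "------" ] || echo "WARN: $key is accessible beyond its owner" >&2
    return 0
}

# Run as: sh check_ca_pair.sh <certificate-file> <private-key-file>
if [ "$#" -eq 2 ]; then
    check_ca_pair "$1" "$2"
fi
```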