ssl intercept CA

Posted: 24 May 2016 15:42
by frank3427
I am looking to set up SSL intercept and in reading I see that you have to create a CA and then load the CA onto the clients. What I am wondering is how I can sign the CA from our current CA.

Something like this:

corp root CA
|---- proxy CA
|---- client CA

Currently all clients already have the Corp CA installed.

Re: ssl intercept CA

Posted: 24 May 2016 21:49
by charles
Dear Frank

The SSL mediation uses a CA root certificate (and not an intermediate CA certificate), so you do not need to sign that CA with your Corp root CA. As you already have a Corp root CA, I suggest that you import it into your CG instead of generating a new one.

To do so, put your Corp root CA and its related private key on an SFTP file server, then use the following commands (since version NG 1.2.0):

Code:

    access file add <sshd-ip> sftp <login>
    apply

At this stage you need to wait for the apply to finish. Replace <sshd-ip> and <login> respectively with the IP address of your SFTP file server and your login name on that SFTP file server.

Then use the following commands:

Code:

    tls ca certificate load sftp <sshd-ip> <corp-ca-certificate-filename>
    tls ca key load sftp <sshd-ip> <corp-ca-private-key-filename>
    apply

Please note that for SFTP you should specify the full path of the files (example: /home/frank/corp-ca.cert).

Refer to the following documentation sections for further information:
http://www.cacheguard.net/doc/command/tls.html
http://www.cacheguard.net/doc/command/access.html


Best Regards,