ssl intercept CA

Discuss and get help to configure and maintain CacheGuard
Post Reply
Posts: 1
Joined: 24 May 2016 15:06

ssl intercept CA

Post by frank3427 »

I am looking to setup ssl intercept and in reading i see that you have to create a CA and then load the CA on to the clients. what I am wondering is how can sign the CA from our current CA.

something like this

corp root Ca
|----proxy ca
|---- client ca

currently all client already have the Corp CA installed.
User avatar
Site Admin
Posts: 41
Joined: 06 Nov 2014 16:23
Location: Paris

Re: ssl intercept CA

Post by charles »

Dear Frank

The SSL mediation uses a CA root certificate (and not an intermediate CA certificate) so you need not to sign that CA with your Corp root CA. As you already have a Corp root CA I suggest that you import it into your CG instead of generating a new one.

To do so put your Corp root CA and its related private key on an SFTP file server then use the following commands (since the version NG 1.2.0):

Code: Select all

access file add <sshd-ip> sftp <login>
At this stage you need to wait for the apply termination. Replace <sshd-ip> and <login> respectively by the IP address of your sftp file server and your login name on that SFTP file server.

Then use the following commands:

Code: Select all

tls ca certificate load sftp <sshd-ip> <corp-ca-certificate-filename>
tls ca key load sftp <sshd-ip> <corp-ca-private-key-filename>
Please note that when for SFTP you should specify the full path of files (example: /home/frank/corp-ca.cert).

Refer to the following documentation sections for further information:

Best Regards,
Charles Tajvidi
IT Technical Architect
Post Reply