ssl intercept CA
Posted: 24 May 2016 15:42
by frank3427
I am looking to set up SSL intercept, and in reading I see that you have to create a CA and then load the CA onto the clients. What I am wondering is how I can sign the CA from our current CA.
Something like this:
Corp root CA
|----proxy CA
|---- client CA
Currently all clients already have the Corp CA installed.
Re: ssl intercept CA
Posted: 24 May 2016 21:49
by charles
Dear Frank
The SSL mediation uses a CA root certificate (and not an intermediate CA certificate), so you need not sign that CA with your Corp root CA. As you already have a Corp root CA, I suggest that you import it into your CG instead of generating a new one.
To do so, put your Corp root CA and its related private key on an SFTP file server, then use the following commands (since version NG 1.2.0):
Code:
access file add <sshd-ip> sftp <login>
apply
At this stage you need to wait for the apply to terminate. Replace <sshd-ip> and <login> respectively with the IP address of your SFTP file server and your login name on that SFTP file server.
Then use the following commands:
Code:
tls ca certificate load sftp <sshd-ip> <corp-ca-certificate-filename>
tls ca key load sftp <sshd-ip> <corp-ca-private-key-filename>
apply
Please note that for SFTP you should specify the full path of files (example: /home/frank/corp-ca.cert).
Refer to the following documentation sections for further information:
http://www.cacheguard.net/doc/command/tls.html
http://www.cacheguard.net/doc/command/access.html
Best Regards,
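
A pre-flight check that can be run on the SFTP server before the load commands in the reply above, as an added example that is not part of the original thread or of CacheGuard: it confirms that the certificate is a self-issued CA certificate, that the private key belongs to it, and that both paths are absolute. The function names and the throwaway sample CA are assumptions made for illustration; it needs the openssl command-line tool and an unencrypted PEM key.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks on a CA certificate/key pair before loading it.
# Function names are hypothetical; requires the openssl CLI and an unencrypted PEM key.

# The certificate must be a root: subject equals issuer, and CA:TRUE is set.
cert_is_root_ca() {
    local subj iss
    subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null) || return 1
    iss=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null) || return 1
    [ "${subj#subject=}" = "${iss#issuer=}" ] || return 1
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# The private key must belong to the certificate (identical public key).
key_matches_cert() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run every check; both arguments must be full paths, as the SFTP load expects.
preflight() {
    local cert="$1" key="$2"
    case $cert in /*) ;; *) echo "certificate path is not absolute"; return 1 ;; esac
    case $key in /*) ;; *) echo "key path is not absolute"; return 1 ;; esac
    cert_is_root_ca "$cert" || { echo "not a self-issued CA certificate"; return 1; }
    key_matches_cert "$cert" "$key" || { echo "key does not match certificate"; return 1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || { echo "certificate expired"; return 1; }
    echo "ok"
}

# Constructed sample input: a throwaway root CA written into directory $1.
make_sample_ca() {
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3' 'prompt=no' \
        '[dn]' 'CN=Constructed Sample Root' '[v3]' 'basicConstraints=critical,CA:TRUE' > "$1/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/ca.cnf" \
        -keyout "$1/ca.key" -out "$1/ca.cert" 2>/dev/null
}

# Usage: ./preflight.sh /full/path/corp-ca.cert /full/path/corp-ca.key
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```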