The Downloadable CA List feature was introduced in SGOS 6.3
When the ProxySG appliance intercepts an HTTPS connection, it terminates the client request and then initiates a new request to the origin content server (OCS). The ProxySG must have an up-to-date list of trusted CA certificates to validate the server certificate. The ProxySG appliance uses its built-in browser-trusted CA Certificate List (CCL) for this purpose. In previous SGOS versions, the ProxySG appliance’s list of browser-trusted CAs was updated automatically only on an SGOS upgrade, and users could add trusted CA certificates manually.
From SGOS 6.3, the Downloadable CA List feature is available. The appliance now automatically downloads an updated browser-trusted list of CAs (trust_package.bctp) every seven days by default. This smart download compares the existing browser-trusted list on the appliance to the new list and modifies only the CA certificates that have been added or deleted since the last update.
To show the current settings and some additional information, for example the download error log:
10.91.22.2 - Blue Coat SG210 Series#show security trust-package
Download url: http://appliance.bluecoat.com/sgos/trust_package.bctp
Auto-update: enabled
Auto-update interval: 7 days
Previous (success) install via manual
Creation time: Wednesday November 30 2011 04:08:01 UTC
CA Certificate List changes: browser-trusted: CAs - 0 added, 0 deleted, 0 modified
image-validation install: Thursday December 15 2011 01:11:56 UTC
Download log:
Downloaded at: Thursday December 15 2011 01:16:54 UTC
Failed
Error status - 951
Downloaded from: http://appliance.bluecoat.com/sgos/trust_package.bctp
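The status output above can be checked automatically. The following Python check is an added example, not part of the original article or of Blue Coat's tooling: it parses saved show security trust-package output and reports a disabled auto-update, an unexpected download path, a failed download, or an old package. The one-field-per-line layout of the sample, the expected_url parameter and the 30-day max_age_days threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the fields from the article's output, one per line (layout assumed).
SAMPLE = """\
Download url: http://appliance.bluecoat.com/sgos/trust_package.bctp
Auto-update: enabled
Auto-update interval: 7 days
Creation time: Wednesday November 30 2011 04:08:01 UTC
Download log:
Downloaded at: Thursday December 15 2011 01:16:54 UTC
Failed
Error status - 951
Downloaded from: http://appliance.bluecoat.com/sgos/trust_package.bctp
"""
TIME_FMT = "%A %B %d %Y %H:%M:%S UTC"

def parse_status(text):
    """Pull out the fields the check needs; a field missing from the output is None."""
    def grab(pattern, source=text):
        m = re.search(pattern, source)
        return m.group(1) if m else None
    def when(value):
        return datetime.strptime(value, TIME_FMT) if value else None
    log = text.partition("Download log:")[2]  # only the last download attempt
    interval = grab(r"Auto-update interval:\s*(\d+)")
    return {
        "url": grab(r"Download url:\s*(\S+)"),
        "auto_update": grab(r"Auto-update:\s*(\w+)"),
        "interval_days": int(interval) if interval else None,
        "created": when(grab(r"Creation time:\s*(.+?UTC)")),
        "download_failed": re.search(r"\bFailed\b", log) is not None,
        "error_status": grab(r"Error status - (\d+)", log),
    }

def findings(status, now, expected_url, max_age_days=30):
    """List conditions that can leave the browser-trusted CA list out of date."""
    out = []
    if status["auto_update"] != "enabled":
        out.append("auto-update is not enabled")
    if status["url"] != expected_url:  # expected_url: hypothetical, set by the administrator
        out.append(f"download path is {status['url']}, expected {expected_url}")
    if status["download_failed"]:
        out.append(f"last download failed (error status {status['error_status']})")
    if status["created"] and now - status["created"] > timedelta(days=max_age_days):
        out.append(f"trust package was created {(now - status['created']).days} days ago")
    return out

if __name__ == "__main__":
    url = "http://appliance.bluecoat.com/sgos/trust_package.bctp"
    for line in findings(parse_status(SAMPLE), datetime(2011, 12, 16), url):
        print("WARNING:", line)
```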
To change the download path:
10.91.22.2 - Blue Coat SG210 Series#(config)security trust-package download-path http://10.91.22.102/trust_package.bctp
ok
Note: The SG appliance can only download and install a trust_package.bctp trust package created by Blue Coat Systems, Inc.
To enable or disable the automatic download completely:
10.91.22.2 - Blue Coat SG210 Series#(config)security trust-package auto-update disable
ok
10.91.22.2 - Blue Coat SG210 Series#(config)security trust-package auto-update enable
ok
To change the default 7-day interval (accepted values are from 1 to 30):
10.91.22.2 - Blue Coat SG210 Series#(config)security trust-package auto-update interval 15
ok
To force a download of the CA list:
10.91.22.2 - Blue Coat SG210 Series#(config)load trust-package
Downloading from "http://10.91.22.102/trust_package.bctp"
The trust package has been successfully downloaded.
trust package successfully installed
Imported Document ID: 000009180