Downloadable CA List feature
Article ID: 165702

Products

ProxySG Software - SGOS

Issue/Introduction

The Downloadable CA List feature was introduced in SGOS 6.3.

Resolution

When the ProxySG appliance intercepts an HTTPS connection, it terminates the client request and then initiates a new request to the OCS.
The ProxySG must have an up-to-date list of trusted CA certificates to perform certificate validation. The ProxySG appliance uses its built-in browser-trusted CA Certificate List (CCL) for this purpose. In previous SGOS versions, the appliance's list of browser-trusted CAs was updated automatically only on an SGOS upgrade; beyond that, users could manually add trusted CA certificates.

From SGOS 6.3 the Downloadable CA List feature is available. The appliance now automatically downloads an updated browser-trusted list of CAs (trust_package.bctp) every seven days by default. This smart download compares the existing browser-trusted list on the appliance with the new list and only modifies CA certificates that have been added or deleted since the last update.

To show the current settings (and additional information, for example the download error log):

10.91.22.2 - Blue Coat SG210 Series#show security trust-package

Download url: http://appliance.bluecoat.com/sgos/trust_package.bctp
Auto-update: enabled             Auto-update interval: 7 days

Previous (success) install via manual

 Creation time: Wednesday November 30 2011 04:08:01 UTC

 CA Certificate List changes:
         browser-trusted: CAs - 0 added, 0 deleted, 0 modified

 image-validation install: Thursday December 15 2011 01:11:56 UTC

Download log:
        Downloaded at: Thursday December 15 2011 01:16:54 UTC    Failed
        Error status - 951
        Downloaded from: http://appliance.bluecoat.com/sgos/trust_package.bctp



To change the download path:


10.91.22.2 - Blue Coat SG210 Series#(config)security trust-package download-path http://10.91.22.102/trust_package.bctp
  ok


Note: The SG appliance can only download and install a trust_package.bctp trust package created by Blue Coat Systems, Inc.


To enable/disable the automatic download completely:

10.91.22.2 - Blue Coat SG210 Series#(config)security trust-package auto-update disable
  ok
10.91.22.2 - Blue Coat SG210 Series#(config)security trust-package auto-update enable
  ok


To change the default 7-day interval (accepted values are 1 to 30 days):

10.91.22.2 - Blue Coat SG210 Series#(config)security trust-package auto-update interval 15
  ok


To force a download of the CA list:


10.91.22.2 - Blue Coat SG210 Series#(config)load trust-package
  Downloading from "http://10.91.22.102/trust_package.bctp"
  The trust package has been successfully downloaded.
  trust package successfully installed
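As an added example (not from the article or from Blue Coat), the Python check below parses the `show security trust-package` output shown above and flags the conditions that leave an appliance with a stale browser-trusted CA list: auto-update disabled, an interval above the 7-day default, a failed last download, or an install older than a chosen threshold. The sample output, the parse_utc/audit helper names and the 14-day staleness threshold are constructed for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the shape of the `show security trust-package` output
# quoted in the article (hypothetical values, not captured from a live appliance).
SAMPLE_OUTPUT = """\
Download url: http://appliance.bluecoat.com/sgos/trust_package.bctp
Auto-update: enabled             Auto-update interval: 7 days
Previous (success) install via manual
 Creation time: Wednesday November 30 2011 04:08:01 UTC
 image-validation install: Thursday December 15 2011 01:11:56 UTC
Download log:
        Downloaded at: Thursday December 15 2011 01:16:54 UTC    Failed
        Error status - 951
        Downloaded from: http://appliance.bluecoat.com/sgos/trust_package.bctp
"""

def parse_utc(stamp):
    """Parse a timestamp in the appliance's 'Weekday Month DD YYYY HH:MM:SS UTC' form."""
    return datetime.strptime(stamp.strip(), "%A %B %d %Y %H:%M:%S %Z").replace(tzinfo=timezone.utc)

def parse_trust_package_status(text):
    """Pull the settings and the last download result out of the CLI output."""
    s = {}
    m = re.search(r"^Download url:\s*(\S+)", text, re.M)
    s["url"] = m.group(1) if m else None
    m = re.search(r"Auto-update:\s*(\w+)\s+Auto-update interval:\s*(\d+) days", text)
    s["auto_update"] = bool(m) and m.group(1) == "enabled"
    s["interval_days"] = int(m.group(2)) if m else None
    m = re.search(r"install:\s*(.+ UTC)", text)          # the image-validation install line
    s["last_install"] = parse_utc(m.group(1)) if m else None
    m = re.search(r"Downloaded at:\s*(.+ UTC)\s+(\w+)", text)
    s["last_download_failed"] = bool(m) and m.group(2) == "Failed"
    m = re.search(r"Error status - (\d+)", text)
    s["error_status"] = int(m.group(1)) if m else None
    return s

def audit(status, now=None, max_age_days=14):
    """Return the findings a defender would want raised for this appliance."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if not status["auto_update"]:
        findings.append("auto-update disabled: CA list changes only on SGOS upgrade or manual load")
    elif status["interval_days"] and status["interval_days"] > 7:
        findings.append(f"auto-update interval {status['interval_days']} days exceeds the 7-day default")
    if status["last_download_failed"]:
        findings.append(f"last trust package download failed (error status {status['error_status']})")
    if status["last_install"] and (now - status["last_install"]).days > max_age_days:
        findings.append(f"installed trust package is older than {max_age_days} days")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_trust_package_status(SAMPLE_OUTPUT)):
        print(finding)
```

Run it against the real output of `show security trust-package` (pasted from the CLI) to turn the appliance's download log into a monitoring check.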