After configuring SSL interception where the ProxySG's interception certificate is signed by a local PKI certification authority, it is important that the ProxySG trusts every certificate in the certification path, including its own subordinate certificate (the CA certificate signed by the local CA). Without this, the ProxySG will not send the chain of trust to the client: it will send only the certificate in the keyring used for SSL interception and will not send the root and/or intermediate CA certificates. The browsers on the network typically trust only the root and intermediate CAs, not the ProxySG's subordinate certificate specifically, so users will receive untrusted-issuer certificate warnings. To avoid this, the ProxySG must send the full certificate chain of trust.
To accomplish this, ensure the following steps are included in your SSL interception configuration.
Note: These instructions assume you have already configured a keyring with a signed subordinate certificate. See the following article for more information on configuring SSL interception with a subordinate certificate (a form of these steps is included in that article but is often missed):
KB Article ID: 000027760 (How to configure the SSL proxy on the ProxySG for transparent interception using an SSL certificate issued from a Microsoft PKI server)
This article DOES NOT apply to SSL interception deployments where the ProxySG's self-signed certificate is exported to all browsers on the network.
Follow these steps in the Management Console of the ProxySG:
1. Go to Configuration > SSL > Keyrings. (For HSM configurations, go to the command line interface instead and enter the following in enable mode: show ssl hsm-keyring <hsm-keyring-name>. Copy the certificate from the console output and skip to step 6.)
2. Select the keyring that is configured with the subordinate certificate.
3. Click View Certificate.
4. Click the PEM tab.
5. Click Copy To Clipboard.
6. Go to Configuration > SSL > CA Certificates.
7. Give the CA certificate a name (example: ProxySSLInterceptionCert).
8. Click Paste From Clipboard.
9. Click the CA Certificate Lists tab.
10. Select the browser-trusted CCL.
11. Select the newly imported CA certificate (example: ProxySSLInterceptionCert) from the left pane.
If you have multiple keyrings (for example, an HSM configuration with multiple HSM keyrings corresponding to multiple LunaSP appliances), repeat the steps above for each certificate in those keyrings.
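As an added example, not part of this article and not ProxySG code, the following shell script uses the openssl command line tool to build a throwaway PKI with the same shape as the deployment described above (a local root CA, a subordinate CA certificate issued to the proxy, and an emulated server certificate minted by the proxy) and then verifies the emulated certificate from the viewpoint of a client that trusts only the root. The first check models the proxy sending only the keyring certificate and fails with "unable to get local issuer certificate", which is the untrusted-issuer warning users see; the second passes the subordinate certificate as an untrusted intermediate, which is what a browser receives once the ProxySG sends the chain. All names, file paths and the www.example.com host are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the KB article): throwaway PKI mirroring
#   local root CA -> ProxySG subordinate CA -> emulated server certificate
# All subjects and file names below are constructed placeholders.

make_pki() {
    dir="$1"
    mkdir -p "$dir"
    # Extensions for CA certificates (root and subordinate).
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    # Extensions for the emulated server (leaf) certificate.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > "$dir/leaf.ext"

    # Local PKI root CA: the only CA the browsers are assumed to trust.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/root.key" -out "$dir/root.csr" \
        -subj "/CN=Example Corp Root CA/O=placeholder" >/dev/null 2>&1
    openssl x509 -req -days 365 -sha256 -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/ca.ext" -out "$dir/root.crt" >/dev/null 2>&1

    # Subordinate CA certificate issued to the proxy by the root (the keyring certificate).
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/sub.key" -out "$dir/sub.csr" \
        -subj "/CN=ProxySG SSL Interception CA/O=placeholder" >/dev/null 2>&1
    openssl x509 -req -days 365 -sha256 -in "$dir/sub.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/sub.crt" >/dev/null 2>&1

    # Emulated server certificate the proxy mints for an intercepted site.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
        -subj "/CN=www.example.com" >/dev/null 2>&1
    openssl x509 -req -days 30 -sha256 -in "$dir/leaf.csr" -CA "$dir/sub.crt" -CAkey "$dir/sub.key" \
        -CAcreateserial -extfile "$dir/leaf.ext" -out "$dir/leaf.crt" >/dev/null 2>&1
}

# Scenario 1: the proxy sends only the keyring certificate. The client trusts the
# root but never sees the subordinate, so chain building stops at the leaf.
# Returns non-zero (openssl: "unable to get local issuer certificate").
verify_leaf_only() {
    openssl verify -no-CApath -CAfile "$1/root.crt" "$1/leaf.crt" >/dev/null 2>&1
}

# Scenario 2: the proxy sends leaf + subordinate, which is what the CCL fix achieves.
# -untrusted models the intermediate arriving in the TLS handshake rather than
# living in the client's trust store. Returns zero (openssl: "OK").
verify_with_chain() {
    openssl verify -no-CApath -CAfile "$1/root.crt" -untrusted "$1/sub.crt" "$1/leaf.crt" >/dev/null 2>&1
}

# Stand-alone run: build the PKI and report both scenarios.
demo() {
    d=$(mktemp -d)
    make_pki "$d"
    if verify_leaf_only "$d"; then echo "leaf only: OK (unexpected)"; else echo "leaf only: FAILED, browser would warn"; fi
    if verify_with_chain "$d"; then echo "leaf + subordinate: OK"; else echo "leaf + subordinate: FAILED (unexpected)"; fi
    rm -rf "$d"
}

demo
```

The same check can be run against a live intercepting proxy with openssl s_client -showcerts: if the output lists only one certificate (depth 0) and reports "unable to get local issuer certificate", the proxy is not sending the subordinate CA certificate and the CCL steps above have not taken effect.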
Imported Document ID: 000029516