
Skyhigh Security

Deploy a Trusted CA to your Clients

Introduction

This guide discusses the process for deploying a certificate authority into your environment. This certificate authority is used by the Web Gateway to perform HTTPS Inspection for secure websites. The process of deploying a certificate authority in Web Gateway consists of two basic steps:

  1. Generating the certificate authority (CA)
  2. Establishing trust between the clients and the certificate authority. More information on certificate authorities themselves and their function can be found here ( ).

NOTE: You MUST use a non-default Certificate Authority in production. The CA in place by default is the same one used on all SWGs, so any client that trusts it will also accept certificates signed with that shared key by any other appliance or by anyone who holds it. It is a major security risk to use the default CA!

How do I replace my default Certificate Authority?

There are many ways to obtain a certificate authority; the recommended methods are:

  • Generate a certificate on the Web Gateway through the GUI (simplest; instructions below).
  • Generate a certificate via a Microsoft CA.

Generating Via the Web Gateway

This example shows how to generate a Certificate Authority via the Skyhigh Security Web Gateway.

Follow along with the screenshots below the instructions:

  1. Select "Policy"
  2. Select the "Settings" tab near the top left.
  3. Expand Engines> SSL Client Context With CA
  4. Select "Default CA"
  5. Select "Generate", fill in the relevant fields, then click OK.
  6. Select "Export" and save with a .cer extension.

How do I import and trust the certificate authority in my browser?

Internet Explorer/Chrome Automated Enterprise-Wide Import via GPO

You can use Active Directory Group Policy Objects (GPO) to import certificates into your Internet Explorer certificate store. These instructions are for Server 2008.

Use the KB from Microsoft to assist in navigating to the GPO in your domain: Open Group Policy from Active Directory Users and Computers.

NOTE: Any application which does not use the Internet Explorer certificate store must have the certificate imported manually per user and client. GPO Imports only apply for applications using the IE certificate store.

Once you have the GPO open that you wish to edit, continue to follow the instructions below:

  1. Navigate to Computer Configuration, Windows Settings, Security Settings, and Public Key Policies.
  2. Right-click Trusted Root Certificate Authorities and select Import.
  3. Complete the wizard to import the previously exported public Certificate Authority certificate.
  4. Exit the Group Policy Object Editor.
  5. Navigate to Start > Run > cmd.
  6. Type gpupdate /force at the command prompt. This refreshes the GPO.
  7. Log out and log back into the domain.
  8. Navigate to Start > MMC > Certificates.
  9. Expand the Trusted Root Certificate Authorities store. You should see the certificate.

Internet Explorer/Chrome Manual Import

If you are unable to use GPO, follow the instructions below to manually import the certificate into the Internet Explorer certificate store:

NOTE: This process must be done per user and client. This also only works for applications that are using the Certificate Store.

  1. Open the "run" dialog window on whichever version of Windows you are using.
  2. Type "certmgr.msc" and click "OK"
  3. Right click "Trusted Root Certification Authorities" and hover over "All Tasks".
  4. Select "Import"
  5. On the Certificate Import Wizard welcome page, click Next.
  6. Click Browse and navigate to where you stored the WebProtectionCertificate.cer file.
  7. Click Next.
  8. Select Automatically select the certificate store based on the type of certificate.
  9. Click Next.
  10. Click Finish. A message indicating a successful import appears.
  11. Close all open windows.
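Scripted equivalent of the import in the GPO procedure and the manual certmgr.msc procedure above, as an added example that is not part of the Skyhigh article: it loads the .cer exported from the Web Gateway, refuses anything that is not a self-signed CA certificate or that does not match the thumbprint you recorded when the CA was generated, imports it into the machine-wide Trusted Root store with certutil, and then verifies the store. The file path and the thumbprint value are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the Skyhigh article: scripted import of the CA exported from the
# Web Gateway into the machine-wide Trusted Root store, with checks before and after.
# Assumptions: the path below, and the thumbprint you recorded when the CA was generated.
$CerPath            = 'C:\certs\WebProtectionCertificate.cer'   # file exported in step 6 of "Generating Via the Web Gateway"
$ExpectedThumbprint = 'REPLACE-WITH-YOUR-CA-SHA1-THUMBPRINT'     # placeholder; compare against your real CA

# Load the certificate and show what is about to become a trusted root.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
$cert | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint

# Guard 1: the file must be the CA you generated, not the default or a stray certificate.
$want = $ExpectedThumbprint.ToUpper().Replace(' ', '')
if ($cert.Thumbprint -ne $want) {
    throw "Thumbprint $($cert.Thumbprint) does not match the expected CA thumbprint."
}

# Guard 2: it must be a self-signed CA certificate (BasicConstraints CA=TRUE, OID 2.5.29.19).
$bc = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "$CerPath is not a CA certificate; refusing to add it to Trusted Root."
}
if ($cert.Subject -ne $cert.Issuer) {
    throw 'Expected a self-signed root CA, but subject and issuer differ.'
}

# Import into LocalMachine\Root (machine-wide, unlike the per-user certmgr.msc wizard).
# Requires an elevated prompt; -f overwrites an older copy of the same certificate.
certutil.exe -addstore -f Root $CerPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }

# Verify, as in step 9 of the GPO procedure, that the certificate is now in the store.
$installed = Get-ChildItem Cert:\LocalMachine\Root |
             Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if ($installed) {
    "Trusted root installed: $($installed.Subject)"
} else {
    throw 'Import reported success but the certificate is not in Trusted Root.'
}
```

Applications that use the IE certificate store, including Chrome, read LocalMachine\Root, so this covers every user on the machine; Firefox still needs its own import as described below.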

Alternative Method for Internet Explorer

You could also import the Certificate Authority manually from within Internet Explorer. Go to Tools > Internet Options > Content > Certificates, click the 'Trusted Root Certification Authorities' tab and press the Import button.

Firefox Manual Import

Since Firefox doesn't use the IE certificate store, each user must manually import the SWG CA's public certificate into the Firefox certificate store. This limitation is by design of the Firefox browser and is not specific to SWG. The steps below import the certificate through the Firefox browser itself.

NOTE: This process must be done for each user and client. This also only works for Firefox.

  1. From the Tools menu, select Options.
  2. Click "Advanced".
  3. Click "Encryption".
  4. Click "View Certificates".
  5. Click "Import".
  6. Navigate to where you stored the WebProtectionCertificate.cer file.
  7. Select "Trust this CA to identify websites".
  8. Click "OK" and close all open windows.

Importing/Exporting a Certificate Authority on Mac OS 10.7

Follow the link below for documentation on how to Import/Export on Mac OS 10.7: http://www.digicert.com/ssl-support/...mac-server.htm

Include Download Link on Blockpage

Web Gateway can host the CA certificate on the block page, enabling users to install certificates themselves if needed. To host the certificate in the block pages we'll perform the following:

  1. Export the CA certificate, save it as "ssl_ca.crt" (it must have a file extension .crt, .cer, or .der)
  2. Upload the certificate to your template collection into a folder called "certs"


  3. Create the link to the certificate using the example below (the second variant wraps the same link in a div so it can be dropped into a footer):
<a href="$<propertyInstance useMostRecentConfiguration="false"
propertyId="com.scur.engine.system.proxy.enduserurl"/>$/files/$<propertyInstance
useMostRecentConfiguration="false"
propertyId="com.scur.engine.proxy.message.collection"/>$/certs/ssl_ca.crt">Click here
to download</a>

<!-- CA Cert Download -->
<div id="caFooter" style="text-align:left;" >
<a href="$<propertyInstance useMostRecentConfiguration="false"
propertyId="com.scur.engine.system.proxy.enduserurl"/>$/files/$<propertyInstance
useMostRecentConfiguration="false"
propertyId="com.scur.engine.proxy.message.collection"/>$/certs/ssl_ca.crt">Click here to download the CA
Certificate.</a>
</div>
<!-- /CA Cert Download -->

  4. Put the link into your header/footer, or into specific templates.

  5. Implement a certificate check on the block page that tests whether the browser trusts the CA. The snippet below loads a hidden image over HTTPS through the gateway; when the browser does not trust the inspection CA the load fails, and the onerror handler calls caCert(), which writes the warning icon (icon_cacert.gif, uploaded to the img folder of the template collection) and the download link into the caFooter div. When the CA is trusted, nothing is shown.

<!-- CA Cert Check -->
<script>
function caCert(){
  document.getElementById("caFooter").innerHTML = '<img src="$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.proxy.enduserurl"/>$/files/$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.proxy.message.collection"/>$/img/icon_cacert.gif"/> CA Certificate not installed. ';
  document.getElementById("caFooter").innerHTML += '<a href="$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.proxy.enduserurl"/>$/files/$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.proxy.message.collection"/>$/certs/ssl_ca.crt">Click here to download</a>';
}
</script>
<div id="caFooter" style="text-align:left;">
<!-- The src of the probe image is not preserved in this copy of the snippet: use any HTTPS URL that the Web Gateway inspects, so the load fails exactly when the CA is untrusted. -->
<img style="display:none" src="https://REPLACE-WITH-AN-HTTPS-URL-INSPECTED-BY-THE-GATEWAY/check.gif" onerror="caCert()"/>
</div>
<!-- /CA Cert Check -->


Conclusion

By now you should understand what Certificate Authorities are used for and the process for importing them into your environment to work with the SSL Scanner.
