Installing a Certificate Signed by an Intermediate CA for SSL Termination

Solutions ID:    KB1327
Version:    4.0
Status:    Published
Published date:    03/02/2009
Updated:    01/26/2012
 

Problem Description

You want help installing a certificate signed by an intermediate CA for SSL termination.

Resolution

VeriSign, Baltimore Technologies, Entrust, Thawte, and other top-level Certification Authorities (CAs) sign their own certificates and have a trusted root certificate that is installed and recognized in all common browsers.


  • VeriSign Root CA
    • Company's Web Site Certificate

Some vendors differ: they are not their own top-level CA and are instead chained off another CA's root. Comodo is one example of this type of certificate.

  • GTE Cybertrust Global CA
    • Comodo Root
      • Company's Web Site Certificate

The installation procedure is the same for any CA that does not sign certificates with a top-level certificate root. It also applies when top-level CAs use intermediate certificates. Many CAs use this method to perform session-based browser encryption-level upgrades for browsers with less than 128-bit native SSL support.

The installation on Blue Coat Systems proxies requires an addition to the standard local (web server) certificate.  The certificate must be combined with the CA certificate and the root CA certificate.

The file looks like this:

-----BEGIN CERTIFICATE-----
MIIFZzCCBE+gAwIBAgIRAIAGPrphtEaf8EIFySc7rjcwDQYJKoZIhvcNAQEFBQAw
gdwxCzAJBgNVBAYTAkdCMRcwFQYDVQQKEw5Db21vZG8gTGltaXRlZDEdMBsGA1UE
...
Local Certificate
...
C4Iahx/8F1hXF7VdyA1Y8NWDkM2+qnA3Cmcq1RhmLE+TsVeCbd+dR6BQfLyDdtSS
SkIjjt/ZjbKR56vRw28C2+hme8wpxnt+ufpjKQVj0f4gzXucOV7SQZ/oq+3J9TGe
IEm/CBAopHFzIqDHyX+7eWA5oY9jpcbxEVPpjegHEshNQekUXxyY3tqgoQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFKjCCBJOgAwIBAgIEAgACmjANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJV
UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJU
...
CA root (intermediate)
...
x0ZnMpLJS/Gn1+BWvPZyEJ1/sHXWnVe1cYWqxDqnS7jsD+bS+P+1zdRFJazqBqeK
tc0yIuQhkhvvzjSuMEQa7pt/8JQRhoqHGQEoOs+z
-----END CERTIFICATE-----

The certificate above would be installed using the standard certificate installation command:

ProxySG#(config ssl)inline certificate <keyring id>

This allows correct SSL termination for certificates signed by non-top-level CAs and allows the trust to be inherited automatically.
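
One way to assemble and sanity-check the combined file before pasting it into the inline certificate command, as an added example that is not Blue Coat's own code. The function names and file names are hypothetical, the demo certificates are constructed throwaway ones, and the order check compares issuer and subject names only; it does not verify signatures.

```shell
#!/bin/sh
# Added example (not Blue Coat code): assemble and check a leaf-first bundle.

# make_demo_chain DIR: constructed throwaway CA + server cert for the demo.
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Intermediate CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -days 1 -CA "$1/ca.pem" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/leaf.pem" 2>/dev/null
}

# build_bundle LEAF INTERMEDIATE OUT: server certificate first, then the
# intermediate; strips CRs and blank lines so the PEM markers never run together.
build_bundle() {
    for f in "$1" "$2"; do
        tr -d '\r' < "$f"
        echo
    done | sed '/^$/d' > "$3"
}

# dn subject|issuer FILE: print that DN of the first certificate in FILE.
dn() {
    openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*= *//'
}

# check_bundle_order BUNDLE: 0 if each certificate's issuer DN equals the
# subject DN of the certificate after it, 1 if not, 2 if no certificate found.
check_bundle_order() {
    tmp=$(mktemp -d) || return 2
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/" n ".pem") }' "$1"
    i=1; rc=0
    [ -f "$tmp/1.pem" ] || rc=2
    while [ -f "$tmp/$((i + 1)).pem" ]; do
        if [ "$(dn issuer "$tmp/$i.pem")" != "$(dn subject "$tmp/$((i + 1)).pem")" ]; then
            echo "certificate $i is not issued by certificate $((i + 1))" >&2
            rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}
```

Source the functions, run build_bundle on the server and intermediate certificates, and paste the resulting file into the inline certificate command only if check_bundle_order returns 0.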

