How to eliminate the invalid certificate warning pop up when intercepting HTTPS / SSL

Solutions ID:    KB3093
Version:    3.0
Status:    Published
Published date:    07/16/2009
Updated:    10/01/2009
 

Problem Description

SSL certificate warning messages pop up frequently when browsing to HTTPS websites.

Resolution

In this solution, the certificate used for SSL interception is imported into the client browser as a Root Certificate Authority. In this example, we generate a new keyring rather than using the “default” keyring.

1. Creating a new keyring

ProxySG Web Management Console > Configuration > SSL > Keyrings > Create > Provide an appropriate name, for example “sslproxy” > Select “show keypair” (enabling this lets you back up the certificate by allowing the keypair of this keyring to be viewed) > OK

2. Creating a new certificate for the new keyring.

You should now be able to view the new keyring listed on the SSL keyring screen. Click on that new keyring, in this example “sslproxy” > Press edit/view > A new screen will pop up > In the “Certificate” portion > Click “Create” > A new screen will pop up > Vital information required to generate this certificate:

a. Country Code – Internet code for the specific country, e.g. MY for Malaysia
b. Common Name – IP address of the proxy which will be used for SSL intercept.
c. Challenge – Challenge key for the certificate. Keep a record of this, as it will be needed to restore this certificate if a full system recovery is required and you would like to retain the same certificate.
d. Other fields are not compulsory, but it is good to fill them in.

Press OK after filling in all vital information > On the main screen > Press Apply

Please note that “State”, “Country”, “Organization”, “Unit” and “Common Name” must be the same as in the DEFAULT keyring. The Challenge (password) can be modified.


3. Optional step: performing a backup of the certificate and keypair

This requires an SSH or serial console connection to the ProxySG. The keypair portion must be copied starting from -----BEGIN RSA PRIVATE KEY----- through -----END RSA PRIVATE KEY-----. The certificate generated from the keypair can be obtained either through the web management console or through the CLI; below is an example of how to obtain it through the CLI.

ProxySG>
ProxySG>en
Enable Password:
ProxySG#
ProxySG#conf t

Enter configuration commands, one per line.  End with CTRL-Z.

ProxySG#(config)ssl   
ProxySG#(config ssl)view keypair sslproxy
-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQDbSxC+tt3tqrGcJNWDBXaa0fh5U79NKEovmTPyZTB+evWgcST1
..
vUiixBiO5d92S00Q8Qz8AzPrDpUy8/VUhAfqcp4yTlIHsA==
-----END RSA PRIVATE KEY-----

ProxySG#(config ssl)
ProxySG#(config ssl)view certificate sslproxy
-----BEGIN CERTIFICATE-----
MIICLTCCAZagAwIBAgIEFuGXkzANBgkqhkiG9w0BAQQFADBbMQswCQYDVQQGDAJN
...

w3IdGFU2RdaeRV7KehWupg2pLbZpDnUBKmp+0+o2Bxqp
-----END CERTIFICATE-----

4. Importing the certificate to a browser.

In this example, this is done manually in Internet Explorer and Firefox. Before proceeding, have the copy of the certificate saved in the earlier steps available.

     a.    Internet Explorer 6   
    Tools > Internet Options > Content > Certificates > Trusted Root Certification Authorities > Import > Next > Filename > Point to the certificate file saved earlier > Change the file type to all in the Windows Explorer dialog > Next > Next > Finish

     b.    Firefox
    Tools > Options > Encryption > View Certificates > Authorities > Import > Point to the certificate file saved earlier > Check the first option, “Trust this CA to identify web sites”.
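
The following is an added example, not part of the original article or any Blue Coat tooling: a Python sketch that pulls the PEM blocks out of a saved CLI capture from step 3, rejects blocks that were elided or truncated during copy and paste, and prints the certificate fingerprint to compare with the one the browser shows during the import in step 4. The function names and the sample session are assumptions; the sample bytes are constructed and carry valid DER framing only.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*\n(.*?)\n\s*-----END \1-----", re.S)

def der_complete(der: bytes) -> bool:
    """True if der is one ASN.1 SEQUENCE whose declared length equals its size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:  # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F  # long form: the next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def extract_pem_blocks(session: str) -> dict:
    """Map PEM label -> DER bytes for each complete block in a CLI capture."""
    blocks = {}
    for label, body in PEM_RE.findall(session):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # elided ("..") or corrupted base64
            continue
        if der_complete(der):
            blocks[label] = der
    return blocks

def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated hex digest of the DER bytes, as certificate viewers show it."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def _pem(label: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed stand-ins with valid DER framing only; not a real key or certificate.
FAKE_KEY = b"\x30\x81\x80" + bytes(128)
FAKE_CERT = b"\x30\x82\x01\x00" + bytes(range(256))
SESSION = ("ProxySG#(config ssl)view keypair sslproxy\n" + _pem("RSA PRIVATE KEY", FAKE_KEY)
           + "\nProxySG#(config ssl)view certificate sslproxy\n" + _pem("CERTIFICATE", FAKE_CERT))

if __name__ == "__main__":
    for label, der in extract_pem_blocks(SESSION).items():
        print(label, len(der), "bytes", fingerprint(der) if label == "CERTIFICATE" else "")
```

The capture contains the keyring's private key, so store it and any extracted key file with the same protection as the CA itself. Pass the hash algorithm your browser's certificate viewer displays (for example "sha1") as the second argument to fingerprint.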

