Downloadable CA List feature

Solutions ID:    KB4826
Version:    1.0
Status:    Published
Published date:    12/15/2011
 

Problem Description

The Downloadable CA List feature was introduced in SGOS 6.3.

Resolution

When the ProxySG appliance intercepts an HTTPS connection, it terminates the client request and then initiates a new request to the OCS (origin content server).
To validate the certificate presented by the OCS, the ProxySG must have an up-to-date list of trusted CA certificates. The ProxySG appliance uses its built-in browser-trusted CA Certificate List (CCL) for this purpose. In previous SGOS versions, the appliance's list of browser-trusted CAs was updated automatically only upon SGOS upgrade; between upgrades, users could add trusted CA certificates manually.

From SGOS 6.3 onwards, the Downloadable CA List feature is available. The appliance now automatically downloads an updated browser-trusted list of CAs (trust_package.bctp), by default every seven days. This smart download compares the existing browser-trusted list on the appliance to the new list and only modifies CA certificates that have been added or deleted since the last update.

To show the current settings (and some additional information, for example the download error log):


10.91.22.2 - Blue Coat SG210 Series#show security trust-package

Download url: http://appliance.bluecoat.com/sgos/trust_package.bctp
Auto-update: enabled             Auto-update interval: 7 days

Previous (success) install via manual

 Creation time: Wednesday November 30 2011 04:08:01 UTC

 CA Certificate List changes:
         browser-trusted: CAs - 0 added, 0 deleted, 0 modified

 image-validation install: Thursday December 15 2011 01:11:56 UTC

Download log:
        Downloaded at: Thursday December 15 2011 01:16:54 UTC    Failed
        Error status - 951
        Downloaded from: http://appliance.bluecoat.com/sgos/trust_package.bctp

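Because a stale or failed trust package download silently weakens certificate validation on intercepted HTTPS traffic, it is worth monitoring the output above rather than reading it by hand. The following Python script is an added example, not part of this article or of the SGOS software: it parses the "show security trust-package" output (the sample embedded below is the output shown in this article, reproduced as constructed test input), and reports findings a defender would want to alert on. It assumes the output layout is exactly as shown here, that a failed download entry is marked with the word "Failed" as above, and it uses a staleness threshold (twice the auto-update interval) that is a chosen policy, not an SGOS setting.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: the "show security trust-package" output from the
# article, used here so the script runs offline without an appliance.
SAMPLE_OUTPUT = """\
Download url: http://appliance.bluecoat.com/sgos/trust_package.bctp
Auto-update: enabled             Auto-update interval: 7 days

Previous (success) install via manual

 Creation time: Wednesday November 30 2011 04:08:01 UTC

 CA Certificate List changes:
         browser-trusted: CAs - 0 added, 0 deleted, 0 modified

 image-validation install: Thursday December 15 2011 01:11:56 UTC

Download log:
        Downloaded at: Thursday December 15 2011 01:16:54 UTC    Failed
        Error status - 951
        Downloaded from: http://appliance.bluecoat.com/sgos/trust_package.bctp
"""

# Timestamp layout as printed by the appliance in the sample above (assumption:
# the format is the same on every SGOS 6.3 build).
TIME_FMT = "%A %B %d %Y %H:%M:%S UTC"


def utc_datetime(*args):
    """Convenience constructor for timezone-aware UTC datetimes."""
    return datetime(*args, tzinfo=timezone.utc)


def parse_time(text):
    return datetime.strptime(text.strip(), TIME_FMT).replace(tzinfo=timezone.utc)


def parse_trust_package_status(text):
    """Extract the fields a monitoring check cares about from the CLI output."""
    status = {}
    m = re.search(r"^Download url:\s*(\S+)", text, re.M)
    status["url"] = m.group(1) if m else None
    m = re.search(r"^Auto-update:\s*(enabled|disabled)", text, re.M)
    status["auto_update"] = (m.group(1) == "enabled") if m else None
    m = re.search(r"Auto-update interval:\s*(\d+)\s*days?", text)
    status["interval_days"] = int(m.group(1)) if m else None
    # The most recent successfully validated install of a trust package.
    m = re.search(r"^\s*image-validation install:\s*(.+)$", text, re.M)
    status["last_install"] = parse_time(m.group(1)) if m else None
    # Most recent download attempt and its result word ("Failed" in the sample).
    m = re.search(r"^\s*Downloaded at:\s*(.+?UTC)\s+(\S+)\s*$", text, re.M)
    status["last_download"] = parse_time(m.group(1)) if m else None
    status["last_download_result"] = m.group(2) if m else None
    m = re.search(r"^\s*Error status\s*-\s*(\d+)", text, re.M)
    status["error_status"] = int(m.group(1)) if m else None
    return status


def trust_package_findings(status, now, stale_factor=2):
    """Return (code, message) pairs describing conditions worth alerting on."""
    findings = []
    if status["auto_update"] is False:
        findings.append(("auto-update-disabled",
                         "automatic trust package download is disabled"))
    result = status["last_download_result"] or ""
    if result.lower().startswith("fail"):
        findings.append(("download-failed",
                         "last download at %s failed (error status %s)"
                         % (status["last_download"], status["error_status"])))
    if status["last_install"] and status["interval_days"]:
        age = now - status["last_install"]
        limit = timedelta(days=status["interval_days"] * stale_factor)
        if age > limit:
            findings.append(("install-stale",
                             "last validated install is %d days old, more than %d x the %d-day interval"
                             % (age.days, stale_factor, status["interval_days"])))
    return findings


if __name__ == "__main__":
    status = parse_trust_package_status(SAMPLE_OUTPUT)
    for code, message in trust_package_findings(status, datetime.now(timezone.utc)):
        print("%s: %s" % (code, message))
```

In practice the output would be collected over the appliance's management interface (SSH or the HTTPS console) and fed to parse_trust_package_status; the findings can then be forwarded to whatever alerting the operations team already uses. The "Failed" entry with error status 951 in the article's own sample is exactly the kind of condition that otherwise goes unnoticed until a certificate validation failure is investigated.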


To change the download path:


10.91.22.2 - Blue Coat SG210 Series#(config)security trust-package download-path http://10.91.22.102/trust_package.bctp
  ok


Note: The SG appliance can only download and install a trust_package.bctp trust package created by Blue Coat Systems, Inc.


To disable or enable the automatic download entirely:

10.91.22.2 - Blue Coat SG210 Series#(config)security trust-package auto-update disable
  ok
10.91.22.2 - Blue Coat SG210 Series#(config)security trust-package auto-update enable
  ok


To change the default interval of 7 days (accepted values: 1 to 30 days):

10.91.22.2 - Blue Coat SG210 Series#(config)security trust-package auto-update interval 15
  ok


To force a download of the CA list:


10.91.22.2 - Blue Coat SG210 Series#(config)load trust-package
  Downloading from "http://10.91.22.102/trust_package.bctp"
  The trust package has been successfully downloaded.
  trust package successfully installed

