The purpose of this article is to provide the steps in order to request a certificate from an Internal Microsoft Certificate Authority PKI and import it appropriately in a ProxySG for further use in SSL Interception.
1. Select Configuration > SSL > Keyrings. Create a new keyring for the ProxySG. Select Show Keypair based on your security policy. Click OK and Apply to save your changes.
2. Edit the keyring created above.
3. Click Create under Certificate Signing Request at the bottom.
4. Fill appropriate information into the request. The Common Name can be set to reflect what users should see if viewing certificate details(e.g. Bluecoat SSL interception) Click OK, then Close, then Apply.
5. Edit the Keyring. At the bottom will now be a certificate signing request (CSR). Copy this text to the clipboard. Click Close.
6. Save this text in a file and give it a name such as proxysg.csr. Click Close.
Complete the following steps using Internet Explorer:
7. In Internet Explorer, open the URL of the Mirosoft Certificate Authority server. Generally, the default URL is http://server/certsrv.
8. Click Request a certificate.
9. Click advanced certificate request.
10. Select Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request using a base-64-encoded PKCS #7 file.
11. (Optional) You may be prompted to install "Microsoft Certificate Enrollment Control ActiveX". Click Accept and continue.
12. In the Saved Request field, copy the CSR created above on the ProxySG. Select Subordinate Certification Authority for the Certificate Template. Click Submit.
13. Depending on the configuration of the CA, you may be issued a certificate immediately, or it may need to be approved by an admin. Once approved, select Base 64 encoded and Download certificate.
14. Click Home in the rop right corner of the page.
15. Click Download a CA certificate, certificate chain, or CRL.
16. Select the appropriate CA Certificate from the list at the top, select Base 64 as the encoding method and click Download CA certificate.
Complete the following steps on the ProxySG:
17. In the Management Console on the ProxySG, select Configuration > SSL > Keyrings. Select the keyring created above and click Edit.
18. Click Import, under Certificate.
19. Paste in the base 64 certificate text download above and click Close and then Apply to save your changes.
20. Next, it will be necessary to add the Root CA and the ProxySG CA certificate to the list of CA certificates on the ProxySG. In the Management Console, go to the CA Certificates tab.(Select Configuration > SSL > CA Certificates)
21. Click Import. Name the CA certificate and paste in the base 64 version of the ProxySG's subordinate CA certificate and click OK and then Apply.
22. Click import. Name the CA Certificate and paste in the Base 64 version of the Root CA Certificate downloaded above and click OK.
23. Next we will add the Root CA, intermediate CA (if applicable), and proxy certificate as a browser trusted CA. Select CA Certificate Lists tab at the top.
24. Select browser-trusted and click Edit.
25. Select the newly added Root CA, intermediate CA (if applicable), and proxy certificate on the left and click Add to move it to the right column. Click OK and then Apply.