SSL Proxy might fail after upgrading to SGOS 6.3, 6.4 or 6.5. The following errors are logged in the Event Log:
- Failed to create authority key identifier extension
- unable to get issuer keyid
SGOS 6.3, 6.4 and 6.5 tighten the check that the certificate in the ssl.forward_proxy.issuer_keyring keyring is really a CA certificate: the proxy now requires it to carry the X509v3 Subject Key Identifier and Authority Key Identifier extensions. When SSL Proxy checks for these extensions and finds them missing, interception fails with the errors above. This does not mean that you cannot use a self-signed certificate for SSL interception; it means the issuer certificate, self-signed or CA-signed, must carry these extensions.
To address the problem:
1. Create a new Certificate Signing Request (000008819).
2. Sign the CSR with your Certificate Authority.
3. Import the new certificate into your list of CA certificates (000011775).
Note: It is important that the new certificate you are using for interception carries the following extensions:
X509v3 Subject Key Identifier:
X509v3 Authority Key Identifier:
If you are using XCA (http://xca.sourceforge.net/) to sign your certificate, these extensions can be found under 'Extensions --> Key Identifier'. Check the certificate for both extensions before importing it; a certificate that lacks either one will reproduce the errors above once it is selected as the issuer keyring.
Note: If a new keyring was created in this process, you need to change the SSL Proxy issuer keyring to the new keyring. This can be done in the Management Console GUI - Configuration - Proxy Settings - SSL Proxy - Issuer Keyring.
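The following is an added example, not part of this article or of the SGOS product: it carries out steps 1 to 3 with OpenSSL instead of XCA (create a CSR, sign it with a CA, and check the result for both key identifier extensions before importing it). The root CA, file names, subjects, key sizes and validity periods are assumptions for illustration; substitute your own CA in the signing step. The has_key_identifiers function is the pre-import check: it exits 0 only when both X509v3 Subject Key Identifier and X509v3 Authority Key Identifier are present.

```shell
#!/bin/sh
# Added example (not from the KB article or from SGOS): build a CA-signed
# interception certificate with OpenSSL and verify the two X509v3 extensions
# SGOS 6.3+ requires in the issuer keyring. Names, subjects, sizes and
# validity periods below are assumptions for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Root CA (self-signed). The v3_ca section adds both key identifiers; this
# stands in for "your Certificate Authority" in step 2.
make_root_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = Example Root CA
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -config "$WORK/ca.cnf" 2>/dev/null
}

# Step 1: CSR and private key for the new issuer keyring.
make_csr() {
  cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
CN = proxy.example.test SSL Interception
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/issuer.key" -out "$WORK/issuer.csr" -config "$WORK/req.cnf" 2>/dev/null
}

# Step 2: sign the CSR as a subordinate CA. The extension file is what puts
# subjectKeyIdentifier and authorityKeyIdentifier into the issued certificate.
sign_csr() {
  cat > "$WORK/sub.ext" <<'EOF'
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign, digitalSignature
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer
EOF
  openssl x509 -req -in "$WORK/issuer.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -sha256 -days 1825 -extfile "$WORK/sub.ext" \
    -out "$WORK/issuer.crt" 2>/dev/null
}

# Pre-import check for step 3: succeed (exit 0) only if the certificate
# carries both extensions SGOS looks for.
has_key_identifiers() {
  txt=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$txt" | grep -q 'X509v3 Subject Key Identifier' || return 1
  printf '%s\n' "$txt" | grep -q 'X509v3 Authority Key Identifier' || return 1
  return 0
}

# Signing without any extension file is how an issuer certificate usually ends
# up without key identifiers (older OpenSSL emits a bare v1 certificate here;
# newer releases may add defaults, which is why the check above is run anyway).
sign_csr_without_extensions() {
  openssl x509 -req -in "$WORK/issuer.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -sha256 -days 1825 -out "$WORK/bad.crt" 2>/dev/null
}

main() {
  make_root_ca
  make_csr
  sign_csr
  sign_csr_without_extensions
  for f in ca.crt issuer.crt bad.crt; do
    if has_key_identifiers "$WORK/$f"; then
      echo "$f: OK, has Subject Key Identifier and Authority Key Identifier"
    else
      echo "$f: missing a key identifier extension; SGOS would reject it as issuer keyring"
    fi
  done
  echo "files in $WORK"
}

main "$@"
```

Import issuer.crt (and its private key issuer.key) as the new keyring and make the root CA certificate known to clients; run has_key_identifiers against any certificate you intend to select as the SSL Proxy issuer keyring, including one produced by XCA, before importing it.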