Configure SSL intercept for an explicit deployment using a self-signed certificate
Article ID: 168173

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

  • You want to configure Edge SWG (ProxySG) or Advanced Secure Gateway (ASG) to intercept SSL using a self-signed certificate for increased security.
  • You want to block inappropriate web sites that communicate over SSL in an explicit proxy deployment.
  • You want to view active intercepted HTTPS connections.

Environment

Explicit forward proxy deployment using either explicit browser settings or PAC file.

Resolution

Contents

To set up SSL interception with a self-signed certificate:

  1. Create a keyring
  2. Create a self-signed certificate
  3. View and validate the new certificate
  4. Enable SSL detection for explicit proxy requests
  5. Select the new certificate in the SSL Proxy
  6. Create an SSL policy for HTTPS interception
  7. Download the certificate and import it to the browser
  8. Verify HTTPS interception by ProxySG or ASG from a web browser
  9. Verify HTTPS interception from Active Sessions

After the steps below, a further section shows how to create a keyring, create a self-signed certificate, and install policy via the Command Line Interface.

Step 1: Create a keyring

  1. In the Configuration tab, navigate to SSL > Keyrings.
  2. Click Create.
  3. In the Keyring Name field, enter a name, such as "SSL_Self_Signed." We'll use this name in later steps.
  4. Select either Show key pair or Do not show key pair. If you enabled Show key pair, you can move the private key and certificate to another proxy.
  5. For Create a new, set the keyring size. The default is a 1024-bit keyring; you can strengthen it up to a 2048-bit keyring.
  6. Click OK to save the committed settings. The SSL keyring is created.

Step 2: Create a self-signed certificate

  1. Edit the newly-created keyring from the previous step.
  2. Under Certificate, click Create.
  3. Fill in the certificate template. For Common Name (CN), Symantec recommends using something that you can easily identify, such as the host name of the ProxySG appliance.

    * The information to be entered above is for you and your team/organization/company to determine. It is not something that Broadcom can provide.

  4. Once you have filled out the certificate template, click APPLY.
  5. Click APPLY.
  6. Click Save...
  7. Click Save Changes
  8. Click Close

See also Create a self-signed certificate from the command line.

Step 3: View and validate the new certificate

  1. Click the self-signed certificate hyperlink or edit icon.
  2. Verify the common name (CN).
  3. Verify the certificate expiration date. Self-signed certificates are valid for 2 years.

Step 4: Enable SSL detection

  1. In the Configuration tab, navigate to Services > Proxy Services.
  2. Under the Proxy Services section, select the hyperlink or edit icon for Explicit HTTP.
  3. Check Detect Protocol.
  4. Click APPLY.
  5. Click Save...
  6. Click Save Changes
  7. Click Close.

Step 5: Select the new certificate in the SSL Proxy

  1. In the Configuration tab, navigate to Proxy Settings > SSL Proxy Settings.
  2. Under General Settings, in the Issuer Keyring drop-down, select the newly-created SSL keyring. For this example, we used "SSL_Self_Signed."
  3. Click Save...
  4. Click Save Changes
  5. Click Close

Step 6: Create an SSL policy for HTTPS interception

  1. Click Visual Policy Manager.
  2. In the Visual Policy Manager, click Add Layer, select SSL Intercept Layer, click Add, then OK.
  3. Click in the Action field, and navigate to Set > Add a new object > Enable SSL Interception.
  4. Check Issuer Keyring, and select the newly-created SSL keyring from the drop-down menu. For this example, we used "SSL_Self_Signed."
  5. Click APPLY.
  6. Click Set
  7. Click Apply Policy to save the SSL policy.

Step 7: Download the certificate and import it to the browser

  1. Under the Dashboard tab, navigate to Advanced URLs.
  2. Click SSL, select Download a Certificate as a CA certificate.
  3. Click the newly-created, self-signed keyring (e.g. "SSL_Self_Signed"), and save the certificate with a ".cer" format.
  4. You can install the certificate in the browser Trusted Root Certification Authorities, or you can deploy it using Microsoft Group Policy.

See also Eliminate the invalid certificate warning when intercepting HTTPS / SSL.

Step 8: Verify HTTPS interception by ProxySG or ASG from a web browser

  1. Go to https://www.symantec.com, or to any secure website that is being intercepted.
  2. In the web browser's address bar, click the lock icon.
  3. Click View Certificate.
  4. Validate that "Issued by" matches the ProxySG common name (CN) in the certificate.
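The browser check in Step 8 can also be scripted. The following is an added example, not part of the original article: it opens a CONNECT tunnel through the explicit proxy, wraps it in TLS using the .cer downloaded in Step 7 as the trust anchor (assumed PEM-encoded), and confirms the certificate presented was issued by the proxy's keyring CN. The proxy address, CN and file name are placeholder assumptions.

```python
import socket
import ssl

# Constructed sample in the shape returned by SSLSocket.getpeercert(),
# using the subject/issuer values shown in the article's "view keyring" output.
SAMPLE_INTERCEPTED_CERT = {
    "subject": ((("commonName", "www.symantec.com"),),),
    "issuer": ((("countryName", "US"),), (("stateOrProvinceName", "CA"),),
               (("localityName", "Sunnyvale"),), (("organizationName", "Technical Support"),),
               (("commonName", "sunnyvale-proxySG300"),)),
}

def issuer_common_name(cert):
    """Return the issuer CN from a getpeercert()-style dict, or None if absent."""
    for rdn in cert.get("issuer", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return None

def is_intercepted(cert, proxy_cn):
    """True when the certificate the client sees was issued by the proxy keyring CN."""
    return issuer_common_name(cert) == proxy_cn

def fetch_cert_via_proxy(proxy_host, proxy_port, target_host, ca_file, timeout=10):
    """Tunnel to target_host:443 through an explicit proxy and return the peer cert.
    ca_file is the proxy's self-signed CA (.cer from Step 7, assumed PEM); the TLS
    handshake only succeeds if that CA issued the certificate, i.e. interception is on."""
    raw = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    request = f"CONNECT {target_host}:443 HTTP/1.1\r\nHost: {target_host}:443\r\n\r\n"
    raw.sendall(request.encode())
    response = b""
    while b"\r\n\r\n" not in response:          # read the full CONNECT response header
        chunk = raw.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before responding")
        response += chunk
    status_line = response.splitlines()[0]
    if b" 200 " not in status_line:
        raise ConnectionError(f"CONNECT refused: {status_line!r}")
    ctx = ssl.create_default_context(cafile=ca_file)
    tls = ctx.wrap_socket(raw, server_hostname=target_host)
    try:
        return tls.getpeercert()
    finally:
        tls.close()

if __name__ == "__main__":  # placeholder values; replace with your proxy and keyring CN
    cert = fetch_cert_via_proxy("proxy.example.com", 8080, "www.symantec.com", "SSL_Self_Signed.cer")
    print("intercepted" if is_intercepted(cert, "sunnyvale-proxySG300") else "NOT intercepted")
```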

Step 9: Verify HTTPS interception from Active Sessions

  1. In the Reports tab, navigate to Sessions and click Show.
  2. Verify that HTTPS Fwd is visible for each server connection present.

Create a self-signed certificate from the command line

Blue Coat SG Series#conf t
Blue Coat SG Series#(config)ssl
Blue Coat SG Series#(config ssl)create keyring show SSL_Self_Signed 2048 
  ok
Blue Coat SG Series#(config ssl)create certificate SSL_Self_Signed cn sunnyvale-proxySG300 challenge my_challenge c US state CA city Sunnyvale o "Technical Support" email "[email protected]" company "Symantec by Broadcom" digest SHA256 bc "critical,CA:TRUE"
  ok
Blue Coat SG Series#(config ssl)view certificate SSL_Self_Signed
-----BEGIN CERTIFICATE-----
<truncated for brevity>
-----END CERTIFICATE-----
 
Blue Coat SG Series#(config ssl)view keyring SSL_Self_Signed

Keyring ID:               SSL_Self_Signed
Private key showability:  show
Signing request:          absent
Certificate:              present
Certificate subject:      /C=US/ST=CA/L=Sunnyvale/O=Technical Support/CN=sunnyvale-proxySG300/[email protected]
Certificate issuer:       /C=US/ST=CA/L=Sunnyvale/O=Technical Support/CN=sunnyvale-proxySG300/[email protected]
Certificate valid from:   Mar 13 20:08:33 2025 GMT
Certificate valid to:     Mar 13 20:08:33 2027 GMT
Certificate thumbprint:   88:47:FB:B4:66:36:89:6F:76:8A:E0:A5:0A:07:12:89
Keylist membership:
Search the sysinfo for the existing policy section, and copy out the entire code from "inline policy vpm to end-xxxxxxxx-inline-xml."

In the example below, copy from "inline policy vpm end-xxxxxxxx-inline end-xxxxxxxx-inline-xml" to "end-xxxxxxx-inline-xml" into a text editor, such as Notepad. Replace the SSL Intercept Layer keyring and paste the code back into the CLI.

Blue Coat SG Series#(config ssl)exit
Blue Coat SG Series#(config)
Blue Coat SG Series#(config)!- END proxies
Blue Coat SG Series#(config)!- BEGIN policy
Blue Coat SG Series#(config)inline policy vpm end-1234567-inline end-1234567-inline-xml
##COPY ENTIRE VPM Policy but edit the SSL Intercept Layer to the new Keyring
;; Tab: [SSL Intercept Layer (1)]
 
client.address=x.x.x.x/32 ssl.forward_proxy(yes) detect_protocol(yes) ssl.forward_proxy.issuer_keyring("SSL_Self_Signed") ; Rule 1
end-1234567-inline-xml
  ok
Blue Coat SG Series#(config)
Blue Coat SG Series#(config)!- END policy
Blue Coat SG Series#(config)