How do I Resolve Issues on my ProxySG with the Godaddy Sha1 to Sha2 Crossover?

Article ID: 168411

Products

ProxySG Software - SGOS

Issue/Introduction

You have a reverse proxy with a Godaddy certificate.

Read the attached document from GoDaddy explaining the crossover certificate and the chaining required for it to work across various certificate-equipped devices.

When you check the certificate offered and the certificate path presented using a test utility such as https://www.ssllabs.com/ssltest/, you do not see the proper SHA-1 to SHA-2 crossover. This impacts SHA-1-only clients trying to browse through the reverse proxy.

Cause

By default, the ProxySG appliance is configured to use the CCL (CA Certificate List) named All Root CAs.

Even if you import the GoDaddy crossover cert (hash 34 0B 28 80 F4 46 FC C0 4E 59 ED 33 F5 2B 3D 08 D6 24 29 64), the SSL scan will still reflect the original certificate chain, because the chain the proxy builds is drawn from the CCL assigned to the service.


Resolution

You need to create a custom CCL that contains only the certificates below, and assign that CCL to the reverse proxy service:
  1. Import the GoDaddy crossover cert into the ProxySG appliance. Use the attached Word document to obtain the file, then go to Configuration > SSL > CA Certificates > CA Certificates > Import.
  2. Create a custom CA Certificate List (CCL): Configuration > SSL > CA Certificate > CA Certificate Lists > Create New.
  3. Name the new CA Certificate List.
  4. Add the following CA certificates that already exist on the proxy to the CCL, in addition to the newly imported GoDaddy crossover cert:
    • GoDaddySecureCA-G2
    • Go_Daddy_Class_2_CA
  5. Click Apply.
  6. Go to Configuration > Services, select the SSL Reverse Proxy service and click Edit. The Edit Service dialog displays.
  7. Change the CCL to the new list you created in step 2 above.
  8. Click Apply.
  9. Retest from ssllabs.com or your chosen utility. Your browser or utility may need its cache cleared, as is the case with ssllabs.com. Do that, then confirm the certificate path matches what is expected in the Word document attached to this article.
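The Cause section and step 9 both come down to one question: which chain does the proxy actually send, and does the crossover certificate appear in it? The following script is an added example (not part of this article or of ProxySG) that answers that from the command line using the `openssl` tool, which it assumes is installed. It summarizes each certificate the server presents, checks that each one is issued by the next, and looks for the crossover certificate by the hash quoted above. The host name and the fingerprints and subject names marked "constructed" are placeholders, not captured data.

```python
"""Inspect the certificate chain a TLS endpoint actually sends and report
whether the GoDaddy crossover certificate is part of it.

Added example, not part of the original article or the ProxySG product.
It assumes the `openssl` command line tool is installed; host names and
the fingerprints/subject names marked "constructed" below are placeholders.
"""
import re
import subprocess
import sys

# SHA-1 hash of the crossover certificate as quoted in the article,
# normalized to bare upper-case hex so it can be compared with openssl output.
CROSSOVER_FINGERPRINT = "340B2880F446FCC04E59ED33F52B3D08D6242964"

# openssl x509 output fields we keep, mapped to short record keys.
FIELD_MAP = {"subject": "subject", "issuer": "issuer", "sha1 fingerprint": "sha1"}


def normalize_fingerprint(value):
    """Strip colons/spaces and upper-case a hex fingerprint ('34:0b:28' -> '340B28')."""
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()


def parse_chain_summary(text):
    """Turn the lines printed by
    `openssl x509 -noout -subject -issuer -fingerprint -sha1` for each
    certificate of a chain into a list of {subject, issuer, sha1} dicts,
    in the order the server sent the certificates."""
    certs, current = [], {}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition("=")
        field = FIELD_MAP.get(key.strip().lower())
        if not sep or field is None:
            continue
        if field in current:  # the field repeating means the next certificate began
            certs.append(current)
            current = {}
        current[field] = normalize_fingerprint(value) if field == "sha1" else value.strip()
    if current:
        certs.append(current)
    return certs


def analyze_chain(certs, crossover_fp=CROSSOVER_FINGERPRINT):
    """Check that each certificate is issued by the next one in the chain and
    locate the crossover certificate by its SHA-1 fingerprint (None if absent)."""
    issues = []
    for i in range(len(certs) - 1):
        if certs[i].get("issuer") != certs[i + 1].get("subject"):
            issues.append(f"cert {i} issuer does not match cert {i + 1} subject")
    crossover_index = next(
        (i for i, c in enumerate(certs) if c.get("sha1") == crossover_fp), None
    )
    return {
        "depth": len(certs),
        "ordered": not issues,
        "crossover_index": crossover_index,
        "issues": issues,
    }


def fetch_chain_summary(host, port=443):
    """Pull the chain with `openssl s_client -showcerts` and summarize each
    PEM block with `openssl x509`. Requires network access and openssl."""
    client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-showcerts"],
        input=b"", capture_output=True, timeout=30,
    )
    pems = re.findall(
        r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----",
        client.stdout.decode("utf-8", "replace"), re.S,
    )
    summaries = []
    for pem in pems:
        x509 = subprocess.run(
            ["openssl", "x509", "-noout", "-subject", "-issuer", "-fingerprint", "-sha1"],
            input=pem.encode(), capture_output=True, check=True,
        )
        summaries.append(x509.stdout.decode("utf-8", "replace"))
    return "\n".join(summaries)


# Constructed sample output (not captured from a real proxy). The first chain
# is what the default "All Root CAs" CCL yields: it stops at the SHA-2 G2 CA.
SAMPLE_DEFAULT_CHAIN = """\
subject=CN = www.example.com
issuer=CN = GoDaddySecureCA-G2
SHA1 Fingerprint=AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA
subject=CN = GoDaddySecureCA-G2
issuer=CN = GoDaddyRootCA-G2
SHA1 Fingerprint=BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB
"""

# The second chain is what the custom CCL should produce: the G2 root appears
# as the crossover certificate, itself issued by the Class 2 root.
SAMPLE_CROSSOVER_CHAIN = SAMPLE_DEFAULT_CHAIN + """\
subject=CN = GoDaddyRootCA-G2
issuer=CN = Go_Daddy_Class_2_CA
SHA1 Fingerprint=34:0B:28:80:F4:46:FC:C0:4E:59:ED:33:F5:2B:3D:08:D6:24:29:64
"""


if __name__ == "__main__":
    # With a host argument the live chain is inspected; otherwise the sample is used.
    text = fetch_chain_summary(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CROSSOVER_CHAIN
    print(analyze_chain(parse_chain_summary(text)))
```

Run it as `python check_chain.py proxy.example.com` against the reverse proxy after applying the custom CCL; a report with `crossover_index` set and `ordered` true means the proxy is sending the crossover chain, while `crossover_index: None` reproduces the symptom described in the Cause section. Because the script reads the chain straight from the TLS handshake, it is not affected by the caching that step 9 warns about for ssllabs.com.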

Attachments

GoDaddys SHA2 crossover.docx