When using SSL Visibility with Venafi, configuration steps will need to be taken on the Venafi server. The first is creation of objects.
The following objects will need to be created on the Venafi server:
- Blue Coat SSL Visibility device
- A Certificate object for the SSL Visibility device
- An administrative user
- A Trust Store
- A Certificate Trust Bundle
- Log in to the Venafi Trust Protection Platform GUI using https. Click on Manage > Applications > BlueCoatSSLVisibilityAppliance.
You will then see the properties for the SSL Visibility appliance that are part of the Venafi Application.
- Fill out appropriate information including Contacts, Approvers, etc.
- Click on the Application Credential text box. In the Credential Selector, click the AutoSSLVCredential under the Policy > BlueCoatSSLVisabilityAppliance and click Select.
- Next, click Save at the bottom of the screen.
The next step is to add a new SSL Visibility device.
- Click Add > Devices > Device on the left side of the GUI and add the relevant information:
- Click on the drop down at the end of the Device Credential text box and choose the BlueCoatSSLVisabilityAppliance folder from the Credential Selector text box.
- Click on the folder to open it and then click on the AutoSSLVCredential option and then click Select.
After doing this your Device screen should look like the following example.
- Next, click Save. Your device should then be successfully saved.
The next step is to add the user credentials to access the SSL Visibility appliance from the Venafi GUI.
- Right click on the newly created device and choose Add > Credential > Username Credential.
- Add a user that has rights to manage PKI and manage policy rules. Complete and click Save.
Next a certificate will be added. You can either have the Venafi device get the certificate or manually load the certificate.
- To have the Venafi device log in and get the certificate, right-click on the device then choose Add Certificate.
- Click on the Retrieve Certificate button.
The other way to add the certificate is to manually load the certificate.
- Rright-click on the Blue Coat device object and click on New > Certificate.
- Provide a name for the certificate and a description.
- From within the CSR Handling section choose User Provided CSR and then upload a previously created CSR from your SSL Visibility device.
- Complete the rest of the information on the page and click Save.
Next a Bluecoat SSL Visibility appliance Trust Store will be created.
- Right click on your Blue Coat device and choose Add > Trust Store > Bluecoat SSLVA Trust Store.
- Provide a Certificate Trust Store Name; this is the name that will show up on the SSL Visibility device when the Certificate Trust Bundle is pushed to the SSL Visibility device.
- From within the Certificate Trust Bundles section you can choose your previously created bundles. Be sure to choose your Application Credential as well.
- Finally, clear the Processing Disabled check box at the top of the page in the Status section. You may want to hold off on this step until you are actually prepared to push the bundle.
- When complete, click Save at the bottom of the screen.
You will need to create a new application to be associated with your device.
- Right click on the SSL Visibility device and choose Add > Application > Blue Coat SSLVA. Be sure to choose the certificate you created on the Certificate section of the page.
- In the General section, add the Application Name as well. (Bluecoat SSLv is fine).
Next you need to add the bundle.
- Right click on the SSL Visibility device and choose Add > Certificate Trust Bundle.
- Add your Whitelisted or Blacklisted Certificates.
The last step is to provision the certificate lists to the SSL Visibility appliance.
To do this go back to the Trust Store object and click on the Provision Now button. This will add the bundle lists to the SSL Visibility appliance, where they will be visible in the PKI > Trusted Certificates field.