Change the expired self-signed SSL certificate (keyring) used for SSL Interception on the ProxySG

Article ID: 165994

Products

ProxySG Software - SGOS

Issue/Introduction

This article describes how to change an expired self-signed certificate (keyring) used for SSL Interception on the ProxySG.

Resolution

If you want to change the certificate used for SSL Interception, please follow the steps below:

On the ProxySG:

  1. Navigate to Configuration > SSL > Keyrings, create a new Keyring, and click Apply to save the changes.
  2. Edit this new Keyring and click Create New Certificate. Enter the details and click Apply to save the changes.
  3. Click Edit again for the Keyring, and copy the entire content of the Certificate field to the clipboard.
  4. Navigate to Configuration > SSL > CA Certificates and click Import to import the certificate copied in step 3.
  5. Open your Visual Policy Manager and navigate to the SSL Intercept Layer.
  6. Edit your Enable Interception action item, and change the Issuer Keyring to the newly created Keyring.


On the client desktop:

  1. Take a copy of the certificate from the newly created Keyring.
  2. Open Notepad and paste the content into it. Save the file as “Somename.cer”.
  3. Install this certificate as a “Trusted Root Certificate Authority” by double-clicking the file and using the install option.


Notes:

  • This new certificate can then be passed to your Domain Group Policy administrator to add it as a “Trusted Root Certificate Authority” and push it to clients. This will work for IE and Chrome.
  • Since Firefox uses a different certificate cache, you will have to add the new certificate to Firefox separately.
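
Before the saved “Somename.cer” file is installed or handed over for Group Policy distribution, it can be checked for copy/paste damage, for being self-signed, and for remaining validity. The script below is an added example, not part of the original article or any Broadcom tooling; it assumes the OpenSSL command-line tool is available on the workstation, and the function names and sample subject are hypothetical.

```shell
#!/bin/sh
# Added example, not Broadcom tooling. Assumes the OpenSSL CLI is on PATH;
# function names and the sample subject are hypothetical.

# SHA-256 fingerprint, for comparing copies of the file before distribution.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# check_intercept_ca FILE [MIN_DAYS]: returns 0 only if FILE holds exactly one
# parseable PEM certificate that is self-signed and valid for MIN_DAYS more days.
check_intercept_ca() {
    file=$1
    min_days=${2:-30}
    # Pasting through a text editor can drop the BEGIN/END lines or add text.
    if ! openssl x509 -in "$file" -noout 2>/dev/null; then
        echo "FAIL: not a parseable PEM certificate"; return 2
    fi
    if [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$file")" -ne 1 ]; then
        echo "FAIL: expected exactly one certificate in the file"; return 2
    fi
    # A self-signed keyring certificate has identical subject and issuer names.
    subject=$(openssl x509 -in "$file" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$file" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    if [ "$subject" != "$issuer" ]; then
        echo "FAIL: subject and issuer differ, not self-signed"; return 3
    fi
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$file" -noout -checkend 0 >/dev/null; then
        echo "FAIL: certificate has already expired"; return 4
    fi
    if ! openssl x509 -in "$file" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "FAIL: certificate expires within $min_days days"; return 5
    fi
    echo "OK: $subject"
    echo "SHA-256: $(cert_fingerprint "$file")"
}

# Constructed sample input: a throwaway self-signed certificate valid DAYS days.
make_sample_cert() {   # usage: make_sample_cert OUTFILE DAYS
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -days "$2" \
        -subj "/CN=Constructed Interception CA" -out "$1" 2>/dev/null &&
        rm -f "$1.key"
}

# Stand-alone use: sh check_cert.sh Somename.cer 30
[ "$#" -eq 0 ] || check_intercept_ca "$@"
```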