Add ProxySG certificate into a browser

Article ID: 166277

Products

Advanced Secure Gateway Software - ASG
ProxySG Software - SGOS

Issue/Introduction

When full SSL interception is configured on the proxy via policy, the SG issues the certificate it presents to the client from the keyring defined in the SSL Intercept rule. This happens whenever the client attempts a secure connection over SSL, provided the SG is intercepting that connection and the SSL Intercept rule matches in policy.

This example is for a Forward Proxy (not reverse proxy) deployment.

To stop the browser from issuing "Untrusted" type error messages, install that ProxySG Keyring Certificate into the Browser's trusted list.

 

Resolution

This can be done via the following steps:

  1. Identify the keyring used for interception. In the SG Management Console, browse to "Configuration" tab > "Policy" > "Policy Files" > "View Policy" and click "View". A popup window appears showing ALL the policy installed on the device.

Search for the string "ssl.forward_proxy.issuer_keyring".

In this example, the keyring used in the rule is the DEFAULT keyring:

ssl.forward_proxy(https) ssl.forward_proxy.issuer_keyring(default)

  2. Browse to "Statistics" tab > "Advanced" > "SSL".

Click "Download a ProxySG Certificate as a CA certificate".

Click on the "DEFAULT" keyring and save the certificate in ".cer" format to the desktop or another location.

  3. Install the certificate into the browser.

This can be done manually in Internet Explorer, in Firefox, or for all browsers at the same time.

 

     a.    Internet Explorer

Tools > Internet Options > Content > Certificates > Trusted Root Certification Authorities > Import > Next > Filename > Point to the certificate file saved earlier > Change the file types to All on the Windows Explorer screen > Next > Next > Finish

     b.    Firefox

Tools > Options > Encryption > View Certificates > Authorities > Import > Point to the certificate file saved earlier > Check the first option, "Trust this CA to identify web sites"

 

     c.    All browsers at the same time

On Microsoft Windows

  1. Open Microsoft Management Console (Start > Run > mmc.exe)
  2. Choose File > Add/Remove Snap-in
  3. In the Standalone tab, choose Add
  4. Choose the Certificates snap-in, and click Add
  5. In the wizard, choose the Computer Account, and then choose Local Computer. Press Finish to end the wizard
  6. Close the Add/Remove Snap-in dialog
  7. Navigate to Certificates (Local Computer)
  8. Choose the store to import into
  9. If there is a Root CA certificate for the company that issued the certificate, choose Trusted Root Certification Authorities
  10. If there is a certificate for the server itself, choose Other People
  11. Right-click the store and choose All Tasks > Import
  12. Follow the wizard and provide the certificate file
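
A scripted equivalent of the Windows import steps above, added here as an example and not part of the original article or any vendor tooling: it refuses to import unless the file matches an expected thumbprint, is a CA certificate, and is within its validity period. The function name Import-VerifiedProxyCa, the file path and the thumbprint value are assumptions; Import-Certificate needs an elevated PowerShell prompt.

```powershell
# Added example (not vendor code). Run from an elevated PowerShell prompt.
# Import-VerifiedProxyCa is a hypothetical helper name; the path and thumbprint are operator-supplied.
function Import-VerifiedProxyCa {
    param(
        [Parameter(Mandatory)][string]$Path,               # the .cer file saved in step 2
        [Parameter(Mandatory)][string]$ExpectedThumbprint  # SHA-1 thumbprint obtained out of band
    )
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        (Resolve-Path -LiteralPath $Path).ProviderPath)

    # Normalise "AB:CD ..." style input before comparing with the computed thumbprint.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected"
    }

    # A trust anchor for interception must be a CA certificate (basicConstraints CA=TRUE).
    $raw = $cert.Extensions['2.5.29.19']
    if (-not $raw) { throw 'No basicConstraints extension: not a CA certificate' }
    $bc = [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]::new($raw, $raw.Critical)
    if (-not $bc.CertificateAuthority) { throw 'basicConstraints CA=FALSE: refusing to import' }

    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
    }

    # Skip the import if the same certificate is already in the machine root store.
    $existing = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $cert.Thumbprint
    if ($existing) { return $existing }

    Import-Certificate -FilePath $Path -CertStoreLocation Cert:\LocalMachine\Root
}

# Example call with placeholder values:
# Import-VerifiedProxyCa -Path "$env:USERPROFILE\Desktop\proxysg-default.cer" `
#     -ExpectedThumbprint '<thumbprint from the appliance administrator>'
```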

 

On a Linux distribution

  1. Place the certificate on the machine. The following commands assume that it is located at /root/certificate.cer
  2. As root, run:
  • source /etc/sysconfig/outsystems
  • $JAVA_HOME/bin/keytool -import -alias <alias> -keystore $JAVA_HOME/jre/lib/security/cacerts -file /root/certificate.cer
  (Replace <alias> with a name of your choice for this certificate entry; the -alias option requires a value.)
  3. There will probably be a password prompt. If unchanged, the password is "changeit".
  4. When the tool asks if this certificate should be trusted, answer "yes".
  5. Restart JBoss using the command:
  • service jboss-outsystems restart