Configure SSL intercept for an explicit deployment using a self-signed certificate

book

Article ID: 168173

calendar_today

Updated On:

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

  • You want to configure Symantec ProxySG or Advanced Secure Gateway (ASG) to intercept SSL using a self-signed certificate for increased security.
  • You want to block inappropriate web sites that communicate over SSL in an explicit proxy deployment.
  • You want to view active intercepted HTTPS connections.

Environment

Explicit forward proxy deployment using either explicit browser settings or PAC file.

Resolution

Contents

To set up SSL interception with a self-signed certificate:

  1. Create a keyring
  2. Create a self-signed certificate
  3. View and validate the new certificate
  4. Enable SSL detection for explicit proxy requests
  5. Select the new certificate in the SSL Proxy
  6. Create an SSL policy for HTTPS interception
  7. Download the certificate and import it to the browser
  8. Verify HTTPS interception by ProxySG or ASG from a web browser
  9. Verify HTTPS interception from Active Sessions

Following the steps below are steps to create a keyring, create a self-signed certificate, and install policy via Command Line Interface.

Step 1: Create a keyring

  1. In the Configuration tab, navigate to SSL > Keyrings.
  2. Click Create.
  3. In the Keyring Name field, enter a name, such as "SSL_Self_Signed." We'll use this name in later steps.
  4. Select either Show key pair or Do not show key pair. If you enabled Show key pair, you can move the private key and certificate to another proxy.
  5. For Create a new, set the keyring size. The default is a 1024-bit keyring; you can strengthen it up to a 2048-bit keyring.
  6. Click OK to save the committed settings. The SSL keyring is created.

Step 2: Create a self-signed certificate

  1. Edit the newly-created keyring from the previous step.
  2. Under Certificate, click Create.
  3. Fill in the certificate template. For Common Name (CN), Symantec recommends using something that you can easily identify, such as the host name of ProxySG appliance.

    User-added image
     
  4. Once you have filled out the certificate template, click OK.
  5. Click Save.

See also Create a self-signed certificate from the command line.

Step 3: View and validate the new certificate

  1. Highlight the self-signed certificate, and click Edit.
  2. Verify the common name (CN).
  3. Verify the certificate expiration date. Self-signed certificates are valid for 2 years.

    User-added image

Step 4: Enable SSL detection

  1. In the Configuration tab, navigate to Services > Proxy Services.
  2. In the right pane, select Explicit HTTP, and click Edit.
  3. Check Detect Protocol.
  4. Click OK.
  5. Click Apply.

Step 5: Select the new certificate in the SSL Proxy

  1. In the Configuration tab, navigate to Proxy Settings > SSL Proxy.
  2. Under General Settings, in the Issuer Keyring drop-down, select the newly-created SSL keyring. For this example, we used "SSL_Self_Signed."
  3. Click Apply.

Step 6: Create an SSL policy for HTTPS interception

  1. In the Configuration tab, navigate to Policy > Visual Policy Manager > Launch.
  2. In the Visual Policy Manager, navigate to Policy > Add SSL Intercept Layer.
  3. Right-click in the Action field, and navigate to Set > New > Enable HTTPS Interception.
  4. Check Issuer Keyring, and select the newly-created SSL keyring. For this example, we used "SSL_Self_Signed."
  5. Click OK.
  6. Click Install Policy to save the SSL policy.

Step 7: Download the certificate and import it to the browser

  1. In the Statistics tab, navigate to Advanced > SSL.
  2. Click Download a ProxySG Certificate as a CA certificate.
  3. Click the newly-created, self-signed keyring (e.g. "SSL_Self_Signed"), and save the certificate with a ".cer" format.
  4. You can install the certificate in the browser Trusted Root Certification Authorities, or you can deploy it using Microsoft Group Policy.

    User-added image

See also Eliminate the invalid certificate warning when intercepting HTTPS / SSL.

Step 8: Verify HTTPS interception by ProxySG or ASG from a web browser

  1. Go to https://www.symantec.com, or to any secure website that is being intercepted.
  2. In the web browser's address bar, click the lock icon (red arrow).
  3. Click View Certificate.
  4. Validate that "Issued by" matches the ProxySG common name (CN) in the certificate.

    User-added image

Step 9: Verify HTTPS interception from Active Sessions

  1. In the Statistics tab, navigate to Sessions > Active Sessions.
  2. Verify that HTTPS Fwd is visible for each server connection.

    User-added image

Create a self-signed certificate from the command line


Blue Coat SG Series#conf t
Blue Coat SG Series#(config)ssl
Blue Coat SG Series#(config ssl)create keyring show SSL_Self_Signed 1024 
  ok
Blue Coat SG Series#(config ssl)create certificate SSL_Self_Signed 
  Country code []: US
  State or province []: California
  Locality or city []: Sunnyvale
  Organization name []: Support Services
  Organization unit []: Technical Customer Support
  Common name []: sunnyvale-proxySG300
  Email address []: [email protected]
  Challenge  []: test123
  Company name []: Blue Coat Systems
  Digest type (sha1, sha224, sha256, sha384 or sha512) [sha256]: 
  ok
Blue Coat SG Series#(config ssl)view certificate SSL_Self_Signed
-----BEGIN CERTIFICATE-----
MIIEAzCCA2ygAwIBAgIEKSRkKTANBgkqhkiG9w0BAQsFADCBtTELMAkGA1UEBhMC
VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEZMBcG
A1UEChMQU3VwcG9ydCBTZXJ2aWNlczEjMCEGA1UECxMaVGVjaG5pY2FsIEN1c3Rv
bWVyIFN1cHBvcnQxHTAbBgNVBAMTFHN1bm55dmFsZS1wcm94eVNHMzAwMR4wHAYJ
KoZIhvcNAQkBFg90ZXN0MTIzQDEyMy5jb20wHhcNMTcxMTE1MDAxOTUzWhcNMTkx
MTE1MDAxOTUzWjCBtTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
EjAQBgNVBAcTCVN1bm55dmFsZTEZMBcGA1UEChMQU3VwcG9ydCBTZXJ2aWNlczEj
MCEGA1UECxMaVGVjaG5pY2FsIEN1c3RvbWVyIFN1cHBvcnQxHTAbBgNVBAMTFHN1
bm55dmFsZS1wcm94eVNHMzAwMR4wHAYJKoZIhvcNAQkBFg90ZXN0MTIzQDEyMy5j
b20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALh2j64Zg9C7mTGUFJSJqGq2
XVM8YXCF+7HQlITDVnhMyIbDTdmA2IASwxc6OAD6nnYJ+vY4+aTHsZb9u5hr/Cf/
xZkyp8d8dsAyWTte3RPLFPQzV5RDZnlproSp1jInh7et901V5aCDgp23xlpAD56r
oKEE5xNuC3oAhBv9P6vVAgMBAAGjggEcMIIBGDAdBgNVHQ4EFgQU4xP/NRtUDYwb
MkmXYWAfLzgW0xgwgeUGA1UdIwSB3TCB2oAU4xP/NRtUDYwbMkmXYWAfLzgW0xih
gbukgbgwgbUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYD
VQQHEwlTdW5ueXZhbGUxGTAXBgNVBAoTEFN1cHBvcnQgU2VydmljZXMxIzAhBgNV
BAsTGlRlY2huaWNhbCBDdXN0b21lciBTdXBwb3J0MR0wGwYDVQQDExRzdW5ueXZh
bGUtcHJveHlTRzMwMDEeMBwGCSqGSIb3DQEJARYPdGVzdDEyM0AxMjMuY29tggQp
JGQpMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADgYEAnYFwTxCOmd1T
ZfFxTsM08eOIu6lNWWW6IaLB/Tyy94I+2TTysbJL0pVHgPpnIBEIQ4ja4MVXqmbX
oDkZcKz0U39sr47KaRIvTcJ8Vh+thcDGw6D0qhTIEBzk60YVqlfd2WEu7hKpArkA
G7s1GxogcQ3Ev8Wh9DX/rwo5+MmQ6zY=
--More--        -----END CERTIFICATE-----
 
Blue Coat SG Series#(config ssl)view keyring SSL_Self_Signed
 
Keyring ID:               SSL_Self_Signed
Private key showability:  show
Signing request:          absent
Certificate:              present
Certificate subject:      /C=US/ST=California/L=Sunnyvale/O=Support Services/OU=Technical Customer Support/CN=sunnyvale-proxySG300/[email protected]
Certificate issuer:       /C=US/ST=California/L=Sunnyvale/O=Support Services/OU=Technical Customer Support/CN=sunnyvale-proxySG300/[email protected]
Certificate valid from:   Nov 15 00:19:53 2017 GMT
Certificate valid to:     Nov 15 00:19:53 2019 GMT
Certificate thumbprint:   F0:1C:AF:DF:CD:04:4F:0F:B6:61:F2:77:A8:6A:CC:AF
Keylist membership:
 

 

Search the sysinfo for the existing policy section, and copy out the entire code from "inline policy vpm to end-xxxxxxxx-inline-xml."

In the example below, copy from "inline policy vpm end-xxxxxxxx-inline end-xxxxxxxx-inline-xml" to "end-xxxxxxx-inline-xml" into a text editor, such as Notepad. Replace the SSL Intercept Layer keyring and paste the code back into the CLI.

 


 
Blue Coat SG Series#(config ssl)exit
Blue Coat SG Series#(config)
Blue Coat SG Series#(config)!- END proxies
Blue Coat SG Series#(config)!- BEGIN policy
Blue Coat SG Series#(config)inline policy vpm end-1234567-inline end-1234567-inline-xml
##COPY ENTIRE VPM Policy but edit the SSL Intercept Layer to the new Keyring
;; Tab: [SSL Intercept Layer (1)]
client.address=x.x.x.x/32 ssl.forward_proxy(yes) detect_protocol(yes) ssl.forward_proxy.issuer_keyring("SSL_Self_Signed") ; Rule 1
end-1234567-inline-xml
  ok
Blue Coat SG Series#(config)
Blue Coat SG Series#(config)!- END policy
Blue Coat SG Series#(config)

Attachments