If one or more certification authorities are already set up in your organization, you can use a certificate issued by your internal CA as the SSL inspection certificate. If your internal CA is trusted by all business users, SSL inspection happens seamlessly and users are not notified about substituted SSL certificates.
Let's consider an example. Suppose that your organization has an internal CA based on Microsoft Enterprise CA and integrated with Active Directory, as shown in the picture below.
You need to issue a new CA-type certificate for UserGate from Sub CA2 and then set up this certificate as your SSL inspection certificate.
Important! UserGate does not support the rsassaPss (RSASSA-PSS) signature algorithm. Make sure this algorithm is not used anywhere in the certificate chain used to create the SSL decrypt certificate.
To do this, perform the following steps:

Step | Description
---|---
Step 1. Generate a CSR for a new certificate in UserGate | Select Generate --> New CSR, fill in the required fields, and generate the CSR. The system creates a private key and a request file. Click Export to download the request file.
Step 2. Create a new certificate based on this CSR | Using Microsoft CA, create a new certificate from the downloaded CSR file, either by running the certreq utility: `certreq.exe -submit -attrib "CertificateTemplate:SubCA" HTTPS_csr.pem` or via the Microsoft CA web console. For details, refer to Microsoft's documentation. The result is a new certificate (public key) signed by Sub CA2.
Step 3. Download the resulting certificate | Download the certificate (public key) from the Microsoft CA web console.
Step 4. Upload the certificate to the previously created CSR | In UserGate, select the CSR you created earlier and click Edit. Upload the certificate file and click Save.
Step 5. Specify the certificate as your SSL inspection certificate | In UserGate, select the CSR you created earlier and click Edit. In the Use as field, choose SSL decrypt certificate.
Step 6. Download the certificates of the intermediate CAs (Sub CA1 and Sub CA2) | In the Microsoft CA web console, select and download the certificates (public keys) of Sub CA1 and Sub CA2.
Step 7. Upload the Sub CA1 and Sub CA2 certificates to UserGate | Click Import to add the downloaded Sub CA1 and Sub CA2 certificates to UserGate.
Step 8. Specify the Sub CA1 and Sub CA2 certificates as your intermediate SSL inspection certificates | In UserGate, select the uploaded certificates and click Edit. In the Use as field, choose SSL intermediate decrypt certificate for both certificates.
Step 9. Upload the Root CA certificate to UserGate (optional) | Click Import to upload your organization's root certificate to UserGate. Click Edit and select Currently used - SSL inspection (root).