4.5.1. Creating SSL inspection certificates based on the company's CA

If one or more certification authorities are already set up in your organization, you can use a certificate issued by your internal CA as the SSL inspection certificate. If your internal CA is trusted by all business users, SSL inspection happens seamlessly and users are not warned about the substituted SSL certificates.

Let's consider an example. Suppose that your organization has an internal CA which is based on Microsoft Enterprise CA and integrated with Active Directory, as shown in the picture below.

[Figure: the organization's internal CA hierarchy (Root CA, Sub CA1, Sub CA2)]

You need Sub CA2 to issue a new CA-type certificate for UserGate (it must be a CA certificate, because UserGate uses it to sign the substituted server certificates) and then configure this certificate as your SSL inspection certificate.

Important! UserGate does not support the rsassaPss (RSASSA-PSS) signature algorithm. Make sure that no certificate in the chain used to create the SSL decryption certificate is signed with this algorithm.

To do this, perform the following steps:


Step 1. Generate a CSR for a new certificate in UserGate

Select Generate --> New CSR, fill in the required fields and generate the CSR. The system creates a private key and a request file; only the request file leaves UserGate. Click Export to download the request file.

Step 2. Create a new certificate based on this CSR

Using Microsoft CA, create a new certificate from the downloaded CSR file, either by running the certreq utility (certreq.exe -submit -attrib "CertificateTemplate:SubCA" HTTPS_csr.pem) or via the web console of Microsoft CA. For more details, please refer to Microsoft's documentation. As a result, you obtain a new certificate (public key) signed by Sub CA2.

Step 3. Download the resulting certificate

Download the certificate (public key) from the web console of Microsoft CA.

Step 4. Upload the certificate to the previously created CSR

In UserGate, select the CSR you created in Step 1 and click Edit. Upload the certificate file and click Save.

Step 5. Specify the certificate as your SSL inspection certificate

In UserGate, select the same CSR again and click Edit. In the Use as field, choose SSL decrypt certificate.

Step 6. Download certificates for the intermediary CAs (Sub CA1 and Sub CA2)

In the web console of Microsoft CA, select and download certificates (public keys) for Sub CA1 and Sub CA2.

Step 7. Upload the certificates for Sub CA1 and Sub CA2 to UserGate

Click Import to add the downloaded certificates for Sub CA1 and Sub CA2 into UserGate.

Step 8. Specify the certificates for Sub CA1 and Sub CA2 as your intermediary SSL inspection certificates

In UserGate, select the uploaded certificates and click Edit. In the Use as field, choose SSL intermediate decrypt certificate for both these certificates.

Step 9. Upload a Root CA certificate to UserGate (optional)

Click Import to upload the root certificate of your organization to UserGate. Then click Edit and select Currently used - SSL inspection (root).
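Before loading the chain into UserGate (Steps 4 to 9), it is worth checking that the certificate issued in Step 2 is really a CA certificate, that it validates through Sub CA2 and Sub CA1 to the root, and that nothing in the chain is signed with rsassaPss (the restriction noted above). The script below is an added example, not UserGate's or Microsoft's code: it builds a constructed hierarchy with the same shape as the figure (Root CA, Sub CA1, Sub CA2, UserGate certificate) using the openssl CLI, plus a deliberately RSASSA-PSS-signed Sub CA2 variant, and runs those three checks against each. It assumes openssl 1.1.1 or later is installed and uses a scratch directory taken from $WORK or mktemp; all file names and CNs (root-ca, sub-ca1, sub-ca2, usergate) are constructed for the demo.

```shell
#!/bin/sh
# Added example (not UserGate's or Microsoft's code). Builds a constructed
# CA hierarchy mirroring the figure with openssl and runs the checks an
# administrator wants before loading the chain into UserGate:
#  1. no certificate in the chain is signed with rsassaPss,
#  2. the SSL inspection certificate has basicConstraints CA:TRUE,
#  3. the chain validates to the root via the intermediates.
# Assumptions: openssl 1.1.1+ on PATH; $WORK is a scratch directory.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# issue_ca SLUG ISSUER_SLUG [extra openssl x509 options]
# Creates $WORK/SLUG.key and $WORK/SLUG.pem as a CA certificate signed by
# ISSUER_SLUG (self-signed when SLUG equals ISSUER_SLUG). Every certificate
# gets CA:TRUE because each must be able to sign other certificates.
issue_ca() {
  slug="$1"; issuer="$2"; shift 2
  cat > "$WORK/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$slug.key" 2>/dev/null
  openssl req -new -key "$WORK/$slug.key" -subj "/CN=$slug" \
    -out "$WORK/$slug.csr" 2>/dev/null
  if [ "$slug" = "$issuer" ]; then
    openssl x509 -req -in "$WORK/$slug.csr" -signkey "$WORK/$slug.key" \
      -days 3650 -extfile "$WORK/ca.ext" -out "$WORK/$slug.pem" "$@" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$slug.csr" -CA "$WORK/$issuer.pem" \
      -CAkey "$WORK/$issuer.key" -CAcreateserial -days 3650 \
      -extfile "$WORK/ca.ext" -out "$WORK/$slug.pem" "$@" 2>/dev/null
  fi
}

# build_demo_chain: Root CA -> Sub CA1 -> Sub CA2 -> UserGate cert (good
# chain), plus a Sub CA2 variant signed with RSASSA-PSS (bad chain).
build_demo_chain() {
  if [ -f "$WORK/usergate-pss.pem" ]; then return 0; fi
  issue_ca root-ca root-ca
  issue_ca sub-ca1 root-ca
  issue_ca sub-ca2 sub-ca1
  issue_ca usergate sub-ca2
  issue_ca sub-ca2-pss sub-ca1 -sigopt rsa_padding_mode:pss
  issue_ca usergate-pss sub-ca2-pss
}

# check_sig_alg CERT: returns 0 unless the certificate is signed with
# rsassaPss, which UserGate does not support.
check_sig_alg() {
  alg=$(openssl x509 -in "$1" -noout -text \
        | awk '/Signature Algorithm/ {print $3; exit}')
  case "$alg" in
    rsassaPss) echo "$1: unsupported signature algorithm $alg"; return 1 ;;
    *)         echo "$1: signature algorithm $alg"; return 0 ;;
  esac
}

# check_is_ca CERT: returns 0 if basicConstraints says CA:TRUE, which the
# SSL inspection certificate needs in order to sign substituted certs.
check_is_ca() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# check_chain LEAF ROOT INTERMEDIATE...: returns 0 if LEAF validates to ROOT
# through the given intermediates (the role Sub CA1 and Sub CA2 play).
check_chain() {
  leaf="$1"; root="$2"; shift 2
  untrusted=""
  for i in "$@"; do untrusted="$untrusted -untrusted $i"; done
  # shellcheck disable=SC2086
  openssl verify -CAfile "$root" $untrusted "$leaf" >/dev/null 2>&1
}

main() {
  build_demo_chain
  for c in root-ca sub-ca1 sub-ca2 usergate; do
    check_sig_alg "$WORK/$c.pem"
    check_is_ca "$WORK/$c.pem" && echo "$c: CA:TRUE"
  done
  check_chain "$WORK/usergate.pem" "$WORK/root-ca.pem" \
    "$WORK/sub-ca1.pem" "$WORK/sub-ca2.pem" && echo "usergate: chain OK"
  # The PSS variant is a valid X.509 chain, yet fails the UserGate check.
  if check_sig_alg "$WORK/sub-ca2-pss.pem"; then
    echo "unexpected: PSS-signed certificate accepted"
  fi
}
main
```

Point the same three functions at the files exported from Microsoft CA (check_is_ca and check_sig_alg on the Step 2 certificate, check_sig_alg on each of Sub CA1, Sub CA2 and the root, and check_chain with the root as CAfile and the two sub CAs as untrusted) to confirm the chain before Steps 4 to 9; the PSS case shows that a chain openssl accepts can still be unusable for SSL inspection.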