4.5.1. Using Corporate CA to Create an SSL Inspection Certificate

If a corporate CA or CA chain already exists in the company, you can specify a certificate issued by the corporate CA as the SSL inspection certificate. If the corporate CA is trusted by all corporate users, SSL interception will be transparent, and users will not get a certificate warning.

Let us consider in more detail how to configure UserGate in this scenario. Suppose that the organization uses a corporate CA based on the Microsoft Enterprise CA integrated into Active Directory. The CA hierarchy is as follows:

Figure 3 - Example hierarchy of a corporate CA

You will need to issue a certificate for UserGate using Sub CA2 and configure it as the SSL inspection certificate. In addition, the UserGate SSL decrypt certificate must be issued as a CA certificate.

Note

UserGate does not support the rsassaPss signature algorithm. Make sure that no part of the certificate chain used to issue the SSL inspection certificate uses this algorithm.

To do the above, follow these steps:

Task

Description

Step 1. Create a CSR in UserGate for the new certificate.

Click Generate --> New CSR. Fill in the relevant fields and create the CSR. A private key and a request file will be created. Download the request file by clicking Export.

Step 2. Create the certificate based on the prepared CSR.

In Microsoft CA, create a certificate based on the CSR file you obtained in the previous step using the certreq utility:

certreq.exe -submit -attrib "CertificateTemplate:SubCA" HTTPS_csr.pem

As an alternative, you can do this using the Microsoft CA web console by selecting the "Subordinate Certification Authority" template. For more details, consult the Microsoft documentation. When the procedure completes, you will obtain the certificate (public key) signed by Sub CA2.

Step 3. Download the resulting certificate.

Download the certificate (public key) you created from the Microsoft CA web console.

Step 4. Upload the certificate to the CSR you created earlier.

In UserGate, select the CSR created earlier and click Edit. Upload the certificate file and click Save.

Step 5. Specify the SSL inspection certificate type.

In UserGate, select the CSR created earlier and click Edit. In the Use as field, specify SSL inspection certificate.

Step 6. Download the certificates for the intermediate CAs (Sub CA1 and Sub CA2).

In the Microsoft CA web console, select and download the certificates (public keys) for Sub CA1 and Sub CA2.

Step 7. Upload the Sub CA1 and Sub CA2 certificates to UserGate.

Click Import and upload the Sub CA1 and Sub CA2 certificates you downloaded in the previous step.

Step 8. Set the "SSL inspection intermediate CA" type for the Sub CA1 and Sub CA2 certificates.

Select the uploaded certificates in UserGate and click Edit. In the Use as field, specify SSL inspection intermediate CA for both certificates.

Step 9. (Optional) Upload the Root CA certificate to UserGate.

Click Import to upload the organization's root certificate to UserGate. Click Edit and specify SSL inspection root CA in the Use as field.
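
To check the rsassaPss restriction from the note before importing the certificates downloaded in Steps 3 and 6, the following added example (not part of the UserGate documentation) reads the signature algorithm OID from each certificate in a PEM bundle and reports the positions of those signed with RSASSA-PSS. The function names and the sample bundle are assumptions of this example; the sample holds constructed DER skeletons, not real certificates.

```python
import base64
import re

RSASSA_PSS = "1.2.840.113549.1.1.10"   # id-RSASSA-PSS, the algorithm UserGate does not support
PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                   # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def decode_oid(raw):
    """Decode OID content bytes into dotted notation."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                # high bit clear marks the last byte of an arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Return the OID in Certificate.signatureAlgorithm of a DER certificate."""
    _, body, _ = read_tlv(der, 0)           # outer Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, body)     # skip tbsCertificate
    _, alg, _ = read_tlv(der, tbs_end)      # AlgorithmIdentifier SEQUENCE
    tag, start, end = read_tlv(der, alg)
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    return decode_oid(der[start:end])

def pss_signed(pem_bundle):
    """Return positions (bundle order) of certificates signed with RSASSA-PSS."""
    return [i for i, b64 in enumerate(PEM.findall(pem_bundle))
            if signature_algorithm(base64.b64decode(b64)) == RSASSA_PSS]

def sample_cert(last):
    """Constructed skeleton (empty tbsCertificate), enough for the parser; not a real cert."""
    der = lambda tag, content: bytes([tag, len(content)]) + content
    oid = der(0x06, bytes.fromhex("2a864886f70d0101") + bytes([last]))
    cert = der(0x30, der(0x30, b"") + der(0x30, oid + b"\x05\x00") + der(0x03, b"\x00"))
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(cert).decode()}\n-----END CERTIFICATE-----\n"

# Constructed chain: sha256WithRSAEncryption, RSASSA-PSS, sha256WithRSAEncryption
SAMPLE_BUNDLE = sample_cert(0x0B) + sample_cert(0x0A) + sample_cert(0x0B)
```

For a real chain, pass the concatenated Base64 (PEM) exports of the UserGate certificate, Sub CA2, Sub CA1 and the root to `pss_signed`; a DER export can be given to `signature_algorithm` directly. Any position returned means that certificate has to be reissued with a different signature algorithm before the chain is imported.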