HTTPS-aware applications, like Internet Browsers, use SSL/TLS protocols to prevent communication with malicious web services.
The SSL/TLS protocols enable applications to verify the identity of remote web services and to encrypt the entire communication, preventing any third party from eavesdropping.
The communication is thus opaque and cannot be inspected or modified by a third-party.
To inspect and/or modify the communication between a client and a server, a proxy server terminates connections.
For handling HTTPS traffic, it must additionally perform SSL Termination.
This requires the proxy server to provide an SSL Certificate for the web service requested by the client.
For seamless user experience, this SSL certificate must be signed by a Trusted Root CA.
Enterprises therefore ensure a Trusted Root CA is installed in the Trusted Root CA Store of the sanctioned web applications, such as Internet Browsers.
The proxy server provides this Trusted Root CA, along with the associated Private Key.
The proxy server then produces the required SSL certificate for any web service and signs it using the provided Certificate-Key pair.
Enterprises that require multiple instances of proxy services to handle large traffic volumes, or geographic spread.
The deployment must also guarantee that each certificate thus created by the proxy servers has a distinct serial number.
The Self-Service Portal for managing your SafeSquid deployments facilitates easy creation of Trusted Root CA Certificates.
You would be required to then share the CA certificate with your enterprise users, or push it via Group Policies, if you have a Microsoft Domain Network.
You may also import an SSL CA Certificate, provided by your existing Enterprise CA Infrastructure.
In such a case, you would not be required to push a Trusted Root CA Certificate.
All SafeSquid instances deployed by you that share the same Product Activation Key shall automatically download the Trusted Root CA certificate.
Each SafeSquid instance shall then produce a sub-CA certificate-key pair, to sign the SSL Certificates for requested web services.
This mechanism ensures each SSL certificate bears a unique serial number, and signature, but only one Trusted Root CA Certificate is to be shared across client applications.
All Certificate-Key pairs are passphrase protected to prevent misuse.
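The layout described above (one root CA for clients, one sub-CA per proxy instance, distinct serial numbers) can be reproduced with the openssl CLI. This is an added example, not SafeSquid's own code: the file names, subjects, hostname and passphrase are constructed, and the random 128-bit serials are an assumption about how uniqueness is achieved.

```shell
#!/bin/sh
# Constructed demo (not SafeSquid's code): one root CA trusted by clients, one
# passphrase-protected sub-CA per proxy instance, one leaf per instance.
set -eu
PASS='pass:constructed-demo-passphrase'   # constructed value
HOST='www.example.com'                    # constructed hostname
WORK=$(mktemp -d); cd "$WORK"

# Minimal config so the demo does not depend on the system openssl.cnf.
printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=unused' \
  '[ca]' 'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign,cRLSign' \
  '[leaf]' 'basicConstraints=CA:FALSE' "subjectAltName=DNS:$HOST" > demo.cnf

new_key() { openssl genrsa -aes256 -passout "$PASS" -out "$1.key" 2048 2>/dev/null; }

# issue NAME SUBJECT EXT_SECTION ISSUER: sign NAME's CSR with ISSUER, random 128-bit serial.
issue() {
  new_key "$1"
  openssl req -new -config demo.cnf -key "$1.key" -passin "$PASS" -subj "$2" -out "$1.csr"
  openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -passin "$PASS" \
    -set_serial "0x$(openssl rand -hex 16)" -days 30 \
    -extfile demo.cnf -extensions "$3" -out "$1.crt" 2>/dev/null
}

# Root CA: the only certificate that has to reach client trust stores.
new_key root
openssl req -x509 -new -config demo.cnf -extensions ca -key root.key -passin "$PASS" \
  -subj '/CN=Demo Enterprise Root CA' -days 30 -out root.crt

# Two proxy instances, each with its own sub-CA, both minting a cert for the same host.
for i in A B; do
  issue "sub$i" "/CN=Demo Proxy $i Sub-CA" ca root
  issue "leaf$i" "/CN=$HOST" leaf "sub$i"
done

serial_of() { openssl x509 -in "$1.crt" -noout -serial; }
# chain_ok LEAF [SUB]: does LEAF verify with only the root trusted, given an optional sub-CA cert?
chain_ok() {
  if [ $# -gt 1 ]; then openssl verify -CAfile root.crt -untrusted "$2.crt" "$1.crt" >/dev/null 2>&1
  else openssl verify -CAfile root.crt "$1.crt" >/dev/null 2>&1; fi
}

chain_ok leafA subA && chain_ok leafB subB && echo "both chains verify against the single root"
chain_ok leafA || echo "leaf without its sub-CA certificate does not verify"
[ "$(serial_of leafA)" != "$(serial_of leafB)" ] && echo "serials differ: $(serial_of leafA) $(serial_of leafB)"
```

A client that trusts only the root can validate either instance's certificate, but only when the issuing sub-CA certificate is supplied alongside the leaf.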
You can access the self-service Portal from https://key.safesquid.com
Log in to your SafeSquid Self-Service Portal account at https://key.safesquid.com to generate the SSL certificate; certificates cannot be generated via SafeSquid's web interface at http://safesquid.cfg/
In your Self-Service Portal, go to the “Manage Certificate” section.
Below are the steps to generate a Self-Signed Certificate.
Enter Passphrase to continue.
Now click on “Generate” to create a new certificate.
Your SSL certificate has been successfully generated.
Click “close”.
Click on the download icon to download your self-signed certificate.
Click on generate to generate a new certificate using your enterprise CA certificate.
If you have already created a self-signed certificate and now you want to update the certificate, then click on re-generate.
Note: Generating new certificates will replace the existing certificates.
Select Enterprise CA
Select “Have Passphrase.”
Now Click on “Drag your file here or click on this area.”
Select your Enterprise CA Files
Enter the passphrase and click on “validate Private Key.”
Select “Retain password” if you want to use the existing passphrase, or select “Do not Retain” and enter a new passphrase.
After selecting the appropriate option, click on upload.
Your SafeSquid’s root certificate has been generated using your enterprise CA certificate.
Download your Enterprise CA certificate using the download button.
Click on generate to generate a new certificate using your enterprise CA certificate.
If you have already created a self-signed certificate and now you want to update the certificate, then click on re-generate.
Note: Generating new certificates will replace the existing certificates.
Select Enterprise CA
Select “Do not have Passphrase.”
Now Click on “Drag your file here or click on this area.”
Select your Enterprise CA Files with passphrase.
Enter a new passphrase and click on “Upload.”
Your SSL certificate has been generated.
Click “Close” and continue.
Download your Enterprise CA certificate using the download button.