Setting up SSL certificates from Self Service Portal

Overview

HTTPS-aware applications, such as Internet browsers, implement the SSL/TLS protocols to prevent inadvertent communication with a mala fide web service.
The SSL/TLS protocols enable applications to verify the identity of remote web services and to encrypt the entire communication, preventing any third party from eavesdropping.
In response to the SSL Handshake initiated by the client application, the remote web service submits identification using a Digital Server (SSL/TLS) Certificate.
The client application maintains stores of CA certificates representing various Trusted Root Certification Authorities.
Unless explicitly trusted, the client application checks if the server certificate is signed by a Trusted Root CA.
The Trusted Root CA binds the server certificate to a set of FQDNs, and ensures each signed certificate bears a unique serial number.
After verification, the client proceeds with the normal HTTP protocol, but the communication is encrypted based on the parameters agreed during the SSL handshake and the server certificate. The communication is thus opaque and cannot be inspected or modified by a third party.
To inspect and/or modify the communication between a client and server, a proxy server terminates connections.
For handling HTTPS traffic, it must additionally perform SSL Termination.
This requires the proxy server to provide an SSL Certificate for the web service requested by the client.
For seamless user experience, this SSL certificate must be signed by a Trusted Root CA.
Enterprises therefore ensure a Trusted Root CA is installed in the Trusted Root CA Store of the sanctioned web applications, such as Internet Browsers.
The proxy server is provided this Trusted Root CA, along with the associated Private Key.
The proxy server then produces the required SSL certificate for any requested web service and signs it using the provided Certificate-Key pair.
Enterprises may require multiple instances of proxy services to handle large traffic volumes or geographic spread.
Such a deployment must also guarantee that each certificate created by the proxy servers has a distinct serial number.
You would then be required to share the CA certificate with your enterprise users, or push it via Group Policies if you have a Microsoft Domain Network.
You may also import an SSL CA Certificate, provided by your existing Enterprise CA Infrastructure.
In such a case you would not be required to push a Trusted Root CA Certificate.
All SafeSquid instances deployed by you that share the same Product Activation Key shall automatically download the Trusted Root CA certificate.
Each SafeSquid instance shall then produce a sub-CA certificate-key pair, to sign the SSL Certificates for requested web services.
This mechanism ensures each SSL certificate bears a unique serial number, and signature, but only one Trusted Root CA Certificate is to be shared across client applications.
All Certificate-Key pairs are passphrase protected to prevent misuse.
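The one-root, one-sub-CA-per-instance arrangement described above can be reproduced in a throwaway lab with the openssl CLI. This is an added example, not SafeSquid's own code or procedure: the names Demo Root CA, proxy-a, proxy-b and www.example.test are constructed, and the lab keys are left unencrypted, unlike the passphrase-protected pairs described above.

```shell
# Constructed lab: one shared root CA, one sub-CA per proxy instance.
# Every name here (Demo Root CA, proxy-a, proxy-b, www.example.test) is made up.
init_lab() {  # $1 = empty work dir; writes a minimal config and the shared root CA
  cat > "$1/x.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
EOF
  openssl req -x509 -config "$1/x.cnf" -extensions ca -newkey rsa:2048 -nodes \
    -days 30 -subj "/CN=Demo Root CA" -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null
}

sign() {  # $1 dir, $2 issuer file stem, $3 subject file stem, $4 CN, $5 extension section
  openssl req -new -config "$1/x.cnf" -newkey rsa:2048 -nodes -subj "/CN=$4" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -set_serial "0x$(openssl rand -hex 16)" -days 30 \
    -extfile "$1/x.cnf" -extensions "$5" -out "$1/$3.crt" 2>/dev/null
}

# One proxy instance: its own sub-CA under the root, then a leaf for the requested site.
# Prints the leaf serial; fails unless the leaf verifies with ONLY the root trusted.
instance_leaf_serial() {  # $1 dir, $2 instance name
  sign "$1" root "$2-subca" "Demo Sub-CA $2" ca &&
  sign "$1" "$2-subca" "$2-leaf" "www.example.test" leaf &&
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/$2-subca.crt" \
    "$1/$2-leaf.crt" >/dev/null 2>&1 &&
  openssl x509 -in "$1/$2-leaf.crt" -noout -serial
}

leaf_issuer() {  # $1 dir, $2 instance name; shows which sub-CA signed the leaf
  openssl x509 -in "$1/$2-leaf.crt" -noout -issuer
}

# Two instances serve the same site: different issuers and serials, one trusted root.
lab=$(mktemp -d) && init_lab "$lab" &&
for i in proxy-a proxy-b; do
  instance_leaf_serial "$lab" "$i" && leaf_issuer "$lab" "$i"
done
rm -rf "$lab"
```

Both leaf certificates validate against the single root, while each carries its own random serial and the issuer name of the instance that minted it.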

Access the Self-Service Portal

Login to the Self-Service Portal https://key.safesquid.com
The Self-Service Portal for managing your SafeSquid deployments, facilitates easy creation of Trusted Root CA Certificates.
interface of self service portal
clicking on manage certificate

Generate SafeSquid Certificate using Self-Signed Certificate.

Note: When you see "Generate" button it means that SafeSquid's SSL certificate has not been generated yet.
clicking on generate
Note: The passphrase entered in step #3 is non-recoverable. Remember to save the passphrase in case you want to reuse the same certificate with a different activation key.
selecting general self signed and entering passphrase for self signed certificate and clicking on generate
clicking on close to continue

Generate SafeSquid Certificate using Enterprise CA Certificate.

With a Passphrase

Generating SafeSquid certificate using an enterprise CA certificate which has a passphrase.
clicking on regenerate, uploading the enterprise CA cert and selecting have passphrase option
selecting CA cert files
entering the passphrase and clicking on validate private key
selecting retain password and clicking on upload
clicking on close to continue

Without Passphrase

clicking on regenerate, uploading the enterprise CA cert and selecting does not have passphrase option
selecting the CA cert files
Note: The passphrase entered in step #6 is non-recoverable. Remember to save the passphrase in case you want to reuse the same certificate with a different activation key.
entering new passphrase and clicking on upload
clicking on close to continue

Downloading your Certificate.

From Self Service Portal

Click on “Download” to download your certificate
clicking on download to download your self signed certificate

From your web interface

Refer to the link below for how to download the SSL certificate from your web interface.
https://help.safesquid.com/portal/en/kb/articles/download-ssl-certificate-from-interface

Overview

This article shows how to download the SafeSquid SSL certificate from the interface.

Prerequisites

You must have already generated your certificates from the Self-Service Portal. If not, see our document Setting up SSL certificates from Self Service Portal
Note: You must restart your SafeSquid service once after generating the SSL certificates from the Self-Service Portal - Restart SafeSquid from SafeSquid Interface https://help.safesquid.com/portal/en/kb/articles/restart-the-safesquid-service-from-interface

Access The SafeSquid User Interface

Go to Configure 

click on configure in safesquid interface

Go to Real Time Content Security

going to real time content security

Go to HTTPS inspection

Go to SSL Certs/Cache

Download SSL certificate

download the certificate by clicking on download button
Save the downloaded certificate to disk and import it into the client browsers.

Importing Your SSL Certificate Into Firefox

Importing Your SSL Certificate Into Internet Explorer or Chrome

HTTPS Inspection

Bypass HTTPS Inspection by using Request Types


