Setting up SSL certificates from Self Service Portal

Overview

HTTPS-aware applications such as Internet Browsers, implement SSL/TLS protocols to prevent inadvertent communication with a malafide web service.

The SSL / TLS protocols enable applications to verify the identity of the remote web services, and appropriately encrypt the entire communication preventing any third party from eavesdropping.

In response to the SSL Handshake initiated by the client application, the remote web service submits identification using a Digital Server (SSL/TLS) Certificate.

The client application maintains stores of CA certificates representing various Trusted Root Certification Authority.

Unless explicitly trusted, the client application checks if a Trusted Root CA signs the server certificate.

The Trusted Root CA binds the server certificate to a set of FQDNs and ensures each signed certificate bears a unique serial number.

Post verification, the client proceeds with normal HTTP Protocol, but the communication is encrypted based on the parameters agreed upon during the SSL handshake and the server certificate. Thus, the communication is opaque and cannot be inspected or modified by a third party.

A proxy server terminates connections to inspect and/or modify the communication between a client and server.

For handling HTTPS traffic, it must additionally perform SSL Termination.

This requires the proxy server to provide an SSL Certificate for the web service requested by the client.

For a seamless user experience, this SSL certificate must be signed by a Trusted Root CA.

Enterprises therefore ensure a Trusted Root CA is installed in the Trusted Root CA Store of the sanctioned web applications, such as Internet Browsers.

The proxy server is provided with this Trusted Root CA, along with the associated Private Key.

The proxy server then produces the required SSL certificates for any web service and signs it using the provided Certificate-Key pair.

Enterprises that require multiple instances of proxy services to handle large traffic volumes or geographic spread.

The deployment must also guarantee each certificate thus created by proxy servers has a distinct serial number.

You would be required to then share the CA certificate with your enterprise users, or push it via Group Policies if you have a Microsoft Domain Network.

You may also import an SSL CA Certificate, provided by your existing Enterprise CA Infrastructure.

In such a case, you would not be required to push a Trusted Root CA Certificate.

All SafeSquid instances deployed by you that share the same Product Activation Key, shall automatically download the Trusted Root CA certificate.

Each SafeSquid instance shall then produce a sub-CA certificate-key pair, to sign the SSL Certificates for requested web services.

This mechanism ensures each SSL certificate bears a unique serial number and signature, but only one Trusted Root CA Certificate is to be shared across client applications.

All Certificate-Key pairs are passphrase-protected to prevent misuse.

Access the Self-Service Portal

Log in to the Self-Service Portal - https://key.safesquid.com

The Self-Service Portal for managing your SafeSquid deployments, facilitates easy creation of Trusted Root CA Certificates.

Generate SafeSquid Certificate

Using Self-Signed Certificate

Note: When you see the "Generate" button it means that SafeSquid's SSL certificate has not been generated yet.

Note: The passphrase entered in step #3 is non-recoverable. Remember to save the passphrase if in case you want to reuse the same certificate with a different activation key.

Using Enterprise CA Certificate

With a Passphrase

Generating SafeSquid certificate using an enterprise CA certificate which has a passphrase.

Without a Passphrase

Note: The passphrase entered in step #6 is non-recoverable. Remember to save the passphrase if in case you want to reuse the same certificate with a different activation key.

Download Certificate

From the Self-Service Portal

“ 

From Web Interface

Refer to the below link on how to download an SSL certificate from your web interface.
https://help.safesquid.com/portal/en/kb/articles/download-ssl-certificate-from-interface

Related Links

1. Importing Your SSL Certificate Into Firefox

1. Importing Your SSL Certificate Into Internet Explorer or Chrome

1. HTTPS Inspection
   

1. Bypass HTTPS Inspection by using Request Types
   

• Related Articles

• Management of Self-Service Portal

  Overview The SafeSquid Self-Service Portal is the cloud-based management console for your SafeSquid Installations. It enables you to easily manage common properties across all your installations. The SafeSquid Self-Service Portal Manages activities ...

• Application Eco-System

  Typical High-Level Solution Architecture In a typical organization setting, the amalgamation of SafeSquid Application Eco-system constitutes the complete SWG solution. Self-Service Portal To manage properties associated to the activation key, like ...

• Manage VPN settings of Web Security Client

  Access the Self-Service portal Login with your valid credentials Go to Manage VPN Set URL (FQDN of SafeSquid Server) YourSafeSquid server FQDN and click on Set URL 'Example: 'My SafeSquid server FQDN is: sabproxy.safesquid.test You can verify ...

• Manage Confidential Data Signatures

  Manage Keyword Signatures using the Service Portal We're going to assume that you have an active SafeSquid account with at least one Activation Key. If this is not completed yet, you can register at https://key.safesquid.com. Log in to the ...

• File and Folder

  /etc/init.d/safesquid Directory /etc/init.d contains scripts for controlling(initialization and termination) the system and various services. These scripts can be invoked directly. SafeSquid script is also stored in /etc/init.d directory which ...