How to USE SubCA of one's Organization as SafeSquid's Root CA for SSL Inspection. ( Client Discussion #3 )
Posted: Sat Apr 25, 2020 5:47 am
Hello All,
I have received a client query about using their own Enterprise CA certificate with SafeSquid for SSL INSPECTION.
The main reason for doing so is to avoid adding a new Enterprise CA to each and every machine or application.
The discussion below solves and explains such client queries.
The client discussion is added in a typical email-based conversation format.
Previous discussion includes:
-----------------------
From SafeSquid
-----------------------
Hi Lars,
Ideally you would obtain a sub-CA key pair from your enterprise CA, and protect it with a passphrase.
The SafeSquid Self-Service Portal at https://key.safesquid.com/ enables you to upload such passphrase protected key pair.
The passphrase used for protection is asymmetrically encrypted and stored such that it can be discovered only by a SafeSquid instance using your Activation Key.
All your SafeSquid instances would then fetch the uploaded CA key pair.
Each SafeSquid instance then "locally" generates a unique sub-CA key pair from this CA key pair.
The "fake SSL key pairs" generated for the HTTPS inspected websites are signed by the local sub-CA key pair.
During SSL handshake with the clients, SafeSquid sends the entire certificate chain including the Key Pair uploaded on the Self-Service Portal.
Presuming the enterprise CA certificate was already implanted into the client browsers / applications, you would therefore not need to push any further certificates.
Also since each SafeSquid instance would be generating SSL certificates with a local CA key pair you can easily use multiple SafeSquid instances in a load-balanced cluster to service your users.
Please feel free to ask any further questions.
Happy to Help,
Manish Kochar
SafeSquid Labs
-------------- SafeSquid Reply Ends ---------------
-------------------
Client Reply
-------------------
Hello Manish.
I hope this ticket is still open for replies. We have been busy with other high-priority tasks, so our proxy evaluation has been suffering. This certificate part is still what is halting our progress, and I still can’t quite get the hang of it.
For an ordinary SSL-protected website, I’d:
1. Create a CSR and key on the web server.
2. Paste the contents of that into our windows sub-ca certificate request web page, choosing a suitable template.
3. Get a .cer file in return.
4. Move the .cer to the correct location in the web server.
5. Make sure that the .key from step 1 is in the correct location.
6. Be set to go.
The process here is obviously not the same, and I’m not quite able to get it to work. I see two possibilities right now.
1. I create a CSR and a key on any system with an SSL stack installed, submit that request to my sub-ca certificate request web page, choosing the "subordinate certification authority" template.
2. I go to the sub-ca certificate request web page, and create my request directly in the forms on site.
The first method works, and I can choose to download a base-64 encoded .cer file to my PC. The second method does not currently work; the form fails, possibly because of some setup issues with the template.
Anyhow, what I have now is a private key, created on another workstation with the CSR, and a certificate signed by my sub-ca, based on the information in that CSR. Do I somehow have to export the private key from the certificate from my sub-ca key storage? What data should I be entering into the certificates part of the safesquid portal?
Do I make sense? Am I alone in not figuring this part out? In my tries to figure this out, I haven’t yet found any specific guides similar to our Environment, even though it should not be uncommon. (Windows AD with PKI up and running for all sorts of computer and user certificates) Sorry for my late and long reply, but when we figure this out, and get the AD SSO up and running, we look all set to commit to this solution.
Regards
Lars Olof Norell
------------- Client Reply Ends ------------
Discussion Continues…
Hello Lars,
My name is Ashish and I will be guiding you throughout this process.
Feel free to raise your queries; I will be happy to help you.
Before starting, let's first build terminology so that we don't get confused:
--------------
1. Root CA = Enterprise CA
2. Subordinate Certification Authority = SubCA = Intermediate CA
3. End Entity Certificate = Server Certificate
---------------
Now let's come to the Actual Solution,
--------------------------- ---------------------------
A few things I need to clarify before starting:
1. You are going to use your Enterprise CA and create one SubCA with the privilege to sign End Entity Certificates.
[ This is very important & required because SafeSquid will use this SubCA to sign all the web server certificates ( creating fake SSL certificates ) ]
From the ongoing conversation, I think that "subordinate certification authority" refers to a certificate signed by your Enterprise CA with the privilege to sign End Entity Certificates.
Correct me if I am wrong.
Note: To verify that the SubCA has the privilege to sign End Entity Certificates, check the Basic Constraints of the certificate.
You can open the Certificate with the Default Microsoft Certificate Viewer and see the details of the Basic Constraints.
The field should show:
Certificate Authority: TRUE ( FireFox )
CA: TRUE ( OpenSSL )
Subject Type=CA ( Chrome )
Please make sure the Generated Certificate does not have basic constraints as
Subject Type= End Entity ( Chrome )
Or
Certificate Authority: FALSE ( FireFox )
Or
CA: FALSE ( OpenSSL )
IMP NOTE: When you create the CSR, there should be an option to enable the Basic Constraints field as CA, i.e. CA=TRUE.
3. The Certificate Generated is in PEM FORMAT ( Base64-encoded ).
--------------------------- ---------------------------
If all of the above goes well,
then this means you have 2 files:
one is the SubCA Certificate & one is the Private Key File.
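Before uploading, the properties listed above (PEM encoding, Basic Constraints CA:TRUE, and a private key that actually belongs to the certificate) can be checked from a shell with the openssl CLI. The block below is an added example, not SafeSquid's own tooling or the portal's code; it builds a small constructed demo PKI in a temporary directory to exercise the checks, and the file names in it are assumptions.

```shell
#!/bin/sh
# Added example, not SafeSquid tooling: pre-upload checks on the SubCA files
# using the openssl CLI. File names are assumptions; run from any directory.

# 0 if the certificate is PEM (Base64 text), the format the portal expects.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# 0 if Basic Constraints says CA:TRUE, i.e. the cert may sign end-entity certs.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# 0 if the private key's public half equals the certificate's public key;
# this is the property the portal's "Validate Private Key" step depends on.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Constructed demo PKI (root, CA:TRUE SubCA, CA:FALSE leaf) in a temp dir so
# the checks can be exercised offline; prints the directory path.
make_demo_pki() {
    d=$(mktemp -d) || return 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
    printf 'basicConstraints=critical,CA:FALSE\n' >"$d/leaf.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo Enterprise Root' \
        -keyout "$d/root.key" -out "$d/root.crt" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo SubCA' \
        -keyout "$d/subca.key" -out "$d/subca.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$d/subca.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -days 1 -extfile "$d/ca.ext" -out "$d/subca.crt" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -subj '/CN=leaf.example' \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/subca.crt" -CAkey "$d/subca.key" -CAcreateserial \
        -days 1 -extfile "$d/leaf.ext" -out "$d/leaf.crt" >/dev/null 2>&1 || return 1
    echo "$d"
}

# Stand-alone run: report the checks for the constructed demo files.
demo=$(make_demo_pki) || exit 1
for f in subca leaf; do
    if is_ca_cert "$demo/$f.crt"; then echo "$f.crt: CA:TRUE"; else echo "$f.crt: not a CA"; fi
done
key_matches_cert "$demo/subca.crt" "$demo/subca.key" && echo "subca.key matches subca.crt"
```

Point the three functions at the real SubCA .cer and .key instead of the demo files; a Base64 .cer downloaded from the Windows CA web enrollment page passes is_pem_cert, a DER one does not.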
Now comes the part when you are going to Actually Import This Certificate and Key Pair in Safesquid's Self-Service Portal.
Steps:
1. Go To Self-Service Portal ( key.safesquid.com )
2. Register ( if you have not already ), then Login.
3. Once You Login Please GoTo: https://key.safesquid.com/portaltest.html
[ We have currently not deployed new changes to Default Setup for some reason , so you will have to move to another portal page ]
4. In The Portal you will see Many Tab Sections Navigate to : Manage Certificates
5. Then Click on Generate Button.
[ If you are doing it for the first time; otherwise it will be Re-Generate ]
6. Click on Upload Enterprise CA
7. Over here there are 2 options
Having Passphrase
Does not have Passphrase
Select the desired option as per your certificate key: you might have a passphrase-protected one or one without a passphrase.
Then drag and drop to upload both the SubCA Certificate & Key, & ENTER THE PASSPHRASE.
If everything goes well,
then click on Validate Private Key.
8. Once the above step is completed:
If the key was passphrase protected,
then there will be an option to either reuse the same passphrase or create a new one.
Using the existing one is a good option so that you keep track of the passphrase.
Else, if the key was not passphrase protected, then you will have to enter a new passphrase.
[ SafeSquid's security measure is to enable passphrase-protected keys ]
9. After doing so you are good to go to Upload the Certificate & Key.
Note: You will have to use the Latest SafeSquid-SWG Binary for this Feature.
Please download it
ISO Link: ( Full ISO ) http://downloads.safesquid.net/appliance/safesquid.iso
BINARY LINK: ( Latest SafeSquid-SWG Version ) http://downloads.safesquid.net/applianc ... est.tar.gz
Please feel free to revert back for any query in the above process; we will be happy to help you.