Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
1910
Views
5
Helpful
0
Comments

CWS HTTPS Inspection with MS CA Signed certificate

kussriva
Level 1
Level 1

‎08-07-2015 07:58 AM - edited ‎03-08-2019 06:58 PM

When configuring HTTPS traffic inspection and decryption we need to install a certificate on the CWS portal. This certificate can be either a self-signed certificate generated on the portal or a MS CA signed certificate.

Due to the fact that the Self-signed certificate has to be installed on each of the Company PC's generating a CA signed certificate is more scalable method of this Deployment.

If you have a self-signed certificate, it has to be imported on all the company PC's. It has to be added to the certificates under the "Trusted Root Certification Authorities".

 

So here are the steps to install the MS CA signed certificate and configure an HTTPS Decryption policy:

 

Step 1: Go to Admin, HTTPS Inspection, Certificates.

Step 2: Click on Generate a CSR, enter the Identifier which Identifies the certificate in the CWS portal, a description and then click Next

Step 3: After you click Next, a CSR would be automatically generated. You would need to download this CSR and get a cert generated using it.
Please note: the session expires in 30mins and if you do not upload the cert before 30mins, you would have to generate the CSR again.

Step 4:  Go to the MS CA server, go to Request a Certificate, click ‘Submit an advanced certificate request”.

Step 5: Open the CSR file in Notepad, copy paste the contents in the Certificate request box. The Certificate Template to be used has to be the “Subordinate CA”.

Step 6: After getting the CA signed cert, go back to the portal and upload the cert on the portal

Step 7: After the certificate has been upload, go to HTTPS Inspection, Filters and create a Decryption filter.
Please Note: this filter would be to select the web categories for whom the HTTPS traffic shall be decrypted. If you want to block some traffic, that has be done through the Web Filtering policy.

Step 8: Now go to HTTPS Inspection, Policy, Create HTTPS Rule. Type a Name, select the certificate added earlier and apply the filter created.
In the test we have selected Social Network and would be testing through Facebook. Thus only ‘facebook’ traffic would be decrypted and other HTTPS traffic would be Skipped inspection and would go through without Decryption.

Step 9: Now when we browse to facebook and check certificate, it should show the certificate we have created.

 

 

Regards,

Kushagra Srivastava

Labels:
cws_https_decrypt.docx
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents